Add a post-filtering hashing feature to shorten long attributes, namely ePTIDs

Not an easy problem to address with current APIs. Not sure how useful this is, but for now, I adjusted the existing hash support so that NameID attribute objects can be filtered properly while still producing the hashed serialization (by remoting the hash operation to shibd).

Just not sure how useful it is to produce ugly, 40-byte hex identifiers or if they'll even fit such apps.

Maintaining the filtering requirement is a bit trickier; couple possibilities:

Add a workflow option that runs resolvers either before or after filtering. That's a bit invasive because of the many places executing this workflow now.

Would be ideal to implement it somehow via the attribute serialization step, but that happens in-process too and wouldn't have access to the hash functions. Probably would require a new decoder and attribute class that tracks both pre- and post-hashed values, exposes the pre-hashed to the filter step, but the post-hashed as the serialized form.

This is patently obvious to me now, but the obvious thing to do here is add a resolver plugin that does the hashing and generates a new attribute. That keeps the original around as needed.