I need to understand how the function authenticate_user_login handles non-core authentication plug-ins, in particular Shibboleth.
In Moodle 3.5 code auth/shibboleth/index.php around line 54 there is this test,
if ($shibbolethauth->user_login($frm->username, $frm->password)
&& $user = authenticate_user_login($frm->username, $frm->password, false, $reason, false))
which fails because the second condition $user = authenticate_user_login($frm->username, $frm->password, false, $reason, false) returns false.
Tracing authenticate_user_login in lib/moodlelib.php I see that the execution does not enter any of the code blocks and therefore exits with False. The content of the $auth array explains that. It goes through the authentication mechanisms of core Moodle, but not Shibboleth which is a plug-in (and activated).
Could somebody explain to me how authenticate_user_login is expected to return True, when the function does not iterate through an auth = 'shib' block.