Bug 5565 - Remove AAIdentity configuration
Status: RESOLVED FIXED
: GridShib
GT plugin
: 0.6
: PC Linux
: P3 normal
: 0.6.0 alpha
: 5568
Reported: 2007-09-14 14:10 by
Modified: 2008-04-25 21:12 (History)


Description From 2007-09-14 14:10:51
Remove the AAIdentity configuration (internally the constant name for this
config is AUTHZ_IDENTITY_KEY).

AAIdentity:  "This value is the certificate identity of the Shib AA. If this is
included, the https connection to the AA will only be authorized if the AA's
certificate matches."

Since we are now mainly using SAML metadata (programmatic AA configuration is
possible though), this configuration does not make sense.  It is really a
holdover from when one attribute authority was specified directly in the query
PIP's configuration.

The only client-side authorization (here the client is the query PIP) possible
now is host-based authorization.  SAML metadata does not allow for particular
DNs for particular attribute authorities to be specified.
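
The two checks contrasted in the description, as an added example (not GridShib code and not part of the original report): a single configured identity covers only one attribute authority, while a host-based check derives the expected name from each endpoint URL found in metadata. The endpoint URLs, the DNs, the function names and the acceptance of a "host/<hostname>" CN are assumptions made for illustration.

```python
from urllib.parse import urlparse

def parse_dn(dn):
    """Parse a comma-separated DN into (ATTR, value) pairs.
    Escaped commas are not handled; the constructed samples have none."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.upper(), value))
    return pairs

def identity_authorized(peer_dn, configured_dn):
    """AAIdentity-style check: the peer DN must equal the one configured DN."""
    return parse_dn(peer_dn) == parse_dn(configured_dn)

def host_authorized(peer_dn, endpoint_url):
    """Host-based check: the expected name is taken from the endpoint URL."""
    host = urlparse(endpoint_url).hostname
    cns = [v.lower() for a, v in parse_dn(peer_dn) if a == "CN"]
    if not host or not cns:
        return False
    # Assumption: a bare hostname or a "host/<hostname>" CN counts as a match.
    return cns[0] in (host, "host/" + host)

# Constructed sample: AA endpoints as they might be listed in SAML metadata,
# paired with the subject DN each server presents on the https connection.
AAS = [
    ("https://aa1.example.org:8443/shibboleth/AA",
     "CN=host/aa1.example.org,O=Example Grid"),
    ("https://aa2.example.org:8443/shibboleth/AA",
     "CN=aa2.example.org,O=Example Grid"),
    ("https://aa3.example.org:8443/shibboleth/AA",
     "CN=host/other.example.org,O=Example Grid"),  # certificate for another host
]
CONFIGURED_IDENTITY = "CN=host/aa1.example.org,O=Example Grid"

def evaluate(aas, configured_dn):
    """Return (hostname, identity_ok, host_ok) for every AA endpoint."""
    return [(urlparse(url).hostname,
             identity_authorized(dn, configured_dn),
             host_authorized(dn, url)) for url, dn in aas]

if __name__ == "__main__":
    for host, identity_ok, host_ok in evaluate(AAS, CONFIGURED_IDENTITY):
        print(f"{host}: identity={identity_ok} host={host_ok}")
```
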
------- Comment #1 From 2007-09-16 21:07:23 -------
Committed to gridshib_gt_0_6_0_branch