DEV: Avoid storing state in the SAMLAuthenticator instance (#61)

There is only one SAMLAuthenticator instance per-process. Storing user-specific state in it is risky (although, in our default unicorn-based config, is unlikely to cause issues because we only handle one concurrent request per process).

This commit also updates our implementation to use the built-in `#single` and `#multi` methods provided by the SAML gem. This avoids the need for our custom `&.first`, `&.split` and `&.join` implementation.