In the "authentication-shibboleth.cfg" the configuration "sword.compatability" is misspelled, and therefore doesn't work.
It should instead be: "sword.compatibility" , as that is the name of the Configuration that the ShibAuthentication class actually looks for:
Because of this misspelling, "sword.compatibility" is always enabled with Shibboleth, despite the config file implying that it is disabled by default.
This means that if you have both Shibboleth and Password authentication enabled, if Shibboleth is listed first, it will be used instead of Password authentication, and you'll see messages like this one in your log files:
org.dspace.authenticate.ShibAuthentication @ [user-email] has been authenticated via shibboleth using password-based sword compatibility mode.
(This essentially means that "ShibAuthentication" hijacks the password authentication by default, and doesn't allow PasswordAuthentication to perform its processing for Special Groups, etc)
The Shibboleth documentation is also incorrect and misspells this configuration: