Add exemption for ACS endpoint

In a SAML scenario we don't get any strict or lax cookie send for
the ACS endpoint. Since we have some legacy code in Nextcloud
(direct PHP files) the enforcement of lax cookies is performed here
instead of the middleware.

This means we cannot exclude some routes from the cookie validation,
which normally is not a problem but is a little bit cumbersome for
this use-case.

Once the old legacy PHP endpoints have been removed we can move
the verification into a middleware and also adds some exemptions.

Not super awesome code to have but the best that I could come up
with that doesn't add another ton of technical debt.