Trim Pac4j entitlements to avoid cookie too large issue.

Currently with KnoxSSO if the user is part of too many groups SAML assertions that we get back from IdP is huge. This cause hadoop-jwt cookie to not set throwing the SSO in a loop.

Knox does not need groups, groups in knox are figured out based on the hadoop-user-group lookup. We should be able to filter out groups from the SAML assertion.