MDL-35153 introduced support for WAYFless URLs in Shibboleth (which is working fine). It does this by checking for an optional "target" parameter passed from an external source. As written the patch doesn't anticipate use cases where both "target" and $SESSION->wantsurl are unset, and you can get a notice like this:

Notice: Undefined property: stdClass::$wantsurl in .../auth/shibboleth/index.php on line 10

More serious is that PARAM_LOCALURL behaves unexpectedly when the user isn't already authenticated. During an authentication scenario target can be set with the referring authentication URL. This is properly cleaned by optional_param, but it still results in $SESSION->wantsurl getting set, albeit empty. This means if you've got a bookmarked location on the Moodle instance in question, you're always getting dumped to the front page instead of the deep link unless you're already authenticated.