SERVER-82143 introduced the `supportsHumanFlows` field to each IdP's configuration. When this is set to false, the IdP is understood to be used for machine/service accounts who do not participate in human-based flows (authorization code, device authorization grant, etc.) for token acquisition. Subsequently, `clientId` is optional for these IdPs and omitted from the first SASL reply.
Drivers has indicated that they will typically perform one-shot authentication by directly presenting a token when authenticating service accounts. As a result, the `matchPattern` field holds little value for machine-flow IdPs, and it is currently mandatory when more than 1 IdP is configured on the server.
We should make `matchPattern` optional for all IdPs that have `supportsHumanFlows` set to false. If an administrator chooses to specify one anyway, then it should be considered along with all other IdPs with a `matchPattern` when a driver presents a `principalName` up front.