Comment 5 for bug 1974251

After more digging I've found that it's not the libpem-systemd package itself, but one of commands that comes from systemd.

systemd-tmpfiles --create

That command is executed during package installation in postinst script and it sets permissions on a lot of system directories, according to some configuration file. One of those directories is this one:

root@apache:~# ls -ld /run/shibboleth/
drwxr-x--- 2 _shibd _shibd 4096 May 27 12:18 /run/shibboleth/

After running the systemd-tmpfiles --create permissions of that directory are changed to following:

root@apache:~# ls -ld /run/shibboleth/
drwxr-xr-x 2 _shibd _shibd 4096 May 27 12:18 /run/shibboleth/

so in the end running

chmod 755 on /run/shibboleth solves the issue