Users should be able tu sign up automatically
if their current account is not eligible
to join the group or if they have no gitlab account

Prevents access to group resources when user hasn't signed in with SAML
and SSO enforcement is turned on.

Uses the session to track which SAML group the user has signed in with.
This works using global GitLab::Session from the policy via SsoState.

Ensure it isn't possible to link accounts with a request that starts at
the identity provider, as this would allow a malicious group or IdP to
link accounts for arbitrary users tricked into visiting that IdP.

Ensure it isn't possible to link accounts with a request that starts at
the identity provider, as this would allow a malicious group or IdP to
link accounts for arbitrary users tricked into visiting that IdP.

This will allow Group SAML to be used for signing in to GitLab.com
Initially this will be behind the feature flag:
"group_saml_allows_sign_in_to_gitlab" so we can roll it out per group.

Implements Auth::GroupSaml::User to process callback when signed out.
Updates Groups::OmniauthCallbacksController to handle more complicated
redirect flows.

Enables frozen string in the following:

* ee/app/controllers/**/*.rb
* ee/app/finders/**/*.rb

Partially addresses gitlab-org/gitlab-ce/#47424.

before_filter is deprecated in Rails 5, we should rather
use before_action