Add configurable multi-provider SSO, SSO-only mode, and JIT controls via auth.yml (#441)

* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation

- Introduced `config/auth.yml` for centralized auth configuration and documentation.
- Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect.
- Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`).
- Enabled optional restriction of JIT creation by allowed email domains.
- Enhanced OmniAuth initializer for dynamic provider setup and better configurability.
- Refined login UI to handle local login disabling and emergency super-admin override.
- Updated account creation flow to respect JIT mode and domain checks.
- Added tests for SSO account creation, login form visibility, and emergency overrides.

# Conflicts:
#	app/controllers/sessions_controller.rb

* remove non-translation

* Refactor authentication views to use translation keys and update locale files

- Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support.
- Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files.

* Enhance OmniAuth provider configuration and refine local login override logic

- Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub.
- Improved local login logic to enforce stricter handling of super-admin override when local login is disabled.
- Added test for invalid super-admin override credentials.

* Document Google sign-in configuration for local development and self-hosted environments

---------

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>

app/controllers/oidc_accounts_controller.rb

@@ -13,6 +13,10 @@ class OidcAccountsController < ApplicationController
 
     @email = @pending_auth["email"]
     @user_exists = User.exists?(email: @email) if @email.present?
+
+    # Determine whether we should offer JIT account creation for this
+    # pending auth, based on JIT mode and allowed domains.
+    @allow_account_creation = !AuthConfig.jit_link_only? && AuthConfig.allowed_oidc_domain?(@email)
   end
 
   def create_link
@@ -77,10 +81,20 @@ class OidcAccountsController < ApplicationController
       return
     end
 
-    # Create user with a secure random password since they're using OIDC
+    email = @pending_auth["email"]
+
+    # Respect global JIT configuration: in link_only mode or when the email
+    # domain is not allowed, block JIT account creation and send the user
+    # back to the login page with a clear message.
+    unless !AuthConfig.jit_link_only? && AuthConfig.allowed_oidc_domain?(email)
+      redirect_to new_session_path, alert: "SSO account creation is disabled. Please contact an administrator."
+      return
+    end
+
+    # Create user with a secure random password since they're using SSO
     secure_password = SecureRandom.base58(32)
     @user = User.new(
-      email: @pending_auth["email"],
+      email: email,
       first_name: @pending_auth["first_name"],
       last_name: @pending_auth["last_name"],
       password: secure_password,
@@ -92,7 +106,7 @@ class OidcAccountsController < ApplicationController
     @user.role = :admin
 
     if @user.save
-      # Create the OIDC identity
+      # Create the OIDC (or other SSO) identity
       OidcIdentity.create_from_omniauth(
         build_auth_hash(@pending_auth),
         @user