Add configurable multi-provider SSO, SSO-only mode, and JIT controls via auth.yml (#441)

* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation

- Introduced `config/auth.yml` for centralized auth configuration and documentation.
- Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect.
- Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`).
- Enabled optional restriction of JIT creation by allowed email domains.
- Enhanced OmniAuth initializer for dynamic provider setup and better configurability.
- Refined login UI to handle local login disabling and emergency super-admin override.
- Updated account creation flow to respect JIT mode and domain checks.
- Added tests for SSO account creation, login form visibility, and emergency overrides.

# Conflicts:
#	app/controllers/sessions_controller.rb

* remove non-translation

* Refactor authentication views to use translation keys and update locale files

- Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support.
- Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files.

* Enhance OmniAuth provider configuration and refine local login override logic

- Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub.
- Improved local login logic to enforce stricter handling of super-admin override when local login is disabled.
- Added test for invalid super-admin override credentials.

* Document Google sign-in configuration for local development and self-hosted environments

---------

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>

test/controllers/oidc_accounts_controller_test.rb

@@ -107,6 +107,50 @@ class OidcAccountsControllerTest < ActionController::TestCase
     assert_select "strong", text: new_user_auth["email"]
   end
 
+  test "does not show create account button when JIT link-only mode" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    AuthConfig.stubs(:jit_link_only?).returns(true)
+    AuthConfig.stubs(:allowed_oidc_domain?).returns(true)
+
+    get :link
+    assert_response :success
+
+    assert_select "h3", text: "Create New Account"
+    # No create account button rendered
+    assert_select "button", text: "Create Account", count: 0
+    assert_select "p", text: /New account creation via single sign-on is disabled/
+  end
+
+  test "create_user redirects when JIT link-only mode" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    AuthConfig.stubs(:jit_link_only?).returns(true)
+    AuthConfig.stubs(:allowed_oidc_domain?).returns(true)
+
+    assert_no_difference [ "User.count", "OidcIdentity.count", "Family.count" ] do
+      post :create_user
+    end
+
+    assert_redirected_to new_session_path
+    assert_equal "SSO account creation is disabled. Please contact an administrator.", flash[:alert]
+  end
+
+  test "create_user redirects when email domain not allowed" do
+    disallowed_auth = new_user_auth.merge("email" => "newuser@notallowed.com")
+    session[:pending_oidc_auth] = disallowed_auth
+
+    AuthConfig.stubs(:jit_link_only?).returns(false)
+    AuthConfig.stubs(:allowed_oidc_domain?).with(disallowed_auth["email"]).returns(false)
+
+    assert_no_difference [ "User.count", "OidcIdentity.count", "Family.count" ] do
+      post :create_user
+    end
+
+    assert_redirected_to new_session_path
+    assert_equal "SSO account creation is disabled. Please contact an administrator.", flash[:alert]
+  end
+
   test "should create new user account via OIDC" do
     session[:pending_oidc_auth] = new_user_auth