Add configurable multi-provider SSO, SSO-only mode, and JIT controls via auth.yml (#441)

* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation

- Introduced `config/auth.yml` for centralized auth configuration and documentation.
- Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect.
- Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`).
- Enabled optional restriction of JIT creation by allowed email domains.
- Enhanced OmniAuth initializer for dynamic provider setup and better configurability.
- Refined login UI to handle local login disabling and emergency super-admin override.
- Updated account creation flow to respect JIT mode and domain checks.
- Added tests for SSO account creation, login form visibility, and emergency overrides.

# Conflicts:
#	app/controllers/sessions_controller.rb

* remove non-translation

* Refactor authentication views to use translation keys and update locale files

- Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support.
- Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files.

* Enhance OmniAuth provider configuration and refine local login override logic

- Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub.
- Improved local login logic to enforce stricter handling of super-admin override when local login is disabled.
- Added test for invalid super-admin override credentials.

* Document Google sign-in configuration for local development and self-hosted environments

---------

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>

test/controllers/password_resets_controller_test.rb

@@ -27,4 +27,25 @@ class PasswordResetsControllerTest < ActionDispatch::IntegrationTest
       params: { user: { password: "password", password_confirmation: "password" } }
     assert_redirected_to new_session_url
   end
+
+  test "all actions redirect when password features are disabled" do
+    AuthConfig.stubs(:password_features_enabled?).returns(false)
+
+    get new_password_reset_path
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+
+    post password_reset_path, params: { email: @user.email }
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+
+    get edit_password_reset_path(token: @user.generate_token_for(:password_reset))
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+
+    patch password_reset_path(token: @user.generate_token_for(:password_reset)),
+      params: { user: { password: "password", password_confirmation: "password" } }
+    assert_redirected_to new_session_path
+    assert_equal "Password reset via Sure is disabled. Please reset your password through your identity provider.", flash[:alert]
+  end
 end