refactor: improve SSO provider management and logging

- Simplified `name_id_format` selection logic in SSO provider form.
- Switched raw database query to sanitized SQL in client secret tests.
- Added condition to log JIT account creation only when identity persists.
- Sanitized failure reasons in SSO login failure handling.
- Added SSO provider connection test policy tests for super admin and regular users.

app/controllers/oidc_accounts_controller.rb

@@ -118,17 +118,19 @@ class OidcAccountsController < ApplicationController
 
     if @user.save
       # Create the OIDC (or other SSO) identity
-      OidcIdentity.create_from_omniauth(
+      identity = OidcIdentity.create_from_omniauth(
         build_auth_hash(@pending_auth),
         @user
       )
 
-      # Log JIT account creation
-      SsoAuditLog.log_jit_account_created!(
-        user: @user,
-        provider: @pending_auth["provider"],
-        request: request
-      )
+      # Only log JIT account creation if identity was successfully created
+      if identity.persisted?
+        SsoAuditLog.log_jit_account_created!(
+          user: @user,
+          provider: @pending_auth["provider"],
+          request: request
+        )
+      end
 
       # Clear pending auth from session
       session.delete(:pending_oidc_auth)

app/controllers/sessions_controller.rb

@@ -144,11 +144,15 @@ class SessionsController < ApplicationController
   end
 
   def failure
+    # Sanitize reason to known values only
+    known_reasons = %w[sso_provider_unavailable sso_invalid_response sso_failed]
+    sanitized_reason = known_reasons.include?(params[:message]) ? params[:message] : "sso_failed"
+
     # Log failed SSO attempt
     SsoAuditLog.log_login_failed!(
       provider: params[:strategy],
       request: request,
-      reason: params[:message]
+      reason: sanitized_reason
     )
 
     message = case params[:message]