refactor: improve SSO provider management and logging

- Simplified `name_id_format` selection logic in SSO provider form.
- Switched raw database query to sanitized SQL in client secret tests.
- Added condition to log JIT account creation only when identity persists.
- Sanitized failure reasons in SSO login failure handling.
- Added SSO provider connection test policy tests for super admin and regular users.

app/controllers/sessions_controller.rb

@@ -144,11 +144,15 @@ class SessionsController < ApplicationController
   end
 
   def failure
+    # Sanitize reason to known values only
+    known_reasons = %w[sso_provider_unavailable sso_invalid_response sso_failed]
+    sanitized_reason = known_reasons.include?(params[:message]) ? params[:message] : "sso_failed"
+
     # Log failed SSO attempt
     SsoAuditLog.log_login_failed!(
       provider: params[:strategy],
       request: request,
-      reason: params[:message]
+      reason: sanitized_reason
     )
 
     message = case params[:message]