refactor: improve SSO provider management and logging

- Simplified `name_id_format` selection logic in SSO provider form.
- Switched raw database query to sanitized SQL in client secret tests.
- Added condition to log JIT account creation only when identity persists.
- Sanitized failure reasons in SSO login failure handling.
- Added SSO provider connection test policy tests for super admin and regular users.

test/models/sso_provider_test.rb

@@ -96,9 +96,11 @@ class SsoProviderTest < ActiveSupport::TestCase
     assert_equal "super_secret_value", provider.client_secret
 
     # Raw database value should be encrypted (not plain text)
-    raw_value = ActiveRecord::Base.connection.execute(
-      "SELECT client_secret FROM sso_providers WHERE id = '#{provider.id}'"
-    ).first["client_secret"]
+    raw_value = ActiveRecord::Base.connection.select_value(
+      ActiveRecord::Base.sanitize_sql_array(
+        [ "SELECT client_secret FROM sso_providers WHERE id = ?", provider.id ]
+      )
+    )
 
     assert_not_equal "super_secret_value", raw_value
   end

test/policies/sso_provider_policy_test.rb

@@ -86,6 +86,14 @@ class SsoProviderPolicyTest < ActiveSupport::TestCase
     assert_not SsoProviderPolicy.new(@regular_user, @provider).toggle?
   end
 
+  test "super admin can test connection" do
+    assert SsoProviderPolicy.new(@super_admin, @provider).test_connection?
+  end
+
+  test "regular user cannot test connection" do
+    assert_not SsoProviderPolicy.new(@regular_user, @provider).test_connection?
+  end
+
   test "scope returns all providers for super admin" do
     SsoProvider.create!(
       strategy: "google_oauth2",