[Initiative] Enterprise SSO Support

[juliuskrah]

Summary

Enable enterprise Single Sign-On (SSO) for GitStore using standards-based federation with external identity providers.

Scope

In scope:

• OIDC federation support for enterprise IdPs.
• SAML federation support through a supported broker/provider integration path.
• Mapping IdP claims (groups, roles) to GitStore scopes and roles.
• Tenant-specific identity configuration for enterprise deployments.
• End-to-end authentication flow tests for enterprise login paths.

Out of scope:

• Building a proprietary identity provider.
• Full redesign of authentication UI.
• SCIM lifecycle provisioning (tracked in [Initiative] SCIM Provisioning for Enterprise Identity #48).

Acceptance Criteria

• Enterprise users can authenticate with external IdPs through configured SSO.
• Claims-to-scope mapping is documented and enforced in API authorization.
• Failure paths (issuer mismatch, invalid audience, expired token) are tested.
• Documentation includes setup examples for at least one OIDC provider and one SAML provider.

Dependencies

• Optional OIDC integration module ([Initiative] OIDC Integration Module #44).
• Optional user-management integration module ([Initiative] Headless User Management Module #45).

Tracking

• Milestone: TBD