Fix Group SAML mismatched extern_uid redirect loop
What does this MR do and why?
Fixes #382256 (closed)
Given the following scenario:
- User is already authenticated using a normal/local GitLab sign-in
- User has previously authenticated to this group using their SSO provider
- The Name ID from the IdP, which GitLab maps to our extern_uid, has changed at some point (maybe the IdP is configured to use email address, which we discourage because it could change)
Prior to this fix, the user entered a redirect loop and was unable to sign in.
After this fix, if the email address sent by the SAML IdP matches a verified email address on the user account, and no other identity exists with the new/changed extern_uid, we update the user's identity and allow them to sign in.
If the extern_uid does not match and neither does the email address, we redirect to the root (dashboard) path and display an error message (see screenshot). This ensures the redirect loop never happens in the event of failures.
This change does not address a case where a user is completely signed out from GitLab.com and tries to sign in to Group SAML with a mismatched extern_uid. That case might also need improving but at least it doesn't result in a redirect loop.
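The decision logic described above, as an added illustration that is not GitLab's code: plain Ruby structs stand in for the User and Identity models, and the class name SamlIdentityReconciler, the Result struct and the error strings are assumptions. The ordering matters for security: the check that nobody else already owns the new Name ID runs before any email comparison, so a verified email can never be used to take over another account's identity, and only verified emails on the account count as proof of ownership. Each :error result is what the controller would turn into the redirect to the root path with a flash message.

```ruby
# Added example, not GitLab's code: models the extern_uid reconciliation
# described in the MR. Struct and class names are assumptions.
Identity = Struct.new(:extern_uid, :user_id)
User = Struct.new(:id, :verified_emails)

class SamlIdentityReconciler
  Result = Struct.new(:status, :message)

  # identities: every Identity already stored for this group's SAML provider
  def initialize(identities)
    @identities = identities
  end

  # user:    the already signed-in GitLab user
  # name_id: Name ID from the SAML assertion (what GitLab stores as extern_uid)
  # email:   email attribute from the assertion, may be nil
  def reconcile(user:, name_id:, email:)
    own = @identities.find { |i| i.user_id == user.id }

    # Normal case: the stored extern_uid still matches the assertion.
    return Result.new(:ok, nil) if own && own.extern_uid == name_id

    # The scenario assumes the user linked this group before; a user with no
    # identity at all is the first-time linking flow and is out of scope here.
    return Result.new(:error, "No existing SAML identity for this user") unless own

    # Never reassign a Name ID that is already linked to a different account,
    # regardless of what the email attribute says (assumed error wording).
    if @identities.any? { |i| i.extern_uid == name_id && i.user_id != user.id }
      return Result.new(:error, "SAML Name ID is already linked to another account")
    end

    # Only a verified email on the account is trusted as proof of ownership;
    # compare case-insensitively.
    verified = user.verified_emails.map(&:downcase)
    unless email && verified.include?(email.downcase)
      return Result.new(:error, "SAML Name ID changed and email does not match a verified address")
    end

    # Email matched and the new Name ID is free: update the identity in place.
    own.extern_uid = name_id
    Result.new(:updated, nil)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed fixtures: Alice's stored extern_uid is stale, Bob owns "bob".
  ids = [Identity.new("alice-old", 1), Identity.new("bob", 2)]
  alice = User.new(1, ["alice@example.com"])
  result = SamlIdentityReconciler.new(ids).reconcile(
    user: alice, name_id: "alice-new", email: "alice@example.com"
  )
  puts result.status # :updated
end
```

In the real controller the :error branch is where the redirect to the dashboard replaces the old re-entry into the SAML flow; returning a terminal result rather than retrying is what breaks the loop.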
Screenshots or screen recordings
When extern_uid changes and email address doesn't match
When extern_uid changes but Name ID from SAML is already taken
How to set up and validate locally
MR acceptance checklist
- I have evaluated the MR acceptance checklist for this MR.