Fix GraphQL query returning less than expected groups

Abdul Wadood requested to merge 461083-filter-out-member-expired-sso-group into master

What does this MR do and why?

GraphQL filters out the SAML groups where the current user is a member and the SAML session has expired, because the needs_new_sso_session condition in EE::GroupPolicy evaluates to true for expired SAML sessions, which in turn makes the read_group policy evaluate to false. This results in GraphQL returning fewer groups than were queried.

Here we filter out the inactive SAML session groups in the database query itself, so the GraphQL query returns the expected number of groups.
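The following is an added illustration of the bug described above, not code from GitLab itself: it simulates a paginated query once with the SSO-session check applied after the database LIMIT (the original behaviour) and once with the check applied before it (the fix). All group data, provider ids, the helper names and the 1-day session lifetime are constructed assumptions.

```ruby
# Added illustration (not GitLab's code): why applying the SSO-session check
# after the database LIMIT returns fewer groups than requested, and how
# filtering inside the query fixes it. All names and data are constructed.

SESSION_TIMEOUT = 24 * 60 * 60 # assumed 1-day SAML session lifetime, in seconds

Group = Struct.new(:id, :name, :saml_provider_id)

# Constructed sample data: groups 2 and 4 are SAML-enforced groups.
GROUPS = [
  Group.new(1, 'plain-a', nil),
  Group.new(2, 'saml-group', 10),
  Group.new(3, 'plain-b', nil),
  Group.new(4, 'saml-other', 11),
  Group.new(5, 'plain-c', nil)
].freeze

# Mirrors the needs_new_sso_session idea: a SAML group is only readable when
# the session records a sign-in for its provider that is still fresh.
# active_sign_ins maps saml_provider_id => Time of the last SSO sign-in.
def sso_session_active?(group, active_sign_ins, now)
  return true if group.saml_provider_id.nil?

  signed_in_at = active_sign_ins[group.saml_provider_id]
  !signed_in_at.nil? && (now - signed_in_at) < SESSION_TIMEOUT
end

# Buggy shape: LIMIT first (as the database does), then the policy check in
# Ruby. Rows rejected by the policy leave holes in the page.
def groups_filtered_after_limit(active_sign_ins, now, limit)
  page = GROUPS.first(limit)
  page.select { |g| sso_session_active?(g, active_sign_ins, now) }
end

# Fixed shape: exclude inactive-session SAML groups before applying LIMIT,
# so the page is filled with readable groups only.
def groups_filtered_in_query(active_sign_ins, now, limit)
  GROUPS.select { |g| sso_session_active?(g, active_sign_ins, now) }.first(limit)
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  expired = { 10 => now - 2 * SESSION_TIMEOUT } # provider 10 session has expired
  puts groups_filtered_after_limit(expired, now, 3).map(&:name).inspect # 2 groups
  puts groups_filtered_in_query(expired, now, 3).map(&:name).inspect   # 3 groups
end
```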

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Query plans

  1. Before - https://console.postgres.ai/gitlab/gitlab-production-main/sessions/29957/commands/93065
  2. After - https://console.postgres.ai/gitlab/gitlab-production-main/sessions/29957/commands/93068

How to set up and validate locally

  1. Follow Group SAML steps to set up SAML locally.
  2. Create a new group called SAML-group and enable SAML SSO through https://gdk.test:3000/groups/saml-group/-/saml.
  3. Add a new user (say user1) to the above group.
  4. Open the rails console and run the following:
       # look up the SAML group member created above
       user = User.find(<user1-id>)
       Organizations::GroupsFinder.new(user).execute

The SAML group won't be returned.

  5. Now simulate a SAML sign-in by running:
       # record a fresh SSO sign-in for the group's SAML provider in the session
       Gitlab::Session.with_session({ active_group_sso_sign_ins: { SamlProvider.last.id => Time.current } }) do
         Organizations::GroupsFinder.new(user).execute
       end

The SAML group will be returned.

Related to #461083 (closed)
