Implement SAML 2 external provider

[mraerino]

- Summary

These changes will enable GoTrue to perform SSO with any SAML 2.0 compliant auth provider.

It is based on the mostly stable lib gosaml2

Changes:

• /authorize?provider=saml will redirect to the SAML provider
• /saml/acs processes the SAML callback post data
• /saml/metadata exposes SAML metadata
• config.external.saml accepts provider config
• auto-generates cert & key if no custom keypair provided

Config for the provider at external.saml looks like :

{
    "enabled": true,
    "metadata_url": "<URL to IdP metadata>",
    "api_base": "<URL of GoTrue API root>",
    "name": "<override provider name in identity widget>",
    "signing_cert": "<PEM-encoded X509 cert for signing>",
    "signing_key": "<PEM-encoded private key for singing>"
}

There is a PR for the netlify-identity-widget to support this provider and allow provider names overrides: netlify/netlify-identity-widget#150

Tested with:

• G Suite
• Okta
• Azure AD
• Auth0

- Test plan

My tests cover:

• One successful authorization flow
• Field value verification in authorization flow
• Some fields of the SP metadata endpoint

- Description for the changelog

Add support for external SAML 2 SSO provider

- A picture of a cute animal (not mandatory but encouraged)

---

Disclaimer: Netlify is paying me for this. This is based on previous negotiations with them.

[vmorsell]

Great work @mraerino! Any idea when it will be merged and implemented?

[mraerino]

@vmorsell I don't know. Someone from Netlify still needs to review this. They seem pretty busy with things these days.

If you want to use this feature in your own gotrue deployment you could just use my branch and build it yourself. Should be straight-forward, at least when using the Dockerfile.