- Dec 10, 2021
-
-
David Taylor authored
Regression introduced in e9f9150b
-
David Taylor authored
-
David Taylor authored
GlobalSettings configured via environment variables will continue to take precedence, so this change is backwards compatible.
  - `.presence` is added to string values, since 'unset' site settings are never `nil`
  - saml_force_domains is split on `|` and `,` because site settings expect a `|`, while the old global setting expected a `,`
  - Specs are migrated to use SiteSettings, because GlobalSettings do not override SiteSettings in test mode
-
David Taylor authored
Follow-up to d137e981. If the cross-site POST returns a Set-Cookie header, it will overwrite the existing session, and we'll lose the redirect URL. This commit instructs rack not to persist a session cookie in this response.
-
David Taylor authored
SAML flows end in a cross-site POST back to Discourse. We have the SameSite=lax attributes on our session cookies so this cross-site POST request has no cookies, and therefore we are unable to check any values in the `session`. This commit makes the browser re-submit the POST request in a SameSite context (i.e. with cookies). Upon receiving a cross-site POST, it renders a simple HTML form with some auto-submit JS. This form submits exactly the same data to the same URL, but this time the request will include the cookies, and authentication can complete properly.
-
- Dec 09, 2021
-
-
David Taylor authored
The prefix is added by the helper. Adding it here causes it to be prefixed twice.
-
David Taylor authored
This centralises our logic for accessing settings. This particular commit should be a no-op. I intend to follow up with the new site setting definitions in a future commit.
-
- Dec 08, 2021
-
-
David Taylor authored
This means that the name/title can be set per-site and per-locale. This change is backwards-compatible - any existing sites which have configured the GlobalSettings will use those cluster-wide.
-
David Taylor authored
Putting this logic into the omniauth strategy is much cleaner because:
  - we no longer need a Rails controller and the associated `custom_url` parameter
  - we can re-use the `authn_request` instance which is automatically generated by the omniauth strategy, rather than re-implementing that logic
  - the behavior is decided at runtime, rather than during initialization. This makes it testable, and is another step on the way to making the plugin multisite-compatible

This commit also introduces a spec for the feature.
-
David Taylor authored
This will allow much easier testing of the strategy, and is one more step towards making the SAML plugin multisite-compatible
-
- Dec 07, 2021
-
-
David Taylor authored
For `name`, the previous intention was to use the `fullName` attribute, and then fall back to "firstname lastname". However, a bug in the implementation meant that the `fullName` was skipped. This commit updates the logic to lean on omniauth-saml's attribute_statements for the fullName, firstName and lastName attributes, and also updates the priority logic so that fullName is indeed prioritized.
-
- Dec 06, 2021
-
-
David Taylor authored
-
David Taylor authored
-
David Taylor authored
-
David Taylor authored
-
David Taylor authored
-
David Taylor authored
The styling no longer works with Discourse's current login UI, so let's remove it. The OnceOff job was to migrate from an old data format more than 4 years ago. It's exceptionally unlikely that anyone is going to upgrade from such an old version. If they do, they could still extract the data manually and migrate it.
-
- Oct 27, 2021
-
-
Bastien Le Querrec authored
Co-authored-by: Bastien Le Querrec <blq@laquadrature.net>
-
- Oct 21, 2021
-
-
Andreas Teuber authored
If your IDP transmits `cn=groupname,cn=groups,dc=example,dc=com` you can set this to true to use only `groupname`. This is useful if you want to keep the standard group name length of Discourse (20 characters).
Co-authored-by: Andreas Teuber <andreas.teuber@passiv.de>
-
- Sep 27, 2021
-
-
Vinoth Kannan authored
Our hosted sites running on the stable branch have issues with the `rexml` gem and are returning a "missing gem" error.
-
- Sep 24, 2021
-
-
Vinoth Kannan authored
Recent commit 9d836281 is not compatible with old versions of Discourse.
-
- Sep 22, 2021
-
-
Roman Rizzi authored
We started seeing [this error](https://github.com/onelogin/ruby-saml/issues/577) on some of our sites, which has been fixed on 1.12.1.
-
- Jul 27, 2021
-
-
Vinoth Kannan authored
-
- Jul 23, 2021
-
-
Vinoth Kannan authored
Now we can sync or create user fields based on the new `saml_user_field_statements` environment variable's mapping.
-
- Mar 25, 2021
-
-
David Taylor authored
These were removed from core in https://github.com/discourse/discourse/commit/d2bceff133ac152678a1407d45fea260a0fe8536
-
- Nov 12, 2020
-
-
Vinoth Kannan authored
-
- Jun 05, 2020
-
-
p-betula authored
-
- Apr 29, 2020
-
-
Bernhard Suttner authored
In case the user isn't assigned to any (non-automatic) group, the user wasn't added.
-
- Apr 23, 2020
-
-
Robin Ward authored
This makes sure the saml_request can only insert strings into the HTML form.
-
Robin Ward authored
-
Robin Ward authored
-
- Apr 17, 2020
-
-
discoursehosting authored
  * Support for GlobalSetting.saml_base_url
  * Push file with class method...

Co-authored-by: Richard <richard@discoursehosting.com>
-
- Apr 07, 2020
-
-
Vinoth Kannan authored
-
- Feb 04, 2020
-
-
Rafael dos Santos Silva authored
-
- Jan 07, 2020
-
-
Vinoth Kannan authored
-
- Nov 27, 2019
-
-
Bernhard Suttner authored
-
- Nov 25, 2019
-
-
Allen Hancock authored
-
Bernhard Suttner authored
  * RFC: groups full sync
  * Update lib/saml_authenticator.rb
    Co-Authored-By: Robin Ward <robin.ward@gmail.com>
  * Update lib/saml_authenticator.rb
    Co-Authored-By: Robin Ward <robin.ward@gmail.com>
  * Update README.md
    Co-Authored-By: Robin Ward <robin.ward@gmail.com>
-
Bernhard Suttner authored
-
- Nov 18, 2019
-
-
Bernhard Suttner authored
-