Core just updated rexml to 3.2.6 so we will need to update the one here as well

Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4.
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](https://github.com/jonschlinkert/word-wrap/compare/1.2.3...1.2.4

)

---
updated-dependencies:
- dependency-name: word-wrap
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [semver](https://github.com/npm/node-semver) from 6.3.0 to 6.3.1.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md)
- [Commits](https://github.com/npm/node-semver/compare/v6.3.0...v6.3.1

)

---
updated-dependencies:
- dependency-name: semver
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Co-authored-by: discoursebuild <build@discourse.org>

Bumps [json5](https://github.com/json5/json5) from 2.2.1 to 2.2.2.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](https://github.com/json5/json5/compare/v2.2.1...v2.2.2

)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

And add a option to add multiple certificates in site setting with "|" separator.

This commit already added in a brach and deployed to a client before. https://github.com/discourse/discourse-saml/commit/ddeb2615529eb0f9cac9621e247feebf31e65fee

Co-authored-by: discoursebuild <build@discourse.org>

* DEV: Bump rubocop-discourse

* Fix rubocop violations

Co-authored-by: discoursebuild <build@discourse.org>

* DEV: Update CI workflows
* DEV: Update CI setup
* prettier

Co-authored-by: discoursebuild <build@discourse.org>
Co-authored-by: Jarek Radosz <jradosz@gmail.com>

Co-authored-by: discoursebuild <build@discourse.org>

Co-authored-by: discoursebuild <build@discourse.org>

`name` is nil... so this logic was not working at all

In production, the SAML omniauth strategy returns some very complex data structures in the `extra` data. These have circular references, and can cause a "stack level too deep" error when serializing to JSON. This commit simplifies thing so we only try to store the attributes hash.

All data will be automatically migrated from `oauth2_user_infos` to the `user_associated_accounts` table

There is only one SAMLAuthenticator instance per-process. Storing user-specific state in it is risky (although, in our default unicorn-based config, is unlikely to cause issues because we only handle one concurrent request per process).

This commit also updates our implementation to use the built-in `#single` and `#multi` methods provided by the SAML gem. This avoids the need for our custom `&.first`, `&.split` and `&.join` implementation.

Starting from https://github.com/discourse/discourse/commit/c2022521906b3c44a8a21e8eb2527c8650e06a18 we can pass to `UsernameSuggester` an array of inputs parameters and it'll be skipping invalid items and trying next ones.

Co-authored-by: CvX <CvX@users.noreply.github.com>

The change in 245b70d4 means that the CSP middleware now activates for the `/auth/saml` route. That's good, but it also broke things for subfolder installations because the CSP includes the base_path, while the SAML script path did not. This commit fixes that, and adds an integration spec to ensure the script is included in the script_src directive for regular and subfolder sites.

In the vast majority of cases, this wasn't causing a problem because browsers will auto-detect the content-type. However, if any intermediate proxies add the `X-Content-Type-Options: nosniff` header, then the html will be displayed as plain text, and login will be broken.

The SAML spec requires compression for the standard Redirect binding. However, it is not used in the POST binding. This regressed during the refactoring of 95ccea3f

Some variable renames were missed, and some specs are no longer relevant

Core takes care of suggesting usernames during normal signup. Suggesting them here as well can cause unexpected issues (e.g. when staged users sign up).

The SAML plugin currently has a bespoke `auto_create_account` implementation, which **does** need to do its own username suggestion. Therefore this commit moves all the suggestion logic into `auto_create_account`.

An integration spec for staged-user signup is also introduced.

Regression introduced in e9f9150b

GlobalSettings configured via environment variables will continue to take precendence, so this change is backwards compatible.

- `.presence` is added to string values, since 'unset' site settings are never `nil`
- saml_force_domains is split on `|` and `,` because site settings expect a `|`, while the old global setting expected a `,`
- Specs are migrated to use SiteSettings, because GlobalSettings do not override SiteSettings in test mode

Follow-up to d137e981. If the cross-site POST returns a Set-Cookie header, it will overwrite the existing session, and we'll lose the redirect URL. This commit instructs rack not to persist a session cookie in this response.

SAML flows end in a cross-site POST back to Discourse. We have the SameSite=lax attributes on our session cookies so this cross-site POST request has no cookies, and therefore we are unable to check any values in the `session`.

This commit makes the browser re-submit the POST request in a SameSite context (i.e. with cookies). Upon receiving a cross-site POST, it renders a simple HTML form with some auto-submit JS. This form submits exactly the same data to the same URL, but this time the request will include the cookies, and authentication can complete properly