feat: SAML Authentication #2426

Merged
dpgaspar merged 9 commits into master from feat/saml-auth
Feb 5, 2026

Conversation

@dpgaspar (Owner) commented Feb 2, 2026

Description

Add SAML 2.0 authentication support (AUTH_SAML) to Flask-AppBuilder, following the same patterns used by OAuth authentication.

New modules (flask_appbuilder/security/saml/):

  • types.py — TypedDict definitions for all SAML data structures (provider config, SP config, security settings, flask request, user info)
  • utils.py — Pure utility functions: map_saml_attributes() (maps SAML assertion attributes to FAB user fields) and fetch_idp_metadata()
  • metadata.py — SP metadata XML generation via python3-saml

Security manager (manager.py):

  • auth_user_saml() — Main authentication method (user lookup, registration, role sync, info update)
  • get_saml_login_redirect_url() / get_saml_userinfo() / get_saml_logout_redirect_url() — SAML protocol methods delegated from the view
  • get_saml_provider() / get_saml_settings() — Provider config helpers
  • _prepare_saml_request() / _get_saml_auth() — Internal helpers for python3-saml integration
  • _saml_calculate_user_roles() — Role calculation with AUTH_ROLES_MAPPING and jmespath support
  • New properties: saml_providers, saml_config

Views (views.py):

  • AuthSAMLView — Endpoints for login (/login/<idp>), ACS (/saml/acs/), SLO (/saml/slo/), logout, and SP metadata (/saml/metadata/)
  • UserSAMLModelView — User model view for SAML auth type
  • View is thin — delegates all SAML protocol logic to the security manager

Other changes:

  • const.py — Added AUTH_SAML = 5
  • setup.py — Added saml extras_require (python3-saml>=1.15.0)
  • requirements/extra.txt — Added python3-saml dependency
  • sqla/manager.py — Register SAML user view datamodel
  • docs/security.rst — Full SAML documentation section (configuration, endpoints, role mapping)

Features:

  • SP-initiated SSO with multiple IdP support
  • Single Logout (SLO) — SP-initiated and IdP-initiated
  • Configurable attribute mapping from SAML assertions to FAB user fields
  • Role sync at login via AUTH_ROLES_MAPPING and jmespath expressions
  • Auto user registration with AUTH_USER_REGISTRATION
  • User info updates from SAML assertions on each login
  • SP metadata endpoint for IdP configuration
  • Login page with IdP selection (auto-redirect for single IdP)

Testing:

  • 25 tests covering: attribute mapping, user registration, role sync, role mapping, jmespath roles, inactive users, email fallback, login page behavior, ACS endpoint

ADDITIONAL INFORMATION

  • Has associated issue:
  • Is CRUD MVC related.
  • Is Auth, RBAC security related.
  • Changes the security db schema.
  • Introduces new feature
  • Removes existing feature
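As an added, stand-alone illustration of the attribute mapping and role sync the description lists (example code written for this page, not the PR's or Flask-AppBuilder's own implementation): python3-saml hands the ACS handler every assertion attribute as a list of string values, so the mapper takes the first value for single-valued fields and keeps the whole list for the role source, and the role calculation ignores any IdP group that AUTH_ROLES_MAPPING does not list. The configuration key names, the User dataclass, the in-memory user store and the sample assertion attributes are all constructed for this example; the jmespath expression form of role mapping that the PR also supports is not exercised here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed config in the shape FAB uses for OAuth providers; the key names
# are assumptions for this example, not the PR's exact schema.
SAML_ATTRIBUTE_MAP = {
    "username": "uid",
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
    "role_keys": "memberOf",  # multi-valued: IdP groups used for role sync
}
# AUTH_ROLES_MAPPING in dict form: IdP group value -> FAB role names.
AUTH_ROLES_MAPPING = {
    "cn=fab-admins,ou=groups,dc=example,dc=com": ["Admin"],
    "cn=fab-users,ou=groups,dc=example,dc=com": ["Viewer"],
}
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"

# Constructed assertion attributes, in the name -> list-of-values form that
# python3-saml's get_attributes() returns.
SAMPLE_ATTRIBUTES = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "memberOf": ["cn=fab-users,ou=groups,dc=example,dc=com",
                 "cn=unrelated,ou=groups,dc=example,dc=com"],  # unmapped: ignored
}


@dataclass
class User:
    username: str
    email: str
    first_name: str = ""
    last_name: str = ""
    roles: List[str] = field(default_factory=list)
    active: bool = True


def map_saml_attributes(attributes: Dict[str, List[str]],
                        attribute_map: Dict[str, str]) -> dict:
    """Single-valued fields take the first value; role_keys keeps the whole list.
    With no username attribute, the email address is used as the username."""
    info: dict = {}
    for fab_field, saml_attr in attribute_map.items():
        values = attributes.get(saml_attr) or []
        if fab_field == "role_keys":
            info[fab_field] = list(values)
        elif values:
            info[fab_field] = values[0]
    if not info.get("username") and info.get("email"):
        info["username"] = info["email"]
    return info


def calculate_user_roles(role_keys: List[str], roles_mapping: Dict[str, List[str]],
                         default_role: Optional[str]) -> List[str]:
    """Unmapped IdP groups grant nothing; the registration default applies only
    when no group maps, so a group the operator never listed cannot grant a role."""
    roles = set()
    for key in role_keys:
        roles.update(roles_mapping.get(key, []))
    if not roles and default_role:
        roles.add(default_role)
    return sorted(roles)


def auth_user_saml(user_db: Dict[str, User],
                   attributes: Dict[str, List[str]]) -> Optional[User]:
    """Lookup -> optional registration -> inactive check -> role/info sync.
    Returns the User to log in, or None when the login must be refused."""
    info = map_saml_attributes(attributes, SAML_ATTRIBUTE_MAP)
    username = info.get("username")
    if not username:
        return None  # assertion carried neither a username nor an email
    user = user_db.get(username)
    if user is None and info.get("email"):
        # Email fallback: match an existing account by its email address.
        user = next((u for u in user_db.values() if u.email == info["email"]), None)
    if user is None:
        if not AUTH_USER_REGISTRATION:
            return None  # unknown user and self-registration is disabled
        user = User(username=username, email=info.get("email", ""))
        user_db[username] = user
    if not user.active:
        return None  # a deactivated account is not revived by a fresh assertion
    # Name and roles are refreshed from the assertion on every login.
    user.first_name = info.get("first_name", user.first_name)
    user.last_name = info.get("last_name", user.last_name)
    user.roles = calculate_user_roles(info.get("role_keys", []),
                                      AUTH_ROLES_MAPPING, AUTH_USER_REGISTRATION_ROLE)
    return user
```

Two points worth checking in any real deployment of this flow: because roles are recomputed from the assertion on every login, removing a user from an IdP group takes effect at their next login rather than immediately, and a user whose groups all fall outside AUTH_ROLES_MAPPING ends up with only the registration role, which is the safe default.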

@aminghadersohi

I had my claude code do a review :D ignore any nonsense

@dpgaspar (Owner, Author) commented Feb 3, 2026

> I had my claude code do a review :D ignore any nonsense

Great comments, I've addressed them all with claude also ;)

@dpgaspar dpgaspar merged commit 1598de4 into master Feb 5, 2026
11 checks passed