
Group SAML metadata endpoint

James Edwards-Jones requested to merge jej/group-saml-metadata-endpoint into master

What

  • Refactors SamlProvider so the omniauth settings can be used before IdP fields have been saved.
  • Introduces Group#discovery_token to convey that an anonymous user already knows of a group's existence.
  • Re-enables the /metadata group SAML endpoint so identity providers can retrieve configuration metadata. Requires the discovery token for this endpoint.
  • Links to the metadata endpoint from the Group SAML settings page.

Expands upon https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/5765 which disables the /metadata endpoint.

Why

Some identity providers require metadata XML to set SAML up, and with others there is an expectation it will be provided for ease of use.

Screenshots

Screen_Shot_2018-05-22_at_03.32.27

Screen_Shot_2018-05-22_at_03.16.13

Database Checklist

When adding migrations:

  • Updated db/schema.rb
  • Added a down method so the migration can be reverted
  • Added the output of the migration(s) to the MR body

== 20180520211048 AddDiscoveryTokenToNamespaces: migrating ====================
-- add_column(:namespaces, :discovery_token, :string)
   -> 0.0093s
== 20180520211048 AddDiscoveryTokenToNamespaces: migrated (0.0096s) ===========

Does this MR meet the acceptance criteria?

  • Changelog entry added, if necessary. Group SAML is aimed at GitLab.com but not yet enabled there, and is additionally hidden behind a beta cookie.
  • Documentation created/updated
  • Tests added for this feature/bug
  • Conforms to the code review guidelines
    • Has been reviewed by a UX Designer
    • Has been reviewed by a Backend maintainer
    • Has been reviewed by a Database specialist
  • EE specific content should be in the top level /ee folder
  • Internationalization required/considered
  • If paid feature, have we considered GitLab.com plan and how it works for groups, and is there a design for promoting it to users who aren't on the correct plan?
  • End-to-end tests pass (package-qa manual pipeline job)

What are the relevant issue numbers?

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/6090

Edited by Kamil Trzciński
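
The description above gates the /metadata endpoint on a discovery token so that an anonymous caller cannot use it to confirm that a group exists. The sketch below is an added example, not code from this merge request or from GitLab: DemoGroup, MetadataGate, the 404 response, the digest comparison and the gitlab.example.com URLs are all assumptions made for illustration.

```ruby
require 'digest'
require 'securerandom'

# Hypothetical stand-in for a group record; not GitLab's Group model.
DemoGroup = Struct.new(:path, :discovery_token)

class MetadataGate
  NOT_FOUND = [404, 'Not Found'].freeze
  DUMMY = SecureRandom.hex(16) # compared against when no real token exists

  def initialize(groups)
    @groups = groups.to_h { |g| [g.path, g] }
  end

  # Returns [status, body]. An unknown group, a group without a token and a
  # wrong token all produce the same response, so an anonymous caller learns
  # nothing about which group paths exist.
  def call(path, token)
    expected = @groups[path]&.discovery_token.to_s
    present = !expected.empty?
    matched = secure_equal?(present ? expected : DUMMY, token.to_s)
    return NOT_FOUND unless present && matched

    [200, metadata_xml(path)]
  end

  private

  # Compare fixed-length digests byte by byte without an early exit.
  def secure_equal?(a, b)
    x = Digest::SHA256.digest(a).bytes
    y = Digest::SHA256.digest(b).bytes
    x.zip(y).reduce(0) { |acc, (m, n)| acc | (m ^ n) }.zero?
  end

  def metadata_xml(path)
    base = "https://gitlab.example.com/groups/#{path}/-/saml" # constructed URL
    acs = "#{base}/callback" # assumed assertion consumer path
    <<~XML
      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID=#{base.encode(xml: :attr)}>
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=#{acs.encode(xml: :attr)} index="0"/>
        </SPSSODescriptor>
      </EntityDescriptor>
    XML
  end
end
```
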
