SAML Enforcement session is not set when using 2FA on GitLab
Problem
In Groups::OmniauthCallbacksController we call store_active_saml_session on sign_in and on link_identity. However when using 2FA users are instead shown a page where a 2FA token can be entered via prompt_for_two_factor.
Solution
The naive solution is to call store_active_saml_session from prompt_for_two_factor when using Group SSO, however it would be more correct to do so after the 2FA is complete. To take that approach we'll need to think about how to pass on our intention to store this.