2FA Unlock breaks Group SSO

Problem

Users with SSO and 2FA enabled have reported being unable to sign in after getting locked out of their account.

With password login, users are able to click an unlock link emailed to them and sign in again, but our SSO flow doesn't get unblocked by this action.

Steps to reproduce

  1. Use GitLab.com or configure GitLab instance with group_saml (https://gitlab.com/gitlab-org/gitlab-development-kit/blob/master/doc/howto/saml.md#gitlab-configuration)
  2. Create a Group and configure SAML SSO
  3. Enable SSO Enforcement, although this may not be required
  4. Enable 2FA for a user
  5. Attempt to sign in with SSO for that group
  6. Enter an incorrect 2FA code 10 times to trigger a 10-minute lock on sign-ins
  7. Hit a 500 error, although an email is still sent
  8. Check email and click the unlock link sent from GitLab
  9. Navigate back to the SSO sign-in page and attempt to sign in if presented with a form.
  10. Users have reported still being unable to sign in, but I can't reproduce this

Expected behaviour

With password sign-in, unlocking allows password sign-in to take place again.

Ideally we'd show instructions for resetting 2FA at some point.

Screenshots

TODO: Screenshots of the flow, or screencap.

Next steps

Investigate how the SSO callback behaviour differs from SessionController when 2FA has previously been locked.

Investigate why users are triggering 2FA lockouts. Are users confused and entering the 2FA code for their identity provider instead of the one for GitLab? Is something else triggering the lockout?

Edited Jan 31, 2020 by James Edwards-Jones