Make GMA feature a group conversion feature

Problem to solve

Currently we allow the Group Managed Accounts (GMA) feature to be enabled and disabled on the SSO configuration page. But the ability to disable it complicates the feature and slows development because of questions like, "what should we do with X after GMA is turned off?"

Disabling GMA is not likely to happen. Also, keep in mind that GMA is basically a gitlab.com-only feature, because self-hosted instances can fully control their memberships without the GMA feature. Disabling (and enabling) GMA is less likely on self-hosted instances.

@jeremy said in another issue: "I don't anticipate that anyone's going to turn [GMA] off, [so] I don't think that's an option we should work to support. I think we should make this one-way to make iterating here simpler."

Proposal

Let's make the GMA feature a "one way" conversion where the user can't rollback through the UI. If rollback is demanded by a particular user we can do it manually via support engineers on a case-by-case basis.

Open questions

1. How do we refer to a converted group? I think "GMA group" will not work, so we need a shorter name which describes the purpose of this type of groups for business. E.g. SAMLGroup or SAMLWorkspace. Any input is appreciated.
2. How should the conversion look? Need UI/UX input.