Support full certificate or SHA256 for SAML
Problem
Group SAML currently accepts only a SHA1 fingerprint of the IdP certificate for verifying the signature on SAML responses. The underlying SAML library also supports pinning the full IdP certificate and SHA256 fingerprints, and self-managed instances can already use both options, but Group SAML does not yet expose them.
Proposed Solution
Update the Group SAML implementation to:
- Support full certificates for signature verification
- Support SHA256 fingerprints
- Officially deprecate SHA1 fingerprints; an existing SHA1 configuration continues to work.
Implementation Details
Self-managed instances can already configure these options using:
```ruby
# omniauth-saml provider arguments on a self-managed instance
idp_cert: "--full certificate--", # preferred method: pin the IdP's signing certificate itself
# or
idp_cert_fingerprint: "<certificate fingerprint>", # fingerprint of that certificate
idp_cert_fingerprint_algorithm: "http://www.w3.org/2001/04/xmlenc#sha256", # defaults to SHA1 when omitted
```
We should extend similar functionality to Group SAML by:
- Adding the necessary database fields to store the full certificate and fingerprint algorithm
- Updating the Group SAML settings UI to allow configuration of these options
- Modifying the SAML authentication flow to use these settings when available
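The following Ruby snippet is an added illustration of what the three settings above actually check; it is not GitLab's or the SAML library's code. It generates a constructed self-signed certificate standing in for the IdP signing certificate, computes its fingerprint under the XML-DSig/XML-ENC algorithm URIs used by `idp_cert_fingerprint_algorithm`, and shows how `idp_cert` (full certificate, compared as DER) and `idp_cert_fingerprint` (compared after normalising colons and case) would each decide whether the certificate carried in a SAML response is trusted. The function names, the default-to-SHA1 behaviour when no algorithm is configured, and the settings hash layout are assumptions for the example.

```ruby
require 'openssl'

# Algorithm URIs accepted for idp_cert_fingerprint_algorithm (assumed mapping for this example).
FINGERPRINT_ALGORITHMS = {
  'http://www.w3.org/2000/09/xmldsig#sha1'        => OpenSSL::Digest::SHA1,
  'http://www.w3.org/2001/04/xmlenc#sha256'       => OpenSSL::Digest::SHA256,
  'http://www.w3.org/2001/04/xmldsig-more#sha384' => OpenSSL::Digest::SHA384,
  'http://www.w3.org/2001/04/xmlenc#sha512'       => OpenSSL::Digest::SHA512,
}.freeze

DEFAULT_ALGORITHM = 'http://www.w3.org/2000/09/xmldsig#sha1' # assumed default when the setting is absent

# Fingerprint of the DER encoding, in the usual colon-separated uppercase hex form.
def certificate_fingerprint(cert, algorithm_uri)
  digest = FINGERPRINT_ALGORITHMS.fetch(algorithm_uri) do
    raise ArgumentError, "unsupported fingerprint algorithm: #{algorithm_uri}"
  end
  digest.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Admins paste fingerprints with or without colons and in either case; compare a canonical form.
def normalize_fingerprint(fingerprint)
  fingerprint.to_s.delete(': ').upcase
end

def fingerprint_matches?(cert, configured_fingerprint, algorithm_uri)
  actual   = normalize_fingerprint(certificate_fingerprint(cert, algorithm_uri))
  expected = normalize_fingerprint(configured_fingerprint)
  # A SHA1 fingerprint configured against a SHA256 algorithm (or vice versa) can never match.
  actual.bytesize == expected.bytesize && actual == expected
end

# Accept the pinned certificate as PEM with or without the BEGIN/END armour and line breaks.
def parse_certificate(text)
  body = text.gsub(/-----(BEGIN|END) CERTIFICATE-----/, '').gsub(/\s+/, '')
  OpenSSL::X509::Certificate.new(body.unpack1('m'))
end

# Decide whether the certificate embedded in a SAML response is the configured IdP certificate.
# idp_cert wins when present; otherwise fall back to the fingerprint and its algorithm.
def idp_certificate_trusted?(response_cert, settings)
  if settings[:idp_cert]
    parse_certificate(settings[:idp_cert]).to_der == response_cert.to_der
  elsif settings[:idp_cert_fingerprint]
    algorithm = settings[:idp_cert_fingerprint_algorithm] || DEFAULT_ALGORITHM
    fingerprint_matches?(response_cert, settings[:idp_cert_fingerprint], algorithm)
  else
    false
  end
end

# Constructed stand-in for an IdP signing certificate (self-signed, for the example only).
def generate_self_signed_certificate(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if __FILE__ == $PROGRAM_NAME
  idp_cert = generate_self_signed_certificate('example-idp')
  sha256   = certificate_fingerprint(idp_cert, 'http://www.w3.org/2001/04/xmlenc#sha256')
  puts "SHA256 fingerprint: #{sha256}"
  puts "full cert pinned:  #{idp_certificate_trusted?(idp_cert, idp_cert: idp_cert.to_pem)}"
  puts "sha256 fingerprint: #{idp_certificate_trusted?(idp_cert,
    idp_cert_fingerprint: sha256, idp_cert_fingerprint_algorithm: 'http://www.w3.org/2001/04/xmlenc#sha256')}"
end
```

Pinning the full certificate is preferred because the comparison is on the exact DER bytes rather than on a digest of them, so the strength of the check no longer depends on which fingerprint algorithm an administrator selected. The length check in `fingerprint_matches?` is the practical edge case to keep in mind for the UI work: a SHA1 fingerprint saved alongside a SHA256 algorithm setting will silently fail every login, so the settings form should validate that the fingerprint length matches the chosen algorithm.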
Edited by Drew Blessing