Group SAML metadata endpoint potentially reveals private groups

What

Disable Group SAML metadata endpoint /auth/users/group_saml/metadata?group_path=my-group

Why

This potentially exposes private groups, and so should be disabled before we take Group level SAML out of beta.

Ideally we'd re-enable it in a way which couldn't be used to determine if a given group exists, such as requiring a token verification