Resolve "SSO enforcement should enforce on subgroups"

What does this MR do?

This MR enforces SSO on subgroups and on projects where the SSO enforcement is enabled on the root group.

When a logged-out user navigates to a subgroup, the system redirects to the SSO login page. After successful login, the requested subgroup's show page is loaded. (This works for projects as well.)

Does this MR meet the acceptance criteria?

Conformity

Performance and testing

When accessing a subgroup, the root ancestor (top group) also needs to be looked up in order to properly load the "saml_provider" and check against the SSO enforcement feature (ee/lib/gitlab/auth/group_saml/sso_enforcer.rb).

In this commit, the root_ancestor method is memoized in order to reduce the number of queries.

Closes #12189 (closed)

Edited by Thong Kuah
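
The rule described above (subgroups and projects take their SSO enforcement from the root group, with the root lookup memoized), as an added Ruby example that is not code from this merge request or from GitLab. All class, method and constant names are hypothetical, and the `parent_lookups` counter stands in for database queries.

```ruby
# Added illustration; names are hypothetical, not GitLab's implementation.
class Group
  attr_reader :name, :parent, :saml_provider, :parent_lookups

  def initialize(name, parent: nil, saml_provider: nil)
    @name = name
    @parent = parent
    @saml_provider = saml_provider
    @parent_lookups = 0
  end

  # Walk up to the top-level group once and cache the result, so repeated
  # enforcement checks in one request do not repeat the traversal.
  def root_ancestor
    return @root_ancestor if defined?(@root_ancestor)

    node = self
    while node.parent
      @parent_lookups += 1 # stands in for one database query
      node = node.parent
    end
    @root_ancestor = node
  end
end

SamlProvider = Struct.new(:id, :enforced_sso)
Project = Struct.new(:name, :group)

class SsoEnforcer
  # sso_sessions: ids of SAML providers the user has an active SSO session for
  def initialize(sso_sessions)
    @sso_sessions = sso_sessions
  end

  # resource may be a root group, a subgroup or a project. The decision is
  # always taken from the root group's provider, never from the subgroup.
  def access_restricted?(resource)
    group = resource.respond_to?(:group) ? resource.group : resource
    provider = group.root_ancestor.saml_provider
    return false unless provider&.enforced_sso

    !@sso_sessions.include?(provider.id)
  end
end

# Constructed sample hierarchy: root (SSO enforced) > team > api > project.
ROOT = Group.new('root', saml_provider: SamlProvider.new(1, true))
TEAM = Group.new('team', parent: ROOT)
API = Group.new('api', parent: TEAM)
PROJECT = Project.new('service', API)
```

A caller that gets `true` from `access_restricted?` would redirect to the SSO login page and return to the requested subgroup or project after login, as the description states.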