Separate SCIM Identities from SAML

Outcome of discussion/decision in #207553 (closed)

  • Create a new scim_identities model to store SCIM identities. It will look very similar to the existing identities model but will not have secondary_extern_uid and will add an active boolean. This gives us more flexibility in the future if we need to store additional details from SCIM.
  • To migrate existing SAML + SCIM combined identity to separate identities, create a SCIM identity only when there is a SAML identity and a SCIM token has been generated for the group.
  • Deprovisioning will work by:
    • Setting the active attribute to false for the scim_identity
    • Not removing any identities (SAML or SCIM)
    • Removing the member from the group
  • SCIM provisioning will work the same way it does now, which I don't yet fully understand. But there are some safeguards to prevent account takeover of random accounts that are otherwise not associated with an organization.

These are things we probably want, but they can likely come later. We can create new issues for them as follow-ups.

  • SAML will not be allowed to re-add a member when the SCIM identity is not active. But it will if active is true or if the identity doesn't exist. - #214698
  • Group maintainers/owners will not be able to add a member manually when a SCIM identity exists and is not active. - #214699
  • Preferably we should create audit events for provisioning and deprovisioning members via SCIM to avoid surprise. - #214701
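To make the proposal concrete, here is an added in-memory sketch of the data model and the rules listed above (separate scim_identities with an active flag, the migration condition, deprovisioning that keeps identity rows but removes the membership, the SAML/manual re-add guard, and audit events). It is illustration only, not GitLab's code: the struct and class names, the "group_saml" provider string, the audit-event shape and the choice that a SCIM provision request reactivates an inactive identity are all assumptions.

```ruby
# Added example, not GitLab's own code. Names, the "group_saml" provider string and
# the audit-event hashes are assumptions made for illustration.
Identity     = Struct.new(:user_id, :provider, :extern_uid, keyword_init: true)
ScimIdentity = Struct.new(:user_id, :group_id, :extern_uid, :active, keyword_init: true)

class Group
  attr_reader :id, :members, :audit_events

  def initialize(id, scim_token: nil)
    @id = id
    @scim_token = scim_token   # nil until an owner generates a SCIM token
    @members = {}              # user_id => true
    @audit_events = []
  end

  def scim_token?
    !@scim_token.nil?
  end
end

class IdentityStore
  attr_reader :identities, :scim_identities

  def initialize
    @identities = []       # existing `identities` rows (SAML)
    @scim_identities = []  # proposed `scim_identities` rows
  end

  def saml_identity(user_id)
    @identities.find { |i| i.user_id == user_id && i.provider == "group_saml" }
  end

  def scim_identity(user_id, group)
    @scim_identities.find { |s| s.user_id == user_id && s.group_id == group.id }
  end

  # Migration rule: split out a SCIM identity only when the user already has a SAML
  # identity AND the group has generated a SCIM token; otherwise create nothing.
  def migrate_to_scim_identity(user_id, group)
    saml = saml_identity(user_id)
    return nil unless saml && group.scim_token?

    scim_identity(user_id, group) ||
      ScimIdentity.new(user_id: user_id, group_id: group.id,
                       extern_uid: saml.extern_uid, active: true).tap { |s| @scim_identities << s }
  end

  # Deprovisioning: flag the SCIM identity inactive, leave every identity row in place,
  # remove the membership and record an audit event (#214701).
  def deprovision(user_id, group)
    scim = scim_identity(user_id, group)
    raise ArgumentError, "no SCIM identity for user #{user_id}" unless scim

    scim.active = false
    group.members.delete(user_id)
    group.audit_events << { action: :scim_deprovision, user_id: user_id, group_id: group.id }
    scim
  end

  # Membership guard (#214698, #214699): SAML sign-in and manual adds by maintainers/owners
  # are refused while an inactive SCIM identity exists; allowed if it is active or absent.
  # Assumption: a SCIM provision request creates or reactivates the identity and is audited.
  def add_member(user_id, group, via:, extern_uid: nil)
    scim = scim_identity(user_id, group)
    if via == :scim
      if scim
        scim.active = true
      else
        @scim_identities << ScimIdentity.new(user_id: user_id, group_id: group.id,
                                             extern_uid: extern_uid, active: true)
      end
      group.audit_events << { action: :scim_provision, user_id: user_id, group_id: group.id }
    elsif scim && !scim.active
      return false   # blocked: user was deprovisioned through SCIM
    end
    group.members[user_id] = true
    true
  end
end

# Walks through migrate -> deprovision -> re-add attempts on constructed sample data.
def run_scenario
  store = IdentityStore.new
  group = Group.new(1, scim_token: "constructed-token")
  store.identities << Identity.new(user_id: 42, provider: "group_saml", extern_uid: "alice@example.test")
  group.members[42] = true

  without_token = store.migrate_to_scim_identity(42, Group.new(2)).nil?   # no token => nothing created
  scim = store.migrate_to_scim_identity(42, group)
  store.deprovision(42, group)
  scim_active = scim.active
  member_after = group.members.key?(42)
  saml_readd = store.add_member(42, group, via: :saml)
  manual_readd = store.add_member(42, group, via: :manual)
  scim_readd = store.add_member(42, group, via: :scim)

  { migration_without_token: without_token, saml_identity_kept: !store.saml_identity(42).nil?,
    scim_active: scim_active, member_after_deprovision: member_after,
    saml_readd: saml_readd, manual_readd: manual_readd, scim_readd: scim_readd,
    audit_events: group.audit_events.map { |e| e[:action] } }
end

puts run_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

Running the scenario shows the SAML identity row surviving deprovisioning while the membership is gone, both the SAML and the manual re-add being refused against the inactive SCIM identity, and the two audit events that make the provisioning history reviewable.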
Edited by Drew Blessing