Add SAML 2.0 SSO.
Review Request #12254 — Created April 24, 2022 and submitted — Latest diff uploaded
This change adds SAML 2.0 support for single-sign-on authentication. It
includes a few major pieces:
- Infrastructure for SSO backends including registry, configuration machinery, and URL registration.
- Updates to settings forms to allow me to toggle some subforms based on a checkbox enabler rather than via drop-downs.
- SAML 2.0 backend which includes configuration, login/logout, and user provisioning.
The vast majority of the settings available are specific to SAML,
including the various URLs and method settings. Because of some user
feedback we've already received, I've added a toggle to control the
behavior of user provisioning. In most cases, the person using this has
absolute trust in the integrity and correctness of their IdP, but in
some cases that may not be true. If the "username" parameter cannot
necessarily be trusted, there's an option to force existing users to log
in with their Review Board password at least once.
Testing was done with a test application on onelogin.com with the
relevant configuration to authenticate to my server on localhost.
- Logged in with existing user that had a username match.
- Logged in with user that had an email match and saw correct detection of the existing user.
- Logged in with a user that had no existing match and saw provision screen. Proceeded and was logged in with a new user with correct name/email/etc.
- Tested behavior of "require login" toggle.
- Logged out from onelogin portal and saw GET request to the SLS endpoint which flushed the session and then redirected back to the onelogin login page.
- Tested authentication configuration page, enabling/disabling settings, and making changes to settings. Tested behavior when the python3-saml package wasn't installed.
- Tested text of button on login page, and that it redirected to the SSO login flow.
- Ran unit tests.
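The user-matching and "require login" behavior described in the request above, as an added example that is not code from the review request or from Review Board itself: it matches a SAML assertion to a local account by username and then by e-mail, and, when the IdP-supplied username is not trusted, withholds direct login until the existing user has confirmed with their local password once. The `User`, `SSODecision` and `resolve_sso_user` names are assumptions for this example, not Review Board's own API.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for the local user table (Review Board would use
# Django's User model; this example does not depend on it).
@dataclass
class User:
    username: str
    email: str
    # Set once the user has logged in with their Review Board password
    # after SSO was enabled; consulted by the "require login" policy.
    sso_password_verified: bool = False

@dataclass
class SSODecision:
    action: str           # "login", "require_password" or "provision"
    user: Optional[User]  # matched account, or None when provisioning

def resolve_sso_user(users: Iterable[User], saml_username: str,
                     saml_email: str, require_password_login: bool) -> SSODecision:
    """Decide what to do with an authenticated SAML assertion.

    Matching order follows the request: username first, then e-mail.
    With require_password_login set, an existing account that has not yet
    been confirmed with its local password is not logged in directly, so a
    mis-issued or attacker-controlled username at the IdP cannot take over
    an account on its own.
    """
    users = list(users)
    by_username = {u.username: u for u in users}
    by_email = {u.email.lower(): u for u in users}
    user = by_username.get(saml_username) or by_email.get(saml_email.lower())
    if user is None:
        return SSODecision("provision", None)
    if require_password_login and not user.sso_password_verified:
        return SSODecision("require_password", user)
    return SSODecision("login", user)

def confirm_with_password(user: User, password_ok: bool) -> bool:
    """Record a successful local-password login; later SSO logins proceed."""
    if password_ok:
        user.sso_password_verified = True
    return user.sso_password_verified
```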