Respect User.is_active when logging in with SAML SSO.
Review Request #14331 — Created Feb. 6, 2025 and submitted — Latest diff uploaded
When we built the SSO support, we made the assumption that all user
management would happen on the IdP side. We've had a report of a user
that wants to connect their IdP generally, but selectively mark users as
active or not on the Review Board side.

This change makes it so the SAML ACS and link-user views check the
is_active flag. In the link-user flow, we rely on the authentication
view/form to show the same error that someone would get if they were
logging in with a username and password. In the ACS flow, we just
redirect to a permission denied page.

While writing tests for this, things were getting a little unwieldy, so
I split up the SAML view tests into separate classes.

- Set my user account to inactive and tried to log in with SAML. Saw
  that things worked as expected.
- Ran unit tests.
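
A stand-alone model of the two checks described above, added here as an example and not Review Board's own code. `Outcome`, `User`, `acs_login`, `link_user` and the sample accounts are hypothetical, and refusing to link an inactive account is an assumption of this example.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Outcome(Enum):
    LOGGED_IN = "logged_in"
    NEEDS_LINK = "needs_link"                # no local user linked to this NameID yet
    PERMISSION_DENIED = "permission_denied"  # ACS flow, inactive local user
    FORM_ERROR = "form_error"                # link-user flow, same error as a password login


@dataclass
class User:                                  # hypothetical stand-in for the local account model
    username: str
    password: str                            # constructed demo value; real systems store a hash
    is_active: bool = True
    saml_name_id: Optional[str] = None


def acs_login(users: List[User], name_id: str) -> Tuple[Outcome, Optional[User]]:
    """Runs after the SAML response has been validated; the IdP's word is not enough."""
    user = next((u for u in users if u.saml_name_id == name_id), None)
    if user is None:
        return Outcome.NEEDS_LINK, None
    if not user.is_active:
        return Outcome.PERMISSION_DENIED, None   # no session for a locally disabled user
    return Outcome.LOGGED_IN, user


def link_user(users: List[User], name_id: str, username: str,
              password: str) -> Tuple[Outcome, Optional[User]]:
    """Links a validated NameID to a local account after a username/password check."""
    user = next((u for u in users if u.username == username), None)
    if user is None or not hmac.compare_digest(user.password.encode(), password.encode()):
        return Outcome.FORM_ERROR, None
    if not user.is_active:
        return Outcome.FORM_ERROR, None          # assumption: inactive accounts are not linked
    user.saml_name_id = name_id
    return Outcome.LOGGED_IN, user


def sample_users() -> List[User]:
    """Constructed sample accounts."""
    return [
        User("alice", "pw-a", saml_name_id="alice@idp.example"),
        User("bob", "pw-b", is_active=False, saml_name_id="bob@idp.example"),
        User("carol", "pw-c", is_active=False),
        User("dave", "pw-d"),
    ]
```
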
Diff Revision 1
This is not the most recent revision of the diff. The latest diff is revision 3.
Files
- reviewboard/accounts/errors.py
- reviewboard/accounts/sso/backends/base.py
- reviewboard/accounts/sso/backends/saml/forms.py
- reviewboard/accounts/sso/backends/saml/sso_backend.py
- reviewboard/accounts/sso/backends/saml/views.py
- reviewboard/accounts/tests/test_saml_forms.py
- reviewboard/accounts/tests/test_saml_views.py