[PM-1632] Redirect on SsoRequired - return SsoOrganizationIdentifier (#6597)

feat: add SSO request validation and organization identifier lookup

- Implement SsoRequestValidator to validate SSO requirements
- Add UserSsoOrganizationIdentifierQuery to fetch organization identifiers
- Create SsoOrganizationIdentifier custom response for SSO redirects
- Add feature flag (RedirectOnSsoRequired) for gradual rollout
- Register validators and queries in dependency injection
- Create RequestValidationConstants to reduce magic strings
- Add comprehensive test coverage for validation logic
- Update BaseRequestValidator to consume SsoRequestValidator

src/Core/Auth/Sso/IUserSsoOrganizationIdentifierQuery.cs

@@ -0,0 +1,23 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.Auth.Sso;
+
+/// <summary>
+/// Query to retrieve the SSO organization identifier that a user is a confirmed member of.
+/// </summary>
+public interface IUserSsoOrganizationIdentifierQuery
+{
+    /// <summary>
+    /// Retrieves the SSO organization identifier for a confirmed organization user.
+    /// If there is more than one organization a User is associated with, we return null. If there are more than one
+    /// organization there is no way to know which organization the user wishes to authenticate with.
+    /// Owners and Admins who are not subject to the SSO required policy cannot utilize this flow, since they may have
+    /// multiple organizations with different SSO configurations.
+    /// </summary>
+    /// <param name="userId">The ID of the <see cref="User"/> to retrieve the SSO organization for. _Not_ an <see cref="OrganizationUser"/>.</param>
+    /// <returns>
+    /// The organization identifier if the user is a confirmed member of an organization with SSO configured,
+    /// otherwise null
+    /// </returns>
+    Task<string?> GetSsoOrganizationIdentifierAsync(Guid userId);
+}