[PM-1632] Redirect on SsoRequired - return SsoOrganizationIdentifier (#6597)

feat: add SSO request validation and organization identifier lookup

- Implement SsoRequestValidator to validate SSO requirements
- Add UserSsoOrganizationIdentifierQuery to fetch organization identifiers
- Create SsoOrganizationIdentifier custom response for SSO redirects
- Add feature flag (RedirectOnSsoRequired) for gradual rollout
- Register validators and queries in dependency injection
- Create RequestValidationConstants to reduce magic strings
- Add comprehensive test coverage for validation logic
- Update BaseRequestValidator to consume SsoRequestValidator

test/Identity.Test/AutoFixture/RequestValidationFixtures.cs

@@ -44,14 +44,17 @@ internal class CustomValidatorRequestContextCustomization : ICustomization
     /// <see cref="CustomValidatorRequestContext.TwoFactorRecoveryRequested"/>, and
     /// <see cref="CustomValidatorRequestContext.SsoRequired" /> should initialize false,
     /// and are made truthy in context upon evaluation of a request. Do not allow AutoFixture to eagerly make these
-    /// truthy; that is the responsibility of the <see cref="Bit.Identity.IdentityServer.RequestValidators.BaseRequestValidator{T}" />
+    /// truthy; that is the responsibility of the <see cref="Bit.Identity.IdentityServer.RequestValidators.BaseRequestValidator{T}" />.
+    /// ValidationErrorResult and CustomResponse should also be null initially; they are hydrated during the validation process.
     /// </summary>
     public void Customize(IFixture fixture)
     {
         fixture.Customize<CustomValidatorRequestContext>(composer => composer
             .With(o => o.RememberMeRequested, false)
             .With(o => o.TwoFactorRecoveryRequested, false)
-            .With(o => o.SsoRequired, false));
+            .With(o => o.SsoRequired, false)
+            .With(o => o.ValidationErrorResult, () => null)
+            .With(o => o.CustomResponse, () => null));
     }
 }