feat(saml): allow disabling RequestedAuthnContext via env var

Adds SAML_DISABLE_REQUESTED_AUTHN_CONTEXT env var, passed through
    to the SAML strategy's disableRequestedAuthnContext option.
    Defaults to existing behavior (element sent). Set to true to omit
    the element when the IdP authenticates the user with a method that
    does not match (e.g. MFA, FIDO, passwordless), which would
    otherwise cause AADSTS75011 with Microsoft Entra ID.

apps/server/src/ee

@@ -1 +1 @@
-Subproject commit 4101fc427b785e2711c0f608c377d641a2e4be78
+Subproject commit fabe2729879e0543518f0c42bfdb3b403afe3c4a

apps/server/src/integrations/environment/environment.service.ts

@@ -304,4 +304,11 @@ export class EnvironmentService {
   getClickHouseUrl(): string {
     return this.configService.get<string>('CLICKHOUSE_URL');
   }
+
+  getSamlDisableRequestedAuthnContext(): boolean {
+    const disabled = this.configService
+      .get<string>('SAML_DISABLE_REQUESTED_AUTHN_CONTEXT', 'false')
+      .toLowerCase();
+    return disabled === 'true';
+  }
 }