[T703] SSO via Keycloak (IdP + broker); SAML via Quarkus OIDC adapter #87

@Pratiyush

Task: T703
Phase: 7
Scope: backend
Type: feat
Estimate: m

Summary

SSO via Keycloak (IdP + broker); SAML via Quarkus OIDC adapter

Acceptance

  • Implementation complete per tasks.md row T703
  • Unit + integration tests added/updated where applicable
  • All CI checks green (backend, webapp, e2e, lint, link-checker, codeql)
  • Pre-merge checklist in PR template fully ticked
  • Commits GPG-signed by Pratiyush only (no AI co-author trailers)

References

  • Tracker row: tasks.md → T703
  • Steering: .kiro/steering/
  • Phase plan: approved plan at ~/.claude/plans/glowing-rolling-pie.md

Docs

This ticket falls under CLAUDE.md rule #10 ("every ticket ships its docs"). Before the PR is mergeable, the author ticks each doc surface that applies and either updates the matching page or explicitly strikes a non-applicable surface through (~~...~~ with a one-line reason).

  • Product (docs/product/) — walkthrough + light/dark screenshots if the change is user-visible
  • Architecture (docs/architecture/ + a new docs/architecture/decisions/NNN-*.md ADR for any non-trivial technical decision)
  • API (docs/api/ + regenerated docs/api/openapi.json) for new/changed endpoints, scopes, errors, rate-limits, or versioning rules
  • Self-hosting (docs/self-hosting/) for env vars, compose services, Helm values, migrations, backups, or hardening
  • LLM-ingestible — regenerate docs/llms.txt + docs/llms-full.txt

If none apply, say so explicitly in the PR body and the reviewer will verify before merge.

Metadata

Assignees

No one assigned

Labels

  • est:m - Estimate ≤1d
  • post-mvp - v1.0 scope beyond first MVP (Phases 4-7)
  • scope:backend - Backend (Quarkus/Kotlin)
  • type:feat - New feature
