Allow user role to be set at creation for JIT user provisioning #8411

@zhumo

Description

Problem

When different groups start using Fleet, a Fleet administrator might use just-in-time (JIT) user provisioning to remove the need to manually create accounts. Currently, by default, all JIT users are observers. However, members of different groups in the administrator's organization frequently require different permission levels. In this situation, the Fleet administrator will need to change that user's permission directly or create and maintain an automation, defeating the purpose of JIT user provisioning.

Business case

Reduces the friction and hesitancy in setting up Fleet for diverse groups around the user's organization.

Measurement

  • % of Fleet instances which have submitted a JIT user with a specified role in the past t period.

Requirements

  • When the JIT user is created, allow the Fleet admin to specify one of the roles by passing in a certain attribute via SSO custom attributes.
  • Name of the attribute: "FLEET_JIT_USER_ROLE". But feel free to propose another attribute name that makes more sense.
  • Allow the user's permission to be specified for a certain team.
  • Each role that exists (currently observer, maintainer, admin) has an integer assigned to it. Feel free to propose another role id scheme.
  • Support the unbundled roles as well, as described in "Add two new roles for premium users" (#8593).
  • If not provided, set observer as default.
  • Documentation: make sure the roles and their mapping are well-documented. Make sure people understand (generally) how to set it up in their SSO provider (setting custom attributes). Maybe also include example XML.
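As an added example (not Fleet's own code), a Go function that reads the proposed FLEET_JIT_USER_ROLE attribute out of a SAML assertion, defaults to observer when the attribute is absent, and refuses unknown or multi-valued values so that a misconfigured IdP fails closed instead of granting a different role. Using role names as attribute values and the sample assertions are assumptions; the issue leaves the id scheme open.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Name of the SSO custom attribute proposed in the issue.
const RoleAttribute = "FLEET_JIT_USER_ROLE"

// Assumed allowlist of global roles; the issue leaves the exact id scheme open.
var allowedRoles = map[string]bool{"observer": true, "maintainer": true, "admin": true}

// Constructed SAML assertion fragments for demonstration (not real IdP output).
const SampleWithRole = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>u@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FLEET_JIT_USER_ROLE"><saml:AttributeValue>Maintainer</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>`
const SampleNoRole = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>u@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>`

// assertion models only the attribute part; encoding/xml matches local names, so the saml: prefix is irrelevant.
type assertion struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// RoleFromAssertion returns the attribute's value if present and allowlisted, "observer" if
// the attribute is absent, and an error otherwise (unknown role, multi-valued attribute, bad XML).
func RoleFromAssertion(assertionXML string) (string, error) {
	var a assertion
	if err := xml.Unmarshal([]byte(assertionXML), &a); err != nil {
		return "", fmt.Errorf("parse assertion: %w", err)
	}
	for _, attr := range a.Attributes {
		if attr.Name != RoleAttribute {
			continue
		}
		if len(attr.Values) != 1 {
			return "", fmt.Errorf("%s must have exactly one value, got %d", RoleAttribute, len(attr.Values))
		}
		role := strings.ToLower(strings.TrimSpace(attr.Values[0]))
		if !allowedRoles[role] {
			return "", fmt.Errorf("%s: unknown role %q", RoleAttribute, attr.Values[0])
		}
		return role, nil
	}
	return "observer", nil // default from the issue
}
```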

Labels

  • #g-endpoint-ops: Endpoint ops product group
  • :product: Product Design department (shows up on 🦢 Drafting board)
  • customer-ani
  • customer-ufa
  • story: A user story defining an entire feature
