feat: add saml model & controller [CW-2958] (#12289)

This PR adds the foundation for account-level SAML SSO configuration in
Chatwoot Enterprise. It introduces a new `AccountSamlSettings` model and
management API that allows accounts to configure their own SAML identity
providers independently, this also includes the certificate generation
flow

The implementation includes a new controller
(`Api::V1::Accounts::SamlSettingsController`) that provides CRUD
operations for SAML configuration

The feature is properly gated behind the 'saml' feature flag and
includes administrator-only authorization via Pundit policies.

enterprise/app/controllers/api/v1/accounts/saml_settings_controller.rb

@@ -0,0 +1,48 @@
+class Api::V1::Accounts::SamlSettingsController < Api::V1::Accounts::BaseController
+  before_action :check_saml_feature_enabled
+  before_action :check_authorization
+  before_action :set_saml_settings
+
+  def show; end
+
+  def create
+    @saml_settings = Current.account.build_saml_settings(saml_settings_params)
+    @saml_settings.save!
+  end
+
+  def update
+    @saml_settings.update!(saml_settings_params)
+  end
+
+  def destroy
+    @saml_settings.destroy!
+    head :no_content
+  end
+
+  private
+
+  def set_saml_settings
+    @saml_settings = Current.account.saml_settings ||
+                     Current.account.build_saml_settings
+  end
+
+  def saml_settings_params
+    params.require(:saml_settings).permit(
+      :sso_url,
+      :certificate,
+      :idp_entity_id,
+      :sp_entity_id,
+      role_mappings: {}
+    )
+  end
+
+  def check_authorization
+    authorize(AccountSamlSettings)
+  end
+
+  def check_saml_feature_enabled
+    return if Current.account.feature_enabled?('saml')
+
+    render json: { error: I18n.t('errors.saml.feature_not_enabled') }, status: :forbidden
+  end
+end