fix: SAML and OIDC issuer (in proxied use cases) (#9638)

# Which Problems Are Solved

When using implicit flow through the session API and a login UI on a
custom domain (proxy), the tokens were signed by the API domain of the
instance, rather than the public (proxy) domain.
The SAML response had the same issue. Additionally, the saml library had
an issue and lost the issuer context. This prevented also a successful
login through the hosted login UI.

# How the Problems Are Solved

- The issuer of the SAML and Auth request is persisted to provide the
information when signing the responses and tokens.
- The SAML library is updated to the latest version.

# Additional Changes

None

# Additional Context

None

internal/command/saml_request_model.go

@@ -15,14 +15,15 @@ type SAMLRequestWriteModel struct {
 	eventstore.WriteModel
 	aggregate *eventstore.Aggregate
 
-	LoginClient   string
-	ApplicationID string
-	ACSURL        string
-	RelayState    string
-	RequestID     string
-	Binding       string
-	Issuer        string
-	Destination   string
+	LoginClient    string
+	ApplicationID  string
+	ACSURL         string
+	RelayState     string
+	RequestID      string
+	Binding        string
+	Issuer         string
+	Destination    string
+	ResponseIssuer string
 
 	SessionID        string
 	UserID           string
@@ -52,6 +53,7 @@ func (m *SAMLRequestWriteModel) Reduce() error {
 			m.Binding = e.Binding
 			m.Issuer = e.Issuer
 			m.Destination = e.Destination
+			m.ResponseIssuer = e.ResponseIssuer
 			m.SAMLRequestState = domain.SAMLRequestStateAdded
 		case *samlrequest.SessionLinkedEvent:
 			m.SessionID = e.SessionID