feat(IDP): use single callback endpoint (#8295)

# Which Problems Are Solved

Both the login UI and the IdP intent flow have their own IdP callback
endpoints.

This makes configuration hard to impossible (e.g. GitHub only allows one
endpoint) for customers.

# How the Problems Are Solved

- The login UI prefixes the `state` parameter when creating an auth /
  SAML request.
- All requests now use the `/idp/callback` or the corresponding
  variation (e.g. SAML).
- On callback, the state, resp. its prefix, is checked. In case of the
  login UI prefix, the request will be forwarded to the existing login UI
  handler without the prefix state.
  Existing setups will therefore not be affected and also requests started
  before this release can be handled without any impact.
- Console only lists the "new" endpoint(s). Any
  `/login/externalidp/callback` is removed.

# Additional Changes

- Cleaned up some images from the IdP documentation.
- Fix the error handling in `handleExternalNotFoundOptionCheck`.

# Additional Context

- closes #8236
Author: Livio Spring
Date: 2024-07-16 15:58:22 +02:00
committed by GitHub
parent 19561a092c
commit e126ccc9aa
24 changed files with 81 additions and 66 deletions
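The state-prefix dispatch the description outlines, as an added Go example that is not ZITADEL's own code: the prefix value, the `Dispatcher` type and its in-memory pending-request map are assumptions. It also keeps the check a shared callback still needs: the state must match a pending request of the flow it was routed to and is consumed on first use, so a forged, replayed or cross-flow state is rejected instead of forwarded.

```go
package main

import (
	"errors"
	"strings"
)

// Flow names the handler a callback is forwarded to.
type Flow string

const (
	FlowLoginUI Flow = "login-ui"
	FlowIntent  Flow = "idp-intent"
	// Assumed marker; the real prefix ZITADEL's login UI puts on the state is not on this page.
	loginUIStatePrefix = "loginui-"
)

var ErrUnknownState = errors.New("state matches no pending request of this flow")

// Dispatcher stands in for the pending auth/SAML requests of both flows,
// keyed by request id (in-memory map, constructed for this example).
type Dispatcher struct{ pending map[string]Flow }

func NewDispatcher() *Dispatcher { return &Dispatcher{pending: map[string]Flow{}} }

// Issue records a pending request and returns the state sent to the IdP:
// prefixed for the login UI, unchanged for the intent flow.
func (d *Dispatcher) Issue(flow Flow, id string) string {
	d.pending[id] = flow
	if flow == FlowLoginUI {
		return loginUIStatePrefix + id
	}
	return id
}

// Callback is the single /idp/callback entry point: it routes by prefix, hands
// the login UI handler the state without the prefix, and rejects a state that
// matches no pending request of the routed flow (forged, replayed or cross-flow).
func (d *Dispatcher) Callback(state string) (Flow, string, error) {
	flow, id := FlowIntent, state
	if stripped, ok := strings.CutPrefix(state, loginUIStatePrefix); ok {
		flow, id = FlowLoginUI, stripped
	}
	if d.pending[id] != flow {
		return flow, "", ErrUnknownState
	}
	delete(d.pending, id) // single use: a replayed callback is rejected
	return flow, id, nil
}
```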


@@ -72,7 +72,7 @@ Now we configure the identity provider on ZITADEL.
After you created the SAML provider in ZITADEL, you can copy the URLs you need to configure in your Entra ID application.
![Azure SAML App URLs](/img/guides/zitadel_azure_saml_provider_urls.png)
![Azure SAML App URLs](/img/guides/zitadel_saml_provider_urls.png)
1. Go to Microsoft Entra > Manage > Single sign-on
2. Edit the "Basic SAML Configuration"
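Review bot: the replacement screenshot `/img/guides/zitadel_saml_provider_urls.png` is a shared image (the OKTA guide in this same commit switches to it too), but the alt text still reads "Azure SAML App URLs"; consider a neutral alt text such as "ZITADEL SAML provider URLs" so the same picture is not described as Entra-specific here and OKTA-specific there. If the old `zitadel_azure_saml_provider_urls.png` is being deleted, also confirm no other page still references it.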


@@ -1,6 +1,6 @@
---
title: Configure LinkedIn as an OAuth Identity Provider in ZITADEL
sidebar_label: LinkedIn generic OIDC
sidebar_label: LinkedIn generic OAuth
id: linkedin-oauth
---
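Review bot: the sidebar label rename from "LinkedIn generic OIDC" to "LinkedIn generic OAuth" is unrelated to the callback change and is not listed under "Additional Changes" in the commit message; add it there. The new label is consistent with the title and with `id: linkedin-oauth`, so nothing else needs to change in the front matter.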
@@ -23,8 +23,8 @@ import TestSetup from './_test_setup.mdx';
2. Add your App Name, your Company Page and a Logo
3. Add "Sign In with LinkedIn using OpenID Connect" by clicking "Request access"
4. Go to the Auth Settings of the App and add the following URL to the "Authorized redirect URLs"
- `{your_domain}/ui/login/login/externalidp/callback`
- Example redirect url for the domain `https://acme.zitadel.cloud` would look like this: `https://acme.zitadel.cloud/ui/login/login/externalidp/callback`
- `{your_domain}/idps/callback`
- Example redirect url for the domain `https://acme.zitadel.cloud` would look like this: `https://acme.zitadel.cloud/idps/callback`
5. Verify the app as your company
6. In the Auth - OAuth 2.0 scopes section you should see `openid`, `profile` and `email` listed
7. Save Client ID and Primary Client Secret from the Application credentials
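Review bot: the new redirect URL in step 4, `{your_domain}/idps/callback`, does not match the endpoint named in the commit description, `/idp/callback` (singular); one of the two is wrong, and a customer who registers the wrong path at LinkedIn will get a redirect URI mismatch at login. Please verify the route that is actually served and make the description and the docs agree. Since the description says the old `/ui/login/login/externalidp/callback` handler is kept for requests started before this release, a short note on when customers may remove the old URL from "Authorized redirect URLs" would also help.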


@@ -35,7 +35,7 @@ As an alternative you can add the SAML identity provider through the API, either
After you created the SAML Provider in ZITADEL, you can copy the URLs you need to configure in your OKTA application.
![OKTA SAML App URLs](/img/guides/zitadel_okta_saml_provider_urls.png)
![OKTA SAML App URLs](/img/guides/zitadel_saml_provider_urls.png)
## OKTA Configuration
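Review bot: `/img/guides/zitadel_saml_provider_urls.png` is now a shared screenshot (the Entra ID guide in this commit uses the same file), yet the alt text here still says "OKTA SAML App URLs"; use a neutral alt text such as "ZITADEL SAML provider URLs" for the shared image. If `zitadel_okta_saml_provider_urls.png` is being deleted, confirm no other page still references it.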
