FEATURE: Add logout functionality to SSO Provider protocol (#8816)

This commit adds support for an optional "logout" parameter in the
payload of the /session/sso_provider endpoint.  If an SSO Consumer
adds a "logout=true" parameter to the encoded/signed "sso" payload,
then Discourse will treat the request as a logout request instead
of an authentication request.  The logout flow works something like
this:

 * User requests logout at SSO-Consumer site (e.g., clicks "Log me out!"
   on web browser).
 * SSO-Consumer site does whatever it does to destroy User's session on
   the SSO-Consumer site.
 * SSO-Consumer then redirects browser to the Discourse sso_provider
   endpoint, with a signed request bearing "logout=true" in addition
   to the usual nonce and the "return_sso_url".
 * Discourse destroys User's discourse session and redirects browser back
   to the "return_sso_url".
 * SSO-Consumer site does whatever it does --- notably, it cannot request
   SSO credentials from Discourse without the User being prompted to login
   again.

lib/single_sign_on.rb

@@ -16,6 +16,7 @@ class SingleSignOn
     groups
     locale
     locale_force_update
+    logout
     name
     nonce
     profile_background_url
@@ -34,6 +35,7 @@ class SingleSignOn
     admin
     avatar_force_update
     locale_force_update
+    logout
     moderator
     require_activation
     suppress_welcome_message