It was pointed out by @davidillsley that we don't point this out
anywhere in our docs.

*: update grpc and correct protobuf generation

Turns out that manually setting PATH in the Makefile doesn't work
so we've been using the protobuf plugins installed on the host. Fix
this by specifying plugins by path.

connector/ldap: support the StartTLS flow for secure connections

When connecting to an LDAP server, there are three ways to connect:

1. Insecurely through port 389 (LDAP).
2. Securely through port 696 (LDAPS).
3. Insecurely through port 389 then negotiate TLS (StartTLS).

This PR adds support for the 3rd flow, letting dex connect to the
standard LDAP port then negotiating TLS through the LDAP protocol
itself.

See a writeup here:

http://www.openldap.org/faq/data/cache/185.html

server/rotation.go: avoid displaying the "keys already rotated" error

connector/ldap: fix case where groups are listed on the user entity

*: promote SAML to stable

This means we no longer refer to it as "experimental" and wont make
breaking changes.

connector/github: add support for github enterprise.

*: add GitLab connector to README

Support schemas that determine membership by having fields on the
user entity, instead of listing users on a groups entity. E.g. the
following schema is now supported when it wasn't previously:

    cn=eric,cn=user,dn=exapmle,dn=com
    objectClass=myPerson
    cn: eric
    uid: eric
    email: eric@example.com
    memberOf: foo
    memberOf: bar

    cn=foo,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: foo

    cn=bar,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: bar

connector/ldap: add LDAP integration tests

connector/saml: clean up SAML verification logic and comments

Fix entityIssuer -> ssoIssuer typo

Validate audience with entityIssuer if present, use redirectURI otherwise

Add ssoIssuer to fix Response issuer checking

Rename issuer to entityIssuer

connector/saml: fix validation bug with multiple Assertion elements

Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.

When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.

server/server.go: make successful garbage collection log at info level

storage/static.go: correct the error message that gets displayed.

Documentation: document dex scopes, claims, and client features

server: use client connected to remove server for gRPC tests