
    Respect User.is_active when logging in with SAML SSO.

    Review Request #67 — Created Feb. 19, 2025 and updated — Latest diff uploaded

    Information

    Review Board
    07115dc...

    When we built the SSO support, we made the assumption that all user
    management would happen on the IdP side. We've had a report of a user
    that wants to connect their IdP generally, but selectively mark users as
    active or not on the Review Board side.
    
    This change makes it so the SAML ACS and link-user views check the
    `is_active` flag. In the link-user flow, we rely on the authentication
    view/form to show the same error that someone would get if they were
    logging in with a username and password. In the ACS flow, we just
    redirect to a permission denied page.
    
    While writing tests for this, things were getting a little unwieldy, so
    I split up the SAML view tests into separate classes.
    
    Testing Done:
    - Set my user account to inactive and tried to log in with SAML. Saw
      that things worked as expected.
    - Ran unit tests.
    
    Reviewed at https://reviews.reviewboard.org/r/14331/
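
A framework-free model of the two flows the description names, added here as an illustration and not Review Board's own code. The function names, the `Outcome` values and the in-memory `User` records are assumptions; the point is that the local `is_active` check runs after the IdP has vouched for the identity and before any session or link is created.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    LOGGED_IN = "logged_in"
    NEEDS_LINK = "needs_link"                # no local account linked yet
    PERMISSION_DENIED = "permission_denied"  # ACS flow, inactive account
    LOGIN_ERROR = "login_error"              # link-user flow, form error


@dataclass
class User:  # constructed stand-in for a local account record
    username: str
    password: str  # plaintext only because this is a toy model
    is_active: bool = True
    saml_name_id: Optional[str] = None


def acs_login(name_id, users, sessions):
    """ACS flow; the SAML assertion is assumed to be validated already."""
    user = next((u for u in users if u.saml_name_id == name_id), None)
    if user is None:
        return Outcome.NEEDS_LINK
    if not user.is_active:
        # A valid assertion does not override the local flag: no session.
        return Outcome.PERMISSION_DENIED
    sessions.add(user.username)
    return Outcome.LOGGED_IN


def link_user(name_id, username, password, users, sessions):
    """Link-user flow; local credentials bind a SAML identity to an account."""
    user = next((u for u in users if u.username == username), None)
    if user is None or user.password != password or not user.is_active:
        # Same failure path as a password login; the link is not written.
        return Outcome.LOGIN_ERROR
    user.saml_name_id = name_id
    sessions.add(user.username)
    return Outcome.LOGGED_IN
```

The link-user check matters as much as the ACS one: if an inactive account could still be linked, the stored identity would be ready to use the moment the ACS check was relaxed or the account was reactivated for another reason.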