docs: add enterprise identity adapter guide

[benpsnyder]

Summary

• Adds an enterprise identity adapters guide under Authentication.
• Explains where SpacetimeAuth fits relative to app-owned auth, third-party OIDC, SAML/OIDC enterprise SSO, SCIM, directory sync, and WorkOS-style hosted identity services.
• Documents the recommended boundary: keep provider-specific identity complexity in the application layer, then pass SpacetimeDB a verifiable token and module-local authorization state.
• Calls out token claim shape, reducer checks, sensitive data boundaries, and issuer/subject identity continuity during provider migrations.
• Links the new guide from the authentication overview.

Why

This is a focused documentation slice from #5004. It clarifies that SpacetimeAuth remains the easiest SpacetimeDB-native OIDC path, while enterprise SaaS applications may need a broader app-owned identity plane for customer-managed SSO, SCIM, API keys, tenant admins, and hosted identity adapters.

The guide keeps SpacetimeDB provider-neutral: Microsoft Entra ID, Google Workspace, Okta, Keycloak, Auth0, WorkOS-style services, custom SAML/OIDC adapters, and SpacetimeAuth should all normalize to stable issuer, subject, audience, actor, tenant, and authorization state before reducers trust the actor.

Validation

• git diff --check
• pnpm --dir docs typecheck
• pnpm --dir docs build

The docs build passes. It still prints the existing docusaurus-plugin-llms-txt warning for /docs/ask-ai/ask-ai, which is unrelated to this change.

Refs #5004

[cloutiertyler]

Hi @benpsnyder, thanks for your contribution to the docs. We don't accept draft PRs in our repo to keep our PRs relatively neat and manageable, so I'm going to close this for now, at least until you have a complete PR for us to review.