    Avoid 500 error for locked users on Group SSO · 695a5a58
    James Edwards-Jones authored
    What: Redirects locked users to the SSO page instead of generic sign
    in when accessed via Group SAML.
    
    This avoids a 500 error caused by attempting to access a missing
    captcha_enabled? method that is not present in the
    OmniauthCallbacksController, and instead displays an account locked
    flash message.
    
    Changes `locked_user_redirect` to display a more accurate message
    when a user's account is locked.
    
    We also clear `session[otp_user_id]` to avoid future locked messages
    from assuming we are still trying to log in the previous user.
    
    Why: Users were getting a 500 error after incorrectly entering a 2FA
    code many times.
authenticates_with_two_factor.rb 3.66 KB