Show SSO landing page instead of immediate redirect

The login page now shows the service name and a "Sign in with MCIAS"
button instead of immediately redirecting to MCIAS. This lets the user
know what service they are logging into before the redirect.

- GET /login renders the landing page with SSO button
- GET /sso/redirect initiates the actual SSO redirect
- Non-SSO login form still works when SSO is not configured

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/webserver/auth.go

@@ -133,8 +133,17 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/", http.StatusSeeOther)
 }
 
-// handleSSOLogin redirects the user to MCIAS for SSO login.
+// handleSSOLogin renders a landing page with a "Sign in" button that
+// initiates the SSO redirect to MCIAS.
 func (s *Server) handleSSOLogin(w http.ResponseWriter, r *http.Request) {
+	s.templates.render(w, "login", map[string]any{
+		"SSO":     true,
+		"Session": false,
+	})
+}
+
+// handleSSORedirect initiates the SSO redirect to MCIAS.
+func (s *Server) handleSSORedirect(w http.ResponseWriter, r *http.Request) {
 	if err := mcdsso.RedirectToLogin(w, r, s.ssoClient, "mcr"); err != nil {
 		log.Printf("sso: redirect to login: %v", err)
 		http.Error(w, "internal error", http.StatusInternalServerError)