
fix: add OKTA and KEYCLOAK to tenant seeding allowlist#6249

Open
QuinnClaw wants to merge 1 commit into keephq:main from QuinnClaw:fix/auth-type-tenant-seeding

Conversation

@QuinnClaw

@QuinnClaw QuinnClaw commented Apr 14, 2026

Summary

Fixes #6246

OKTA and KEYCLOAK auth types were missing from the tenant seeding allowlist in on_starting() (keep/api/config.py), causing the tenant table to remain empty on fresh database deployments. Users experienced an infinite redirect loop between /signin and /incidents after successful SSO login because no tenant row existed.

Changes

  • Added IdentityManagerTypes.KEYCLOAK.value and IdentityManagerTypes.OKTA.value to the auth type allowlist that gates try_create_single_tenant()
  • Added both types to excluded_from_default_user since users authenticate through the external IdP (consistent with OAUTH2PROXY and ONELOGIN behavior)

Root Cause

The allowlist in on_starting() only included DB, NOAUTH, OAUTH2PROXY, and ONELOGIN. OKTA and KEYCLOAK were missing despite being valid single-tenant auth types in the IdentityManagerTypes enum.

Testing

  • Verified the IdentityManagerTypes enum includes both KEYCLOAK and OKTA
  • The change is additive — no existing behavior is modified for other auth types

Note

Low Risk
Low risk, additive change to startup tenant seeding logic; main impact is ensuring fresh deployments using Okta/Keycloak create the expected tenant row and avoid redirect loops.

Overview
Ensures single-tenant seeding runs when AUTH_TYPE is keycloak or okta by adding both to the allowlist gating try_create_single_tenant().

Also excludes these auth types from default-user creation (matching oauth2proxy/onelogin behavior) since users authenticate via the external IdP.

Reviewed by Cursor Bugbot for commit 6eec7d7.

OKTA and KEYCLOAK auth types were missing from the allowlist in
on_starting(), causing the tenant table to remain empty on fresh
database deployments. This resulted in an infinite redirect loop
between /signin and /incidents after successful SSO authentication.

Also adds both types to excluded_from_default_user since users
authenticate through the external IdP.

Fixes keephq#6246
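The gate described in this PR, modelled as an added example (not Keep's own code): a constructed stand-in for the IdentityManagerTypes enum, the allowlist before and after the fix, the seeding decision on_starting() would reach for a given AUTH_TYPE, and a regression check that flags any enum member the allowlist does not cover (the class of bug this PR fixes). Enum values are assumed lowercase to match the AUTH_TYPE=keycloak/okta spelling used above; the real enum has further members and on_starting()'s internal structure is assumed.

```python
from enum import Enum


class IdentityManagerTypes(Enum):
    """Constructed stand-in for keep's enum; the real one has more members."""
    DB = "db"
    NOAUTH = "noauth"
    OAUTH2PROXY = "oauth2proxy"
    ONELOGIN = "onelogin"
    KEYCLOAK = "keycloak"
    OKTA = "okta"


# Allowlist gating try_create_single_tenant() before the fix ...
ALLOWLIST_BEFORE = {
    IdentityManagerTypes.DB.value,
    IdentityManagerTypes.NOAUTH.value,
    IdentityManagerTypes.OAUTH2PROXY.value,
    IdentityManagerTypes.ONELOGIN.value,
}
# ... and after it (the two values this PR adds).
ALLOWLIST_AFTER = ALLOWLIST_BEFORE | {
    IdentityManagerTypes.KEYCLOAK.value,
    IdentityManagerTypes.OKTA.value,
}

# Types whose users come from an external IdP: tenant is seeded, default user is not.
EXCLUDED_FROM_DEFAULT_USER = {
    IdentityManagerTypes.OAUTH2PROXY.value,
    IdentityManagerTypes.ONELOGIN.value,
    IdentityManagerTypes.KEYCLOAK.value,
    IdentityManagerTypes.OKTA.value,
}


def seeding_plan(auth_type: str, allowlist: set[str]) -> dict[str, bool]:
    """What startup seeds for AUTH_TYPE under a given allowlist (assumed model of on_starting)."""
    auth_type = auth_type.lower()
    create_tenant = auth_type in allowlist
    create_default_user = create_tenant and auth_type not in EXCLUDED_FROM_DEFAULT_USER
    return {"tenant": create_tenant, "default_user": create_default_user}


def types_missing_from_allowlist(allowlist: set[str]) -> set[str]:
    """Regression check: enum members that would silently skip tenant seeding."""
    return {t.value for t in IdentityManagerTypes if t.value not in allowlist}
```

With the pre-fix allowlist the check returns {"keycloak", "okta"}, which is exactly the gap that left the tenant table empty; after the fix it returns an empty set, and any future enum member that is not added to the allowlist would show up the same way.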
@dosubot dosubot bot added the size:XS label (This PR changes 0-9 lines, ignoring generated files.) Apr 14, 2026
@QuinnClaw
Author

I have read the CLA Document and I hereby sign the CLA

@CLAassistant

CLAassistant commented Apr 14, 2026

CLA assistant check
All committers have signed the CLA.

@dosubot dosubot bot added the Bug label (Something isn't working) Apr 14, 2026
@ahbeigi

ahbeigi commented Apr 14, 2026

Thanks for contributing @QuinnClaw. This PR seems to be a duplicate of #6247.

Development

Successfully merging this pull request may close these issues.

[🐛 Bug]: AUTH_TYPE=OKTA/KEYCLOAK/AZUREAD skips tenant seeding on fresh database → infinite redirect loop