Generate an authorization URL and state parameter for the specified SSO provider (SAML or OIDC), protected by PKCE and CSRF state, redirecting the user to the enterprise identity provider for authentication. References: SAML 2.0 Core §3.4, OpenID Connect Core 1.0 §3, RFC 7636 (PKCE).