docs: document SSO auto-redirect, consent handling, and auto-signup
All checks were successful
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -256,7 +256,11 @@ Server derives an Ed25519 keypair deterministically from the JWT secret. Public
### OIDC Integration
Configured via admin API (`/api/v1/admin/oidc`). Supports any OpenID Connect provider. Features: role claim extraction (supports nested paths like `realm_access.roles`), auto-signup, configurable display name claim, constant-time token rotation via dual bootstrap tokens.
Configured via admin API (`/api/v1/admin/oidc`). Supports any OpenID Connect provider. Features: role claim extraction (supports nested paths like `realm_access.roles`), auto-signup (auto-provisions new users on first OIDC login), configurable display name claim, constant-time token rotation via dual bootstrap tokens. Supports ES384 (Logto default), ES256, and RS256 for id_token validation.
### SSO Auto-Redirect
When OIDC is configured and enabled, the login page automatically redirects to the OIDC provider with `prompt=none` for silent SSO. If the user has an active provider session, they are signed in without seeing a login form. If `consent_required` is returned (first login, scopes not yet granted), the flow retries without `prompt=none` so the user can grant consent once. If `login_required` (no provider session), falls back to the login form. Bypass auto-redirect with `/login?local`.
### OIDC Resource Server
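Review bot: the SSO Auto-Redirect paragraph enumerates only `consent_required` and `login_required` as outcomes of the `prompt=none` request, but OIDC Core 3.1.2.6 also allows the provider to return `interaction_required` or `account_selection_required`; the doc should state which branch those take (retry without `prompt=none`, or fall back to the login form) so a reader knows the page cannot end up in a redirect loop. Two further points for the same section: say explicitly that the consent retry happens at most once (the text implies it with "grant consent once", but a bounded retry is the property an operator wants stated), and note that `/login?local` is the recovery path when the provider is down or misconfigured, since auto-redirect otherwise hides the local form. The `+` line in OIDC Integration adds "auto-provisions new users on first OIDC login"; combined with auto-redirect this means any account the provider will authenticate becomes a local user, so a sentence on whether auto-signup is gated by the role claim extraction described in the same line would close the obvious question.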