So we just updated our setup and added another IdP to test this scenario.
The inbound SAML server rejected the authentication from the second IdP, because the email address had already been associated with an existing user.
See the following logs for reference:
2019-06-11 13:39:34,001 INFO [qtp804611486-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - An attempt to supply an email of an existing user was made. Turn on 'emailLinkingSafe' if you want to enable linking
2019-06-11 13:39:34,002 INFO [qtp804611486-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Passport. attemptAuthentication. Authentication attempt was rejected
This is at least a bit soothing for us, as it removes the possibility of confused identities once an identity has been established with our system, but it still poses the threat that a user from a third-party IdP might be quicker than the user from the actual IdP.
Is there any way to resolve this? Email suffix whitelists would probably be sufficient to get rid of this threat. E.g., add a whitelist entry for example.com to our trust relationship with IdP A to make sure that all users with `@example.com` emails originate from their IdP. If another user attempts to authenticate from IdP B with such an email, he would be rejected, because example.com is not whitelisted for his IdP.
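One way to enforce the per-IdP email suffix whitelist described in the post, as an added Python example (this is not Gluu's or Passport's code): each IdP is mapped to the domains it is authoritative for, an assertion whose email domain is claimed by a different IdP is rejected before any account lookup, and only then is the existing-user check applied, with the `emailLinkingSafe` switch from the log message deciding whether linking to an existing account is allowed. Checking domain ownership first is what closes the race the post worries about: IdP B is refused for `@example.com` even when no account with that address exists yet. The IdP identifiers, domains and the account store are constructed for the example; subdomain matching (`sub.example.com` counts as `example.com`) and the strict mode for unclaimed domains are design choices of this example, not settings of the product.

```python
# Constructed policy for this example: which e-mail domains each IdP is
# authoritative for. The IdP identifiers and domains are hypothetical.
IDP_DOMAIN_ALLOWLIST = {
    "idp-a": {"example.com"},
    "idp-b": {"partner.example"},
}

# Constructed local account store: e-mail -> IdP that originally created the account.
EXISTING_USERS = {
    "alice@example.com": "idp-a",
}


def email_domain(email):
    """Return the lower-cased domain part of an e-mail address, or None if malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.strip().rstrip(".").lower()
    if not local.strip() or not domain or "." not in domain:
        return None
    return domain


def idps_claiming_domain(domain, allowlist):
    """All IdPs whose allowlist covers `domain`, including parent domains
    (sub.example.com is covered by an entry for example.com)."""
    labels = domain.split(".")
    # Every suffix with at least two labels: a.b.c -> {a.b.c, b.c}
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return {
        idp for idp, domains in allowlist.items()
        if candidates & {d.lower() for d in domains}
    }


def evaluate_login(idp_id, email, allowlist=IDP_DOMAIN_ALLOWLIST,
                   existing_users=EXISTING_USERS, email_linking_safe=False,
                   allow_unclaimed_domains=True):
    """Decide whether an inbound SAML login from `idp_id` carrying `email` is accepted.

    Order matters: domain ownership is checked before the account store, so a
    foreign IdP cannot win the race for an address by authenticating first.
    """
    domain = email_domain(email)
    if domain is None:
        return "reject: malformed e-mail"

    owners = idps_claiming_domain(domain, allowlist)
    if owners and idp_id not in owners:
        return f"reject: domain {domain} is reserved for {', '.join(sorted(owners))}"
    if not owners and not allow_unclaimed_domains:
        return f"reject: domain {domain} is not allowlisted for any IdP"

    key = email.strip().lower()
    if key in existing_users:
        # Mirrors the behaviour in the log: linking to an existing account
        # only happens when the operator has turned emailLinkingSafe on.
        if not email_linking_safe:
            return "reject: e-mail already belongs to an existing user"
        return f"accept: link to existing user created via {existing_users[key]}"
    return "accept: new user"


if __name__ == "__main__":
    # Constructed sample logins covering the cases discussed in the post.
    for idp, addr in [("idp-a", "alice@example.com"),
                      ("idp-b", "bob@example.com"),
                      ("idp-a", "carol@example.com"),
                      ("idp-b", "dave@sub.example.com")]:
        print(f"{idp:5} {addr:22} -> {evaluate_login(idp, addr)}")
```

The rejection strings are written to be logged; a real deployment would also want the decision and the claimed domain as structured fields so that repeated rejections of one IdP for a reserved domain can be alerted on.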