Allow new SSO logins in "deny" mode

The can_register check is actually only suitable for preventing new
unverified registrations; in SSO mode, we normally trust the SSO
provider have performed the checks and only gives us users we’re
supposed to let in.

Ideally, this should be a separate set of settings to allow e.g.
optionally requiring confirmation on SSO logins or to configure
different levels of trust per SSO provider.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>