Allow new SSO logins in "deny" mode
The can_register check is actually only suitable for preventing new unverified registrations; in SSO mode, we normally trust the SSO provider to have performed the checks and to only give us users we’re supposed to let in.
Ideally, this should be a separate set of settings to allow e.g. optionally requiring confirmation on SSO logins or to configure different levels of trust per SSO provider.