I’m not sure why you are making the requests to /users/by-external/<external_id>.json and /admin/users/sync_sso. The normal flow would be to just redirect the user to /session/sso_login with the SSO payload set as query parameters on the URL. There are details about what the sync_sso route is used for here: Sync DiscourseConnect user data with the sync_sso route.
Making a request to /users/by-external/<external_id> with an external_id that is not yet associated with a Discourse users should return a 404 (not found) error. If the external_id is associated with a Discourse user, the user should be returned.