It seems (from our experience and one other poster in the above thread) that the behaviour when Discourse isn’t passed a full name by SSO (which is an optional field) is that it populates that field with the email address.
This seems like a bug (it should probably be left blank, or if it’s required by the settings then populated with username).
The only way to have an entire email address on the name would be a improperly configured SSO passsing the email on the username field, since User.suggest_name will remove everything after the @.
It doesn’t literally use the entire email, yes, but it does populate something potentially public with information from something that’s definitely non-public, which turns into a privacy diaster any time there’s a failure to check whether full names are supposed to be enabled/exposed.
IMO, even though I dislike this behavior, I’d suggest that simply warning about this in the SSO documentation could be more than enough of a “fix”. (Where it states that a field is optional, clarify that it doesn’t mean that the field in the database is left blank/null, but is instead populated in this way.)