The most likely thing to happen is that a non-admin user would be created with the username
system1 and the email address that was supplied in the SSO payload. There are two things that would prevent a user being created with the username
system. The first would be the presence of the
system user on your site - usernames must be unique on the site. The second thing that would prevent it is the Discourse Site Setting for
reserved usernames. By default that list includes the username
One thing to note with the
reserved usernames setting is that you can add a wildcard to the setting, for example
system*. If you do this, a user who tries to create an SSO account with the username
system will be given a random username like
25d831d5097a3e987bec when they login with SSO.
When users first login with SSO, authentication is based off the email address, not the username. The thing to be concerned about is making sure that users are not creating accounts with unauthenticated email addresses on your SSO provider site.