@simon Thank you so much for clarifying my confusion! 
Thankfully, it sounds like that would work with our setup.
Is it dangerous to enable email address overrides if the email addresses are not validated by our authentication server? Would that incur the issue mentioned here:
I don’t know much about how the Discourse SSO integration works, but I wonder whether if there are problems beyond password reset issues if someone supplies an invalid email address to the site, either when first creating an account via SSO or later on.
Either way, it seems like validating email addresses upon first login and not overriding email addresses from the SSO server would be a safe way to go.
Thanks so much for your clarification.