Currently Discourse SSO is the SSO provider – I guess the (new) consideration would be to have Instance 1 as the SSO provider (for both Instance 1 and 2).
Essentially, keep the same SSO setup that we have now but add another Discourse instance and still have some way to limit access between Instance 1 and Instance 2.