What happens when your application quietly creates a local account every time someone logs in with Single Sign-On (SSO)?

PureCyber found a subtle but dangerous logical flaw that unwittingly turns legitimate SSO users into permanent insiders.