The loginlink option for SAML not working as expected

Bug #1694175 reported by Robert Lyon
Affects: Mahara
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Ok, this is what I've found regarding the 'Allow users to link their own account' option in SAML.

One can only link their account if they are already logged in locally to Mahara, and THEN try to log in via SAML and have that login fail; then we offer to link the SAML attempt to the local one.

Which seems very bad, having a failure allowed to log in.

Which seems to also contradict the manual, which says "Allow users to link own account: Switch to “Yes” if you want to allow users to link their own internal Mahara account to the authenticated SAML account."

On successful login via SAML we never reach the loginlink code, as we are redirected away.

This is in auth/saml/index.php
See https://reviews.mahara.org/#/c/483/7

What needs to happen is to have the auth/saml/lib.php request_user_authorise() function (actually this could be for all auth methods) check for the 'loginlink' config attribute and, if it is on, we could have a $user->find_by_email() option which checks if the email exists and is only used for 1 user, and if so join the account with that user.

The manual also mentions "match their username as well as the email for example match an internal username, they can link their accounts", but the problem is we can't always control what username is sent from the IdP/LTI integration, so it would be better to just match on the email address, as that seems to be the only reliable constant when using different auth methods in a parent/child relationship.
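The following is an added illustration, not Mahara's own code, of the linking decision the description proposes: only when the 'loginlink' setting is on, and only when the asserted email belongs to exactly one local account. The names LocalUser, find_by_email, request_user_authorise and the config keys are assumptions made for this sketch, and the user table is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LocalUser:
    """Minimal stand-in for a Mahara usr row (assumed shape)."""
    username: str
    email: str
    auth_method: str                       # e.g. "internal" or "saml"
    linked_saml_id: Optional[str] = None   # NameID already bound to this account

def sample_users():
    """Constructed sample data: note that bob and bob2 share one email."""
    return [
        LocalUser("alice", "alice@example.org", "internal"),
        LocalUser("bob", "bob@example.org", "internal"),
        LocalUser("bob2", "bob@example.org", "internal"),
        LocalUser("carol", "carol@example.org", "saml", linked_saml_id="carol@idp"),
    ]

def find_by_email(users, email):
    """Return the single local user holding this email, or None when the
    email is unknown or shared by more than one account. The 'exactly one
    user' condition is the uniqueness check the bug description asks for."""
    matches = [u for u in users if u.email.lower() == email.lower()]
    return matches[0] if len(matches) == 1 else None

def request_user_authorise(users, config, saml_attrs):
    """Simplified model of the flow proposed for request_user_authorise().
    Returns (outcome, username) where outcome is one of
    'login', 'linked' or 'denied'."""
    email = saml_attrs.get("email")
    saml_id = saml_attrs.get("nameid")

    # 1. An account already bound to this SAML identity just logs in.
    for u in users:
        if u.linked_saml_id == saml_id:
            return ("login", u.username)

    # 2. Linking by email happens on a successful IdP assertion, not on a
    #    failed login, and only when the admin turned 'loginlink' on.
    if config.get("loginlink") and email:
        candidate = find_by_email(users, email)
        if candidate is not None and candidate.linked_saml_id is None:
            candidate.linked_saml_id = saml_id
            candidate.auth_method = "saml"
            return ("linked", candidate.username)

    # 3. No bound account and no unique email match: refuse.
    return ("denied", None)

if __name__ == "__main__":
    users = sample_users()
    cfg = {"loginlink": True}
    print(request_user_authorise(users, cfg, {"nameid": "alice@idp", "email": "alice@example.org"}))
    print(request_user_authorise(users, cfg, {"nameid": "bob@idp", "email": "bob@example.org"}))
    print(request_user_authorise(users, cfg, {"nameid": "carol@idp", "email": "carol@example.org"}))
```

The duplicate-email case is the one worth watching: with two internal accounts on bob@example.org the function declines to link at all rather than guess, which is the behaviour the "only used for 1 user" wording implies.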

Revision history for this message
Robert Lyon (robertl-9) wrote :

Ah, unless the existing code means the SAML auth at the IdP end is good but fails to log in to Mahara because we can't create a new user, so it offers you to link to an existing account if one exists.

Changed in mahara:
importance: Wishlist → Medium