Check existing enrollment session with SSO Login

When logging in through SSO, how do I check if a user is already enrolled before allowing them access again?

Using the Backend API, specifically Managing App Users and Sessions, you can list a user's sessions. Each session object returned has an associated state. If the state is "ENROLLED", the user is already enrolled via a separate session.

If you want to limit users to a single session, you can also turn off the "Multiple devices/sessions per user" feature flag within the App Settings.