Using SSO through an IdP currently links an access token to the Smartsheet account. When this account gets removed or deactivated (in Smartsheet) it retains this access token. If a new account is created, or the user changes email and a new account is auto provisioned, then the authentication tries to sign the user in to the old account.
It would be helpful if the access token is removed from an account when it is deactivated or removed. That way if the account is reactivated, or the user is setup with a new account (different email) then they'll generate a new token and be able to login without any hassle.
The work around currently of having two accounts active, then performing a merge, is a bit of a hassle, especially if one account was deactivated and has gone past the 7 day expiry for reactivation.