when loggedInEmail is non-null but doesn't match what the identity module believes it should be. And then when the new identity can't be provisioned.
What do you mean by "And then when the new identity can't be provisioned?"
say you're supposed to be logged into shoes.com with email@example.com, where idp.com is a proper IdP. But say your cert for idp has expired and your session has too. Then there's no way to silently provision you, so now what?