I can't see the rest of your code, but maybe this will help:
When the plugin fires, $modx->user will be the (anonymous) user, so you never want to use $modx->user as a variable in your code (except maybe to set it).
It's definitely not safe to authenticate anyone who has a non-empty username, so remove that code.
I think what you want to do is:
1. Authenticate the user with your SAML code based on their submitted username and password.
2. If they fail, return false.
3. If they pass, see if they're already in the database. If they are, return true.
4. If they're not in the database, put them there and then return true.
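Added example (not the poster's code) of how those four steps map onto a MODX Revolution plugin. It assumes the plugin is attached to both OnUserNotFound (fired when no account matches the submitted username) and OnWebAuthentication/OnManagerAuthentication, and that mySamlAuthenticate() is a hypothetical wrapper around your own SAML check.

```php
<?php
/* Added example, not the original poster's code. Assumes the plugin is
 * attached to OnUserNotFound and OnWebAuthentication / OnManagerAuthentication,
 * and that mySamlAuthenticate() is a hypothetical wrapper around the SAML check. */

// Hypothetical: returns true only if the identity provider accepts these credentials.
function mySamlAuthenticate($username, $password) {
    return false; // replace with the real SAML round-trip
}

switch ($modx->event->name) {

    // Steps 1, 2 and 4: MODX found no account for the submitted username.
    case 'OnUserNotFound':
        if (!mySamlAuthenticate($username, $password)) {
            return; // step 2: SAML rejected them, so hand nothing back
        }
        // Step 4: create the account and give it to the login processor.
        $newUser = $modx->newObject('modUser');
        $newUser->set('username', $username);
        $newUser->set('active', 1);
        // Random local password: only the SAML check below should ever log this user in.
        $newUser->set('password', bin2hex(random_bytes(32)));
        $profile = $modx->newObject('modUserProfile');
        $profile->set('email', $username . '@example.invalid'); // constructed placeholder
        $newUser->addOne($profile);
        if ($newUser->save()) {
            $modx->event->_output = $newUser;
        }
        break;

    // Steps 1, 2 and 3: an account exists; decide whether this login succeeds.
    case 'OnWebAuthentication':
    case 'OnManagerAuthentication':
        // Do not read $modx->user here: at this point it is still the anonymous user.
        // $user is the account MODX looked up (or the one created above).
        $name = $user->get('username');
        if (mySamlAuthenticate($name, $password)) {
            $modx->event->_output = true;  // step 3: authenticated
        } else {
            $modx->event->_output = false; // step 2: do not vouch for them
        }
        break;
}
```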