
Add domain-scoped SSO user ID

Custom SSO user ID lookup should not be global, as IDs from different SSO providers may clash and end up updating the wrong user. Ideally, they should be restricted by the SSO provider, or at least by the domain.

Before #99 (closed), the SSO bumping issue may not have been as obvious as it is now, but bad actors can also change any user's profile by constructing custom SSO payloads with the victim's email, if someone hosted a public cloud service like Commento did.
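An added illustration of the clash described above, not the project's own code: a global lookup keyed only by the provider-supplied SSO ID updates the first user that carries that ID, while a lookup scoped by domain updates only the user belonging to the site whose SSO provider issued it. The store layout, domain names and sample IDs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, str]  # (domain, sso_id)


@dataclass
class User:
    email: str
    name: str


def seed_store() -> Dict[Key, User]:
    """Constructed sample data: two sites use different SSO providers,
    and both providers happen to issue the ID "42" to different people."""
    return {
        ("alice-blog.example", "42"): User("alice@example.com", "Alice"),
        ("bob-forum.example", "42"): User("bob@example.com", "Bob"),
    }


def find_global(store: Dict[Key, User], sso_id: str) -> Optional[Tuple[Key, User]]:
    """Flawed lookup: ignores the domain and returns the first user with that SSO ID."""
    for key, user in store.items():
        if key[1] == sso_id:
            return key, user
    return None


def find_scoped(store: Dict[Key, User], domain: str, sso_id: str) -> Optional[Tuple[Key, User]]:
    """Corrected lookup: the SSO ID is only meaningful within the issuing domain."""
    user = store.get((domain, sso_id))
    return ((domain, sso_id), user) if user else None


def sso_login(store: Dict[Key, User], domain: str, sso_id: str,
              email: str, name: str, scoped: bool) -> Key:
    """Apply the profile carried by an SSO payload; returns the key that was written."""
    match = find_scoped(store, domain, sso_id) if scoped else find_global(store, sso_id)
    if match is None:
        store[(domain, sso_id)] = User(email, name)
        return (domain, sso_id)
    key, user = match
    user.email = email   # with the global lookup this may be another site's user
    user.name = name
    return key
```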

Edited by Dmitry Kann