Just to update the thread in case anyone else is interested in a similar solution, what I ended up doing was:
0. use my SSO system to auth
1. use Moodle webservices to check whether a user with the same email as in the SSO system already exists and if not, create a proper user entry in Moodle's own DB
2. redirect to a custom page I created on the moodle end passing along a nonce param
3. on the custom page, the HTTP_REFERER is checked to verify it matches the SSO system and if not, die() is called
4. the nonce is checked to ensure its valid and die() is called is not
5.
// Prohibit login if email belongs to the prohibited domain.
if ($err = email_is_not_allowed($useremail)) {
throw new moodle_exception($err, 'auth_kaltura_sso');
}
$user = $DB->get_record('user',array('email' => $useremail, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id));
complete_user_login($user);
// redirect to moodle's index page with:
header('location: https://my.moodle.index');