Powered by a slightly-modified wpDirAuth plugin, users with Campus IDs can log in using the SSO credentials.
This plugin uses regular WP profiles, but has an added user_meta 'wpDirAuthFlag' = 1 entry to instead authenticate against LDAP (auth.gsu.edu).
Modified the plugin to prevent new users from being created when someone from campus (but not CoL - our LDAP is "flat" - no CoL subtree), trys to log in. I instead send them to /user-not-found/ - The mod is just before the wp_create_user call, but needs to be re-written as a filter that more gracefully "fails" the log in attempt. For now, the failed logins are stored with "notcol" prefixed onto the username used to log in. This allows us to see these attempts in the admin panel (Users / Login Log).