Re: Security problem in notification links


We would need to see the actual form you are ‘testing’ with to see why you are not seeing the expected result when the SSO gateway is enabled. The ‘user-domain username’ only populates when a known PerfectForms user accesses the form; otherwise the ‘Gateway – http user’ populates. Please send that over to us at and we can have a look to see what is going on, to see if it is your form or if it is how your SSO is implemented.

I have to say, though, that if you are looking to cover a possible scenario where an email notification is forwarded to an unauthorised user, you also have to consider that this PF user could just as easily tell an unauthorised user their login credentials to the PerfectForms application as well. Even if you were to restrict your forms so that only PerfectForms users could access them (i.e. removing the WORLD permission, which is what a number of other users do where they have a requirement for higher levels of security), someone could still do that.

Perhaps a different way to approach this is to simply identify WHO (not role, but person) is accessing the form from the above properties and store this in hidden fields that the users can’t see, and then either refer to the ‘data history’ aspect, where all this information is stored for audit purposes, or set up a report where you are able to see who accessed the form, and then you/your managers can discuss any such breaches with the appropriate staff.