I think you may be missing what ROLE actually is and how it can help
Roles are defined for users as you send them a notification. it doesn’t matter if that user holds a perfectforms account or not, when you set up the notification to them, you can define the role that they are to be assigned.
You can then control the rights to the form objects based on that role for each stage of the form.
If some other person is then accessing the form they will not have a role (where you see it as ‘unspecified’) and you can then control their rights to the form by using the ALL role. Look at the ALL role as being ‘anyone else that may get to the form that we have not notified specifically’.
Whether you use the SSO gateway or not, you can control what a person can see and do on the form based on the ROLE assigned with the ALL role being the ‘anyone else’. You don’t even need to do anything on the form to present the ‘role’ to a field (although you may do that initially in testing).
if you do then want to change a users role, when the next submit is actioned, set up another notification to them (doesn’t need to send them an email or present to the dashboard) defining that new Role and as that user then accesses the form in the future they will be prompted to select which role they wish to log into the form with. Personally I would see that being used very sparingly and only to users that are fully aware of what this means as it will be very easy for someone to not understand what they are being asked and then log in as the wrong role and be onto you when they then can’t get to do the work they expect