Consider the following JAAS setup:
- sufficient SSO Login Module
- optional Default Login Module
- sufficient External Login Module
This causes each login() to reach the external login module (which is desired) but causes an IDP lookup for each login, even if the user is already synced with the repository.
Ideally the login module could pass the ExternalIdentityRef to the sync handler and to a tentative sync. The lastSyncTime should be respected in this case.
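The check described above, as an added sketch that is not the project's own code: the login module hands the identity reference to a sync handler, which contacts the IDP only when the recorded last sync time is older than an expiration window. Every type, method name and the expiration value here is a hypothetical stand-in, and the timestamps are constructed.

```java
import java.util.HashMap;
import java.util.Map;

public class TentativeSyncSketch {

    /** Hypothetical stand-in for the reference to a user at the IDP. */
    record ExternalIdentityRef(String id, String providerName) {}

    /** Hypothetical IDP client that counts how often it is contacted. */
    static class IdentityProvider {
        int lookups = 0;
        String fetchUser(ExternalIdentityRef ref) {
            lookups++;
            return ref.id();
        }
    }

    /** Hypothetical sync handler that remembers when each identity was last synced. */
    static class SyncHandler {
        private final Map<ExternalIdentityRef, Long> lastSyncTime = new HashMap<>();
        private final IdentityProvider idp;
        private final long expirationMillis; // assumed configuration value

        SyncHandler(IdentityProvider idp, long expirationMillis) {
            this.idp = idp;
            this.expirationMillis = expirationMillis;
        }

        /** Syncs only if needed; returns true when the IDP was contacted. */
        boolean tentativeSync(ExternalIdentityRef ref, long now) {
            Long last = lastSyncTime.get(ref);
            if (last != null && now - last < expirationMillis) {
                // Still fresh: no IDP lookup. Changes made at the IDP are
                // not seen until the expiration window has elapsed.
                return false;
            }
            idp.fetchUser(ref);          // full lookup and sync
            lastSyncTime.put(ref, now);  // record the new sync time
            return true;
        }
    }

    public static void main(String[] args) {
        IdentityProvider idp = new IdentityProvider();
        SyncHandler handler = new SyncHandler(idp, 60_000L);
        ExternalIdentityRef ref = new ExternalIdentityRef("alice", "ldap");
        long t0 = 1_000_000L;                     // constructed timestamps
        handler.tentativeSync(ref, t0);           // first login: never synced
        handler.tentativeSync(ref, t0 + 30_000L); // inside the window
        handler.tentativeSync(ref, t0 + 90_000L); // window elapsed
        System.out.println("logins=3 idpLookups=" + idp.lookups);
    }
}
```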