User is able to log into CloudHealth via SSO without claiming the new domain. 

CloudHealth has implemented the following logic when claiming domains: 

When the IDP assertion comes in, 
>  CloudHealth will first check the domain of the user's email, and if that domain matches a claimed domain in any 1 tenant, we will put the user in that tenant
> If the domain has no matches in any tenant, then Cloudhealth will check the idp_id of the incoming assertion, and if that matches an idp_id in any 1 tenant, CloudHealth will put the user in that tenant.