We are using WSO2 for authentication (SAML/SSO).

I don't know how to tell if a user is already logged in (in order to prevent concurrent logins). Other SO questions have indicated this is possible to know both with WSO2 IS Analytics and without. I would prefer to not have to run WSO2 IS Analytics as well (this is alluded to here, but never clarified. Further, I can see the IDN_AUTH_SESSION_STORE table being populated and referred to during login, but that is using SESSION_ID (which is passed by the commonAuth cookie).

So I'm looking for a direct answer to this question: during the Auth flow, how can we tell if the given user is already logged in?

Without using the analytics, querying logged in user sessions by a user is not supported out of the box in WSO2 Identity Server. Let me explain why.

When a user authenticates with the WSO2 Identity Server, a session is created. These sessions are stored as session context objects, against the commonAuthId cookie in WSO2 implementation. Information about the logged in user is inside these session objects. Therefore if we want to get the session for a particular user, we have to query all active sessions and go through all of them one by one matching the user.

As an alternative, you can write a custom data publisher module which persists session data against each user and then you can use these data to prevent concurrent logins. I have a blog post written for this exact use case.

Hope this helps.