If a publisher informs you of suspected misuse of their products
One of the selling points of SAML access for publishers is that when they detect unacceptable usage they can shut off access for the user in question rather than having to suspend it for your entire organisation.
They’ll know the user is one of yours, but not which one, and they may ask you to investigate the matter.
If this happens, you’ll need the publisher to tell you the following:
Federated resources
The targetedID they received for the user
An example of a date and time the user signed into the site (to the minute is OK)
Proxy resources
Several examples of dates and times (to at least the second) and the URLs where the user carried out the activity in question
Once you have this information, log a ticket with your usual OpenAthens support provider in the first instance saying you need to identify a user who has misused a resource. We’ll be in touch when we have the information you need to continue your investigation.