As you have stated, without checking if the user got redirected to the /authorize endpoint or redirected for login whenever they access the page, you cannot detect if they login via SSO or if they just have a persisting session from a previous SSO/login.
My best advise would be to treat any logins that are not made through a redirect or calls made via the getAccessToken() function as SSO, even though this might not be ideal due to the fact that they might just have a persisting session as stated above.
If you have any other questions, feel free to leave a reply or post again on the community!