I’ve managed to successfully link accounts using a rule. However, the response from the SAML provider contains sensitive information which I do not wish to store in the linked identities. It seems that the command delete user.sensitive_field does not remove the attribute before it is converted into the identities array.
Is the field you are updating a metadata field? If this is the case, you need to update the stored user, not just the user object in rules. Changing the user in rules doesn’t have an effect on the actual stored user profile.