I disagree. The quasi-standard REMOTE_USER which is supported by a lot of applications identifies a login. Don't think of it to be something like the username inside a team: think of it as something equal to email+password. Just do not ask for username+password any more when REMOTE_USER is set.
username and REMOTE_USER could be different.