@pdonias said in SAML, automatic user generation:
Hi @mrbaz, thanks for the feedback.
I'm not sure why it's an issue for you that the user account is automatically created in XO.
literally anyone who properly authenticates will be able to log in to XO
Isn't it the point? You seem to be raising a security issue here, but I'm not sure what it is. Could you clarify it?
Thanks!
For SSO and ease of setting up clients, no. Other applications I have running SSO offer me the option to enable or disable automatic user generation. Just because a user can authenticate, doesn't mean they have authorization. By only allowing automatic user generation, you break the AA scope. This means in order to safely configure the application, I have to bring additional configuration complexity to the identity management provider than necessary.
If XO had a way of pulling the user's group information and only allowing those in a certain group to have authorization to XO to have their accounts automatically generated, that would work too. Otherwise, I just do all the work on the IDP backend.
TL;DR - I can set this up securely by just adding more configuration to the IDP, but I have other hosted applications that give me the simplicity of allowing automatic user generation or not, and allowing me to manually set up user accounts on the application before their first login. What I'm asking is for more flexible options.
Security issues aside, the issue still stands that I can't put a user into a group or assign ACLs until after they have signed in for the first time. That means if I have 10 users that all sign in at 10 different times, I have to waste my time going back each time after the user has let me know they logged in and can't see anything since they don't have any permissions.
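The separation the post is asking for, written out as an added example (not Xen Orchestra code, and not how XO's SAML plugin is implemented): a decision function that treats a successful SAML authentication as necessary but not sufficient. A login is allowed if an admin pre-created the account; otherwise an account is created only when auto-provisioning is switched on and the assertion carries an allowed group, and the matched groups are copied onto the new account so ACLs exist at first login. The attribute name `memberOf`, the group names and the sample assertions are all constructed for the example.

```javascript
// Added example: gate SAML just-in-time account creation on authorization,
// not just authentication. Assumptions: the IdP puts group names in a
// multi-valued "memberOf" attribute; group names and users are made up.

// Local user store (constructed): accounts an admin created before first login.
const localUsers = new Map([
  ['alice@example.com', { groups: ['xo-admins'] }],
]);

// Policy knobs the post asks for: an on/off switch for automatic creation
// and an allow-list of IdP groups whose members may be provisioned.
const defaultPolicy = {
  autoCreateUsers: false,
  allowedGroups: ['xo-users', 'xo-admins'],
  groupAttribute: 'memberOf', // assumed attribute name in the assertion
};

// Decide what to do with an already-validated SAML assertion.
// Returns { action: 'login' | 'create' | 'deny', reason, groups }.
function authorizeSamlLogin(assertion, policy = defaultPolicy, users = localUsers) {
  const nameId = assertion.nameID;
  if (typeof nameId !== 'string' || nameId.length === 0) {
    return { action: 'deny', reason: 'missing NameID', groups: [] };
  }
  // Pre-provisioned account: authorization was granted ahead of first login.
  if (users.has(nameId)) {
    return { action: 'login', reason: 'existing account', groups: users.get(nameId).groups };
  }
  if (!policy.autoCreateUsers) {
    return { action: 'deny', reason: 'auto-provisioning disabled', groups: [] };
  }
  // Only members of an allowed IdP group may have an account created.
  const raw = assertion.attributes?.[policy.groupAttribute] ?? [];
  const groups = Array.isArray(raw) ? raw : [raw];
  const matched = groups.filter((g) => policy.allowedGroups.includes(g));
  if (matched.length === 0) {
    return { action: 'deny', reason: 'not a member of an allowed group', groups: [] };
  }
  return { action: 'create', reason: `member of ${matched.join(',')}`, groups: matched };
}

// Apply the decision: create the account with its groups already set so the
// user is not left permission-less after the first sign-in.
function handleSamlLogin(assertion, policy = defaultPolicy, users = localUsers) {
  const decision = authorizeSamlLogin(assertion, policy, users);
  if (decision.action === 'create') {
    users.set(assertion.nameID, { groups: decision.groups });
  }
  return decision;
}

// Constructed sample assertions (already signature-checked upstream).
const sampleAssertions = {
  preProvisioned: { nameID: 'alice@example.com', attributes: { memberOf: [] } },
  allowedGroup: { nameID: 'bob@example.com', attributes: { memberOf: ['staff', 'xo-users'] } },
  noGroup: { nameID: 'carol@example.com', attributes: { memberOf: ['staff'] } },
};

module.exports = { authorizeSamlLogin, handleSamlLogin, defaultPolicy, localUsers, sampleAssertions };
```

With `autoCreateUsers` left at `false`, only `alice` gets in; flipping it on lets `bob` through (and creates his account in the `xo-users` group) while `carol`, who authenticates fine but is in no allowed group, is still denied.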