We are managing user permissions by management API. But for a case when user has not logged in yet it’s impossible. Is there a way to emulate user login using management API to force user creation in enterprise connection?

Problem is that enterprise connections doesn’t support create user functionality. Also it’s not possible to log in by API because there is no password in that type of connections.

At this time and as you mentioned the service does not support provisioning of users ahead of their first login for connections involving upstream identity providers.

The available workaround is if you can derive the permissions from the data returned by the identity provider or from an external call into your own system, you can configure a rule that performs the permission setup once per user in a dynamic way. This does come with its own considerations, but it’s what it is available at this time.