At this time, and as you mentioned, the service does not support provisioning of users ahead of their first login for connections involving upstream identity providers.
The available workaround is that, if you can derive the permissions from the data returned by the identity provider or from an external call into your own system, you can configure a rule that performs the permission setup once per user in a dynamic way. This does come with its own considerations, but it’s what is available at this time.
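
A sketch of the workaround described above, added as an example (it is not part of the original reply and not the service's own API). The names `firstLoginRule` and `derivePermissions`, the connection name, the group-to-permission mapping and the `Map` standing in for the user store are all assumptions made for illustration.

```javascript
// Added example: hypothetical rule-style hook, not any vendor's API.
// Constructed allowlist mapping upstream IdP groups to local permissions.
const GROUP_PERMISSIONS = {
  'idp-finance': ['read:invoices', 'write:invoices'],
  'idp-support': ['read:tickets'],
};

// Only connections whose group claims are trusted to drive authorization
// (constructed name).
const TRUSTED_CONNECTIONS = new Set(['corp-saml']);

// Map identity-provider groups to permissions; unknown input yields nothing.
function derivePermissions(connection, groups) {
  if (!TRUSTED_CONNECTIONS.has(connection) || !Array.isArray(groups)) {
    return [];
  }
  const perms = new Set();
  for (const group of groups) {
    // Own-property lookup so a group named "constructor" or "__proto__"
    // cannot match something inherited from Object.prototype.
    if (Object.prototype.hasOwnProperty.call(GROUP_PERMISSIONS, group)) {
      GROUP_PERMISSIONS[group].forEach((p) => perms.add(p));
    }
  }
  return [...perms].sort();
}

// Called on every login; performs the permission setup only the first time
// a given user is seen. `store` is any object with Map-like get/set.
function firstLoginRule(user, context, store) {
  const existing = store.get(user.user_id);
  if (existing && existing.provisioned) {
    return existing.permissions;
  }
  const permissions = derivePermissions(context.connection, user.groups);
  store.set(user.user_id, { provisioned: true, permissions });
  return permissions;
}
```

Because the setup runs once per user, a later change to the user's groups at the identity provider is not picked up by this function.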