SSO Enterprise Connections: Disable JIT

Hi!
I am running into an issue where I want the ability to turn off JIT provisioning in auth0 for SSO enterprise connections. I am able to turn auto membership off, which solves this problem for me.

However, for this to work, I need to pre-add the users to the connection and the organization so that they can be authenticated. I am not able to add users to the SSO connections, I get the error:

Connection does not support user creation through the API. It must either be a database or passwordless connection.

Is there a way to get around this?

Thanks!

Hi @nadia.zyborska

Thank you for reaching out!

Reading through your use-case, this error message would be expected, as you can only create users in Auth0 Databases or, indeed, in Passwordless Connections via the Management API using either connection=email or connection=sms.

I believe we need to establish who you want to control those users, an external IdP or Auth0 (SP in this case). With JIT provisioning out of the way, I believe there are 2 approaches you can take:

  1. Auth0 controls the users:
  • You will need to set up a Database Connection where you can create the users, which you can then enable for the Organization. This way, the source of truth for the users will be Auth0 and you have full control over the users’ identities, but they will be in a separate Database, which will not be tied to the Enterprise Connection.
  2. External IdP controls the users:
  • If you trust the external IdP to handle your users, but you want JIT to be turned off, you can set up SCIM provisioning for your Enterprise Connection. Once set up and working, the users will be added in Auth0 without them needing to first log in as with JIT provisioning. This might be a good fit for you if you have control over the IdP, as any change made to the users on the IdP side would be synced immediately in Auth0 as well.

I believe SCIM might be the answer in this case, but let me know if you have other questions on this.

Hope this helps!
Gerald
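One way to implement the first approach above (pre-provisioning users in a Database Connection and adding them to the Organization so auto-membership can stay off), as an added example that is not code from the thread or from Auth0: the script checks the target connection's strategy before calling the Management API, so an Enterprise connection is rejected up front instead of failing with the error quoted in the question. It assumes a Management API token with the `create:users` and `create:organization_members` scopes; the connection and organization ids (`con_db`, `con_saml`, `org_x`) and the `fake_send` stub are constructed so the flow runs offline.

```python
"""Pre-provision an Organization member without JIT. Added example, not from
the thread or Auth0; assumes a Management API token with create:users and
create:organization_members, and `send` is injectable to run offline."""
import json
import urllib.request

# Strategies that accept user creation via the Management API, per the error
# quoted in the thread: database ("auth0") and passwordless (email/sms).
API_CREATABLE_STRATEGIES = {"auth0", "email", "sms"}

def connection_accepts_api_users(strategy):
    """True when POST /api/v2/users can target a connection of this strategy."""
    return strategy in API_CREATABLE_STRATEGIES

def http_send(method, url, token, body=None):
    """Default transport: real Management API call, returns (status, json)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})

def preprovision_member(domain, token, connection_id, org_id, email,
                        password, send=http_send):
    """Create the user in `connection_id`, then add it as an org member. The
    strategy check rejects an Enterprise connection before the POST that would
    fail with the error quoted in the question."""
    base = f"https://{domain}/api/v2"
    _, conn = send("GET", f"{base}/connections/{connection_id}", token)
    if not connection_accepts_api_users(conn["strategy"]):
        raise ValueError(f"{conn['name']}: {conn['strategy']} connection does "
                         "not support user creation through the API")
    status, user = send("POST", f"{base}/users", token, {
        "connection": conn["name"], "email": email,
        "password": password, "email_verified": True})
    if status != 201:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    status, _ = send("POST", f"{base}/organizations/{org_id}/members", token,
                     {"members": [user["user_id"]]})
    if status != 204:
        raise RuntimeError(f"adding member failed: HTTP {status}")
    return user["user_id"]

def fake_send(method, url, token, body=None):
    """Constructed offline stub standing in for the Management API."""
    return {"con_db": (200, {"name": "Pre-Provisioned", "strategy": "auth0"}),
            "con_saml": (200, {"name": "Acme-SAML", "strategy": "samlp"}),
            "users": (201, {"user_id": "auth0|abc123"}),
            "members": (204, {})}[url.rsplit("/", 1)[-1]]
```

With the Database Connection enabled on the Organization and auto-membership switched off, a member added this way can log in while unprovisioned accounts from the IdP cannot.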
