...
Addresses: Deployment Issue 10; saml2int section: 5, 9.1
Provisioning and Authorization of SAML-only Users (speculative) - NOT ADDED TO SAML2INT YET
Applications that create a new user profile when a new SubjectID is received ("Just In Time", or "On the Fly" provisioning) SHOULD also rely on a separate attribute's value(s) to trigger provisioning of user access. Conversely, absence of that separate attribute, or of specific values thereof, should cause user deprovisioning (or deauthorization) to occur.
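One way an application could apply this rule, as an added example that is not part of saml2int. It assumes the assertion has already been validated, that eduPersonEntitlement is the agreed separate attribute, and that the entitlement value, `Account`, and `handle_login` are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass

SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
# Assumption: eduPersonEntitlement is the separate attribute that gates access.
TRIGGER_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
# Hypothetical entitlement value for this application (constructed).
REQUIRED_VALUES = {"https://app.example.org/entitlement/user"}


@dataclass
class Account:
    subject_id: str
    active: bool = True


def handle_login(accounts, attributes):
    """Decide provisioning from the attributes of an already-validated assertion.

    accounts:   dict mapping subject-id -> Account (stands in for the user store)
    attributes: dict mapping attribute name -> list of values
    Returns "provisioned", "authorized", "deauthorized" or "denied".
    """
    values = attributes.get(SUBJECT_ID, [])
    if len(values) != 1 or not values[0]:
        raise ValueError("exactly one subject-id value is required")
    sid = values[0]

    # A subject-id alone never grants access; the trigger attribute must carry
    # at least one of the required values.
    entitled = bool(REQUIRED_VALUES & set(attributes.get(TRIGGER_ATTR, [])))
    account = accounts.get(sid)

    if entitled:
        if account is None:
            accounts[sid] = Account(sid)  # Just In Time provisioning
            return "provisioned"
        account.active = True  # re-enable a previously deauthorized user
        return "authorized"

    # Attribute absent or lacking the required value: revoke existing access
    # and never create a profile for an unknown subject.
    if account is not None and account.active:
        account.active = False
        return "deauthorized"
    return "denied"
```

Deauthorization here only takes effect when the user next presents an assertion; users who never return keep an active account unless another process reconciles them.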
...