
My company runs a SaaS product; as we move into enterprise customers, we're getting more and more requests for SSO.

I understand the SAML workflow for authentication, and roughly how we'd implement it. I also get that we could allow companies to create new users via SAML, i.e. a user which is authenticated by the identity provider can be created when they hit our system.

There are a few aspects of this that my google-fu is defeating me on.

1) How do I get necessary metadata in the new-user flow? E.g. to get a user up and running in our system, we need to know what team they're on, a specific third party id, and a couple of other things. Presumably this same workflow can take care of edits to users, e.g. "this user has moved to new team Y" is handled just by team_id being changed on an authenticated request from the identity provider.

2) How do I deal with deactivation? We sell our customers N seats at a time; it's unsatisfactory to say "if I haven't seen a user in Y weeks then consider them deactivated".

3) Some of our existing customers use Azure, Ping, Okta to manage their users (and want to continue doing so). All of them can talk SAML, so for authentication we're good if we implement SAML auth. However, how would they set up their systems to require those specific fields to be supplied?

4) Finally (maybe covered already by answers to above) what's the incentive for me, an application provider, to sign up with Okta, Ping, etc?

Thanks

fridgepolice
  • Crossposted to https://stackoverflow.com/questions/54242049/saml-when-creating-new-users-how-do-i-get-essential-fields – fridgepolice Jan 17 '19 at 18:22
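The just-in-time flow sketched in question 1, as an added example that is not part of the original post: pull the provisioning attributes out of an assertion's AttributeStatement, refuse to provision when a required one is missing, and create or update the local user. The attribute names `team_id` and `third_party_id`, the `ATTRIBUTE_MAP`, and the in-memory `users` dict are assumptions; the sample assertion is constructed and unsigned, so signature, audience and validity checks are assumed to have been done by a SAML library before this code runs.

```python
"""Just-in-time provisioning from SAML assertion attributes.
Constructed example; attribute names (team_id, third_party_id) are assumed
and must be agreed with each customer's IdP. A real SP verifies the
assertion's signature, audience and validity window with a SAML library
BEFORE trusting any attribute; that step is assumed to have happened."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IdP attribute Name -> our internal field (assumed names, configured per customer).
ATTRIBUTE_MAP = {"email": "email", "team_id": "team_id", "third_party_id": "third_party_id"}
REQUIRED = ("email", "team_id", "third_party_id")

def extract_attributes(assertion_xml: str) -> dict:
    """Return {internal_field: value} from the AttributeStatement.
    Raises ValueError if a required field is absent, so a half-configured
    user is never created."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.find("saml:AttributeValue", NS)
        if name in ATTRIBUTE_MAP and value is not None and value.text:
            found[ATTRIBUTE_MAP[name]] = value.text.strip()
    missing = [f for f in REQUIRED if f not in found]
    if missing:
        raise ValueError(f"assertion missing required attributes: {missing}")
    return found

def upsert_user(users: dict, attrs: dict) -> str:
    """Create the user on first SSO login, otherwise apply changed fields
    (e.g. a new team_id). `users` is an in-memory stand-in for the user
    table, keyed by email. Returns "created" or "updated"."""
    key = attrs["email"]
    if key not in users:
        users[key] = dict(attrs, active=True)
        return "created"
    users[key].update(attrs)
    return "updated"

# Constructed sample assertion (unsigned; signature check assumed done above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="team_id"><saml:AttributeValue>team-7</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="third_party_id"><saml:AttributeValue>tp-123</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Note that nothing in this flow can answer question 2: an IdP that removes a user simply stops issuing assertions for them, so the `active` flag here can only be cleared by a separate provisioning channel from the IdP, not by SAML itself.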
