When a user authenticates through SAML for the first time and no matching user record exists in Metric Insights, the platform creates that record automatically. A new user created in this way is a Regular User and is automatically:
- Added to the Default Group, and
- Assigned an empty Favorite Folder named My Favorites.
This applies only to the initial creation of the user record. It does not apply to users provisioned through another method, such as LDAP or Active Directory sync. Those users keep the type, group membership, and defaults established by the sync process.
Key Variables
| Variable | Purpose | Default |
|---|---|---|
| SAML_AUTOCREATE_USERS | Controls whether a user record is created automatically on first SAML login. If disabled, SAML login fails for any user that does not already exist in Metric Insights. | Enabled |
| SAML_AUTOCREATE_USERTYPE | The user type assigned to auto-created users. | R |
SAML_AUTOCREATE_USERTYPE accepts three values:
- R: Regular User (default)
- P: Power User
- A: Admin
NOTE: If the identity provider passes a user type in the SAML assertion (via SAML_USER_TYPE_FIELD), that value takes precedence over SAML_AUTOCREATE_USERTYPE. If the assertion includes group information (via SAML_GROUP_FIELD), the user is placed into the matching MI groups instead of the Default Group.
Should You Enable Autocreate?
The correct setting for SAML_AUTOCREATE_USERS depends on where access to Metric Insights is controlled: on the user/group provisioning side, or on the SSO side.
Option 1: Provision Users and Groups Before They Log In (Recommended)
If users and their group memberships are preloaded through LDAP/Active Directory sync, O365 sync, or SCIM, then Single Sign-on handles authentication only, and the directory sync controls who exists and what they can see.
In this model, leave SAML_AUTOCREATE_USERS disabled. Reasons:
- Predictable, correct access from the first login. Because the user and their groups already exist, the user lands with the right content access immediately.
- No conflicting or duplicate records. With autocreate enabled, a first-time login can create a user from the SAML assertion, and a subsequent directory sync then has to reconcile or may collide with that record. Disabling autocreate keeps the directory as the single source of truth.
- No incorrect access window. With autocreate enabled, a new user is placed into the Default Group until a sync reassigns them. Their group membership and attributes (name, email, type) are then overwritten by the directory on the next sync, so access can visibly change shortly after the first login.
The recommended best practice: disable SAML_AUTOCREATE_USERS when using LDAP (or any directory sync) for user/group provisioning.
Option 2: Provision Users Through the SSO Login (Just-in-Time)
If maintaining a separate sync is not required and users should instead be created on demand as they first log in, enable SAML_AUTOCREATE_USERS, but note the following trade-offs:
- Slower, weaker initial experience. A just-created user starts in the Default Group with an empty My Favorites folder. Until real group assignments and content access are applied, the first session can feel empty or restrictive.
- Group assignment depends on what the IdP sends. If the SAML assertion includes group claims (SAML_GROUP_FIELD), Metric Insights can place users into the correct groups at login and re-evaluate that membership on every subsequent login (Just-in-Time group sync). Note that this placement takes time, particularly when a user belongs to many groups or those groups have access to different sets of content, so the first session may feel incomplete or restricted even when group claims are present. If the assertion includes no group claims, every new user defaults to the Default Group and an administrator has to sort out access afterward.
- Access control moves to the Single Sign-on/IdP side. Group claims, attribute mapping, and de-provisioning all become the identity provider's responsibility rather than Metric Insights' sync.
Quick Guidance
| Provisioning Approach | SAML_AUTOCREATE_USERS |
|---|---|
| LDAP / Active Directory / O365 sync or SCIM preloads users and groups | Disabled |
| Users created on first SSO login, with group claims sent in the SAML assertion | Enabled |
| Users created on first SSO login, no group claims sent | Enabled, but expect Default-Group-only access until an admin intervenes |
If the model that fits best is unclear, identify whether a directory sync is run, whether the IdP can send group claims, and where access control should be owned. That answer drives the setting.
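The guidance above expressed as a configuration check, as an added example that is not Metric Insights code. The variable names and the R/P/A values come from this page; the dict representation of the settings and the `directory_sync` flag are assumptions made for illustration.

```python
# Added example. Variable names and R/P/A values are from the page; the dict
# representation and the directory_sync flag are assumptions for illustration.
VALID_TYPES = {"R": "Regular User", "P": "Power User", "A": "Admin"}


def audit_saml_autocreate(settings, directory_sync):
    """Return (severity, message) findings for a set of SAML variables.

    settings: dict, assumed form: SAML_AUTOCREATE_USERS as bool, others as str.
    directory_sync: True if LDAP/AD, O365 sync or SCIM preloads users and groups.
    """
    findings = []
    autocreate = settings.get("SAML_AUTOCREATE_USERS", True)  # default: Enabled
    usertype = settings.get("SAML_AUTOCREATE_USERTYPE", "R")  # default: R
    if usertype not in VALID_TYPES:
        findings.append(("error", f"SAML_AUTOCREATE_USERTYPE={usertype!r} is not R, P or A"))
    if not autocreate:
        if not directory_sync:
            findings.append(("info", "autocreate disabled: SAML login fails for "
                             "any user without an existing record"))
        return findings  # the checks below only matter when records are auto-created
    if directory_sync:
        findings.append(("warn", "autocreate enabled alongside a directory sync: "
                         "first login can create a record the sync must reconcile, "
                         "and the user sits in the Default Group until then"))
    if usertype in ("P", "A"):
        override = ("unless the assertion supplies a type"
                    if settings.get("SAML_USER_TYPE_FIELD")
                    else "and no SAML_USER_TYPE_FIELD is set to override it")
        findings.append(("warn", f"auto-created users become {VALID_TYPES[usertype]} {override}"))
    if not settings.get("SAML_GROUP_FIELD"):
        findings.append(("info", "no SAML_GROUP_FIELD: new users get "
                         "Default-Group-only access until an admin intervenes"))
    return findings


if __name__ == "__main__":
    # Constructed sample: defaults left in place while an LDAP sync is running.
    for severity, message in audit_saml_autocreate({}, directory_sync=True):
        print(f"[{severity}] {message}")
```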
For further configuration of defaults applied to new users (preferences, language, notification emails, user icon, and the initial Favorite Folder name), refer to Setting Defaults for New Users.