Single Sign On - Auto Provisioning Pros and Cons

I used to do auto-provisioning until I discovered it was a LOT easier to duplicate an account and change the name and email than to set it up from an auto-provisioned account. Now We just find an existing user that's similar to the new user and duplicate the account so the exsisting setting match fairly closely. Saves a lot of time and mistakes.

TIP: if this solved your problem, I invite you to consider marking it as a Correct Answer to help others who might also find it of use.

I definitely recommend autoprovisioning if you have any request queues that are open to anyone in your company and if someone submits a request that hasn’t before, they are automatically created as a requester license. It saves a ton of time. I’m not a fan of requester licenses so each month I had a WF report I had on auto send to myself if anyone in last month created from this and I’d bulk edit their license to be reviewer.

If we had a new hire in the org/department I managed, I created them myself with other settings. The provisioning was great for ppl not in my org but needed to submit a request and become users from that point on.

That was one of the first things I tackled when I took over our instance. I'm the only admin and sorely needed that off my plate. It wasn't too hard to work with our SSO team to figure out the necessary mappings for a request license. It was such a huge relief, no more checking in while I was out of the office. Now, anyone from our company can at least log in and make a request. I still get reports to alert me when someone only has a request license, so I get a chance to see the new users. I'll switch them to a more user friendly layout template and change them to a reviewer, but having their basic user set-up has been so helpful. I can still manually create users, but our federation IDs don't follow a standard format, so I have to have access to other systems to look that up - it's much easier if they just log in, then I can fix their user ID later. The one con for me is when a current user has a name change. They'll get a new auto-provisioned account and wonder where their stuff went. That causes a bit of work to deactivate their new user ID and edit their existing one, but that doesn't happen very often for us. All in all, it was well worth it for us.

Auto-provisioning by itself is a little bit crude. As mentioned, in many ways, it's easier to clone existing users instead of having to manually alter newly created users.

That said, if you're using Fusion, auto-provisioning can help a LOT. We have Fusion apply a basic user's necessary license/group/company/custom form/etc. upon autoprovisioning. That way, the beginning of the work has been completed.

You can also create a "clone request" for new users, where you can take a newly autoprovisioned user and have another user's attributes applied to the new user. 

Plus, if you want to do a bulk import of new users, you can take Workfront's basic user import form and make it actually more fully functional. Again, that tool is rather blunt without Fusion assistance. 

Having had to create users "by hand" in my last position, auto-provisioning (with Fusion) has saved my sanity. 

I wanted to add one point to the discussion about SSO, from what I've experienced it seems like accounts created via SSO are automatically added to whatever group is alphabetically first in your groups list. It's a little crazy that you don't see to be able to specify this in the SSO setup (if I missed this, please let me know!). It sounds like most people make a group that will always appear first, like '! All requestors' or something like that. We didn't realize this until it was too late and had hundreds of users automatically added to the wrong group.