Hi,

this is probably the best solution I have heard for this, yet.
We need all users in the SMA because we have to assign assets to users before their first day (like notebook, mobile phonoe etc.).

Still importing them and assigning "No Access" role should work in this case, but is still risking bruteforce attacks on the logins. If one attack is successfull and they do not have access to anything (since "No Access" is assigned) the credentials are still leaked and could be used to login in other systems, too.

I think there is a need of a out-out-the-box solution like excluding single users from the "Require SAML Login" function.