Hi Bront,

As you've found, when a user successfully authenticates using an external authentication provider (which includes LDAP and any of the Single Sign On providers), the server creates a new user account if one doesn't already exist for that user. A successful authentication doesn't grant any special permissions; that user receives only the permissions assigned to the Site Users group. Our general recommendation is to limit the permissions you assign Site Users.

At the moment, there's no way to turn off the "auto-create user account" behavior. It wouldn't be difficult to add such an option, but it would be helpful to discuss the use case and concerns; I don't think anyone else has asked for this.

Adam