If you are using an external auth-mechanisim, such as sasl you still have to provision the user before they can login.
In my scenario I would like to specify a default configuration, then when an external auth passes without a local configuration, one is created for the user on first login.