Here's a hack you can use...
1. Find a SCIM user attribute that is not used (or [add your own attribute](https://gluu.org/docs/ce/3.1.6/user-management/scim2/#creating-your-own-attributes-extensions)), and when you add a user via SCIM, generate a GUID and write it to that attribute. Just as an example, let's say you use `transientID`.
2. Write a new custom person authentication script, let's say with Name (i.e. `acr_value`) "firstLogin".
3. After you add the user via SCIM, redirect the user's browser to the OpenID authorization endpoint with parameters, for example `acr_values=firstLogin&transientID=15948658-0352-48ea-9828-ce50c5480717`.
4. In the script, do an LDAP search to find that user, delete the value in LDAP (i.e. `15948658-0352-48ea-9828-ce50c5480717` in our example) and return True. Note: you should be able to get the extra request parameter in the script. There are a bunch of examples of authn scripts [here](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations), and see the docs for writing a custom login script.

If this works for you, maybe you should submit the script to GitHub or write a blog! That would be good karma!
I'm closing the ticket, but feel free to post more info here.
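
The one-time `transientID` flow from steps 1 to 4, sketched as an added example that is not part of the original reply and is not Gluu's code. The in-memory `directory` dict stands in for LDAP, and the endpoint URL, client ID, redirect URI and function names are assumptions; the point is the strict GUID parse before the value reaches a directory search and the delete-on-use that makes a replayed link fail.

```python
import uuid
from urllib.parse import urlencode

# Placeholder endpoint and client values (assumptions, not from the ticket).
AUTHZ_ENDPOINT = "https://idp.example.org/oxauth/restv1/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.org/callback"

# Constructed stand-in for the LDAP directory: uid -> attributes.
directory = {}

def provision_user(uid):
    """Step 1: create the user and store a fresh random GUID in transientID."""
    token = str(uuid.uuid4())
    directory[uid] = {"transientID": token}
    return token

def first_login_url(token, state, nonce):
    """Step 3: authorization request carrying the acr and the one-time value."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "acr_values": "firstLogin",
        "transientID": token,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def consume_transient_id(raw):
    """Step 4: find the user by transientID, delete the value, return the uid.

    Returns None for malformed, unknown or already-used values.
    """
    try:
        # Strict parse: only a canonical GUID may reach the directory search,
        # so filter metacharacters such as "*" or ")(" never get that far.
        token = str(uuid.UUID(raw))
    except (ValueError, AttributeError, TypeError):
        return None
    if token != raw.lower():
        return None
    for uid, attrs in directory.items():
        if attrs.get("transientID") == token:
            del attrs["transientID"]  # single use: a replayed link finds nothing
            return uid
    return None
```

In a real authentication script the loop would be the LDAP search and the `del` would be the attribute removal described in step 4.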