Cecile,
The user must be local in the Gluu Server. The reason for this is that when the Gluu Server responds to a request for an OpenID Connect id_token, or SAML attributes, the user claims are queried via LDAP. Making dynamic queries for user claims to backend systems is risky, and performance can be terrible. For this reason, we chose to make sure the user claims are always pre-cached.
The interface for authentication is defined here:
http://www.gluu.org/docs/admin-guide/interception-scripts/authentication/
Interception scripts are now moved to one place under oxTrust configuration.
There are a few sample interception scripts in Github:
https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations
We need better documentation that goes over how to write custom authentication scripts. We normally recommend working with a Gluu integration partner who has some experience writing these things.
With regard to the question of "does a person need to be there?", the answer is no. There is a good example of dynamic enrollment in the Gluu Server in the SAML script:
https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/saml/SamlExternalAuthenticator.py#L202
Good luck, and let us know when you run into roadblocks.
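The following is an added illustration, not code from the post above or from the Gluu project, of the two points the reply makes: a custom authentication script implements the PersonAuthenticationType interface linked above, and a user who is not yet local can be enrolled into the Gluu Server's LDAP during authentication so that later id_token or SAML claim lookups are served from the local store. The package names (org.xdi.*), the UserService/AuthenticationService helper calls, the script property name enroll_user and the request parameter ext_uid are assumptions for the oxAuth of that era; check them against the linked interface page and the SAML script for your version.

```jython
# Added example (not the post's or Gluu's code). Jython script implementing the
# PersonAuthenticationType interface with a dynamic-enrollment step modelled on
# the SAML script linked above. Imports and helper calls are assumed for
# oxAuth 2.x/3.x; the property "enroll_user" and parameter "ext_uid" are made up.
from org.xdi.model.custom.script.type.auth import PersonAuthenticationType
from org.xdi.oxauth.service import UserService, AuthenticationService
from org.xdi.oxauth.model.common import User
from org.xdi.service.cdi.util import CdiUtil
from org.xdi.util import StringHelper


class PersonAuthentication(PersonAuthenticationType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        # Script property configured in oxTrust (assumed name): whether a person
        # with no local entry may be created on first successful authentication.
        self.enrollEnabled = False
        if configurationAttributes.containsKey("enroll_user"):
            value = configurationAttributes.get("enroll_user").getValue2()
            self.enrollEnabled = StringHelper.toBoolean(value, False)
        return True

    def destroy(self, configurationAttributes):
        return True

    def getApiVersion(self):
        return 1

    def isValidAuthenticationMethod(self, usageType, configurationAttributes):
        return True

    def getAlternativeAuthenticationMethod(self, usageType, configurationAttributes):
        return None

    def authenticate(self, configurationAttributes, requestParameters, step):
        if step != 1:
            return False
        # Assumption: an earlier hop (e.g. an external IdP) verified the person
        # and the verified identifier is posted back as request parameter ext_uid.
        extUid = self.firstParam(requestParameters, "ext_uid")
        if StringHelper.isEmpty(extUid):
            return False

        userService = CdiUtil.bean(UserService)
        authenticationService = CdiUtil.bean(AuthenticationService)

        user = userService.getUser(extUid)
        if user is None:
            if not self.enrollEnabled:
                # No local entry and enrollment is off: fail closed, so claim
                # lookups never depend on a remote backend being queried later.
                return False
            # Dynamic enrollment: create the local LDAP entry now, so that the
            # id_token / SAML attribute queries are answered from the local store.
            newUser = User()
            newUser.setAttribute("uid", extUid)
            newUser.setAttribute("oxExternalUid", "ext:" + extUid)
            user = userService.addUser(newUser, True)

        # Bind the session to the (now local) user entry.
        return authenticationService.authenticate(user.getUserId())

    def prepareForStep(self, configurationAttributes, requestParameters, step):
        return True

    def getExtraParametersForStep(self, configurationAttributes, step):
        return None

    def getCountAuthenticationSteps(self, configurationAttributes):
        return 1

    def getPageForStep(self, configurationAttributes, step):
        # Empty string selects the default login page for step 1.
        return ""

    def logout(self, configurationAttributes, requestParameters):
        return True

    def firstParam(self, requestParameters, name):
        # requestParameters is a Map<String, String[]>; return the first value or None.
        values = requestParameters.get(name)
        if values is None or len(values) == 0:
            return None
        return values[0]
```

To try it, register the script under the oxTrust interception-script configuration mentioned above, add the enroll_user property (true/false), and drive it with a client whose acr_values selects this script; with enrollment disabled, an unknown identifier is rejected rather than looked up remotely, which is the behaviour the reply argues for.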