The SAML module gives you the ability to pick a default user role to give all users when their account is created with SAML. To do something more intelligent, like use attributes in the SAML Assertion to grant specific user roles, you will need to hit the checkbox 'use custom logic for user provisioning' The following documentation (taken from the module) explains what this will do:
Checking the box will execute microflow 'CustomUserProvisioning'. In this microflow you can do additional validation before login or intelligently copy and alter assertion claims before storing them in the user.
This should let you grant user roles to a few users in the AD.
What do you mean by 'Manage Users' in the system? If what you want to accomplish is only allow a few selected users into the system, you do not want to allow the module to create users. This is a radio button on the 'User Provisioning' tab of the IdP configuration in the admin pages of the SAML module. If you do not allow the system to create users, you will need to log in to the system as an Admin and create accounts for all the users you want in the system. You will need to create accounts where the user name matches the identifying assertion provided by the SAML module. You can manage users by adding, deleting, or changing user roles from the standard account administration pages contained within the Administration module.
hope this helps!
I really like your approach. Actually I am new in the Mendix community and I will like to become and expert. I am going through the academy process right now. But I think the community can assist me and help to growth in the endeover.