Despite the name "user provisioning", the SAML module initiates every login from the SP side, exchanging messages using the same RequestID and RelayState. The custom logic for the user provisioning microflow is called on every single login, not just on first-time user creation. Mendix uses it to create the user if they don't exist OR sync/update the user if they already exist (role sync, attribute updates, etc.). So it's really a "user sync on every login" microflow, not a one-time provisioning hook.
Then why do we have two separate ones? It is very simple.
Custom user provisioning: on every login, handles create/update of the User object, attribute mapping, and role assignment from SAML claims.
After sign-in logic: on every login, runs after the session is established and is mainly used for navigation, logging, and business logic that needs a live session.
I hope it is clear.