When a third-party service wants Salesforce to provision users through a service endpoint before they access the app, the relevant feature is user provisioning on the connected app. Salesforce supports outbound provisioning patterns for connected apps so that a user can be created in the downstream application according to the app’s provisioning configuration. This is better than redirecting users into a separate registration experience because the requirement is to provision them as part of the Salesforce-controlled access path. Canvas and generic SAML alone do not provide the provisioning endpoint behavior described. The architectural value of connected-app provisioning is that it links app access and lifecycle management, allowing administrators to govern who gets created in the external service and when. This is why option C is the best answer in Salesforce terms.