We create most of our users via feeds from our SIS system, and authenticate them via an external SSO linked to Active Director.  However, we do sometimes need to create batches of guest users who will not be in AD and who need to set their own passwords.

Initially we tried just creating them with another SIS integration feed and no pre-assigned password and directed them to the Canvas local login page, assuming they could just use the "Forgot Password" to set their passwords, but that does not seem to work.  They either get a message that they must use the SSO to log in, or they get an email saying that they should have been given their password by the system administrators and Instructure doesn't have access to the password.

If I set a local password through the GUI, the user can log in, but there's no option for them to change their password.

What are our options for creating users in bulk who need to set/change their own local passwords?  And what are our options for fixing these existing guest users so they can set/change their local passwords?