[keycloak-user] Use case of Deprovisioning a user in Federated IDP

Bill Burke bburke at redhat.com
Mon Jul 13 18:37:59 EDT 2015

What do you mean by federated user?  We have the concept of federating 
between IDPs, where Keycloak is the child and an external IDP is teh 
parent.  In this case, we do not check the status of the external user 
at all.  I'm not currently aware of any standard we can use to do this.

On 7/13/2015 5:39 PM, Kamal Jagadevan wrote:
> Hello,
>    I would like to know how De-provisioning of user in Federated IDP
> case being handled in Keycloak.
> How frequently Keycloak validates the federated user status before
> reissuing the new access token to the already authenticated user.
> Is there plans to support SCIM (System for Cross-domain Identity
> Management) in Keycloak roadmap?
> _Following is our use case
> _
> 1. There are few processes that will be authenticated with Federated IDP
> using SAML just after *user**(A)* registration is complete (one time
> login manually).
> 2. Subsequently SP will issue the token pair to these processes to use
> as long as Refresh token lifetime is valid.
> 3. Within this refresh token lifetime (if it too long) and in the case
> *user(A)* is de-provisioned/removed, how would *_SP be aware to block
> this token renewal_*.
> Please share your thoughts.
> Best
> Kamal
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list