[keycloak-user] Use case of Deprovisioning a user in Federated IDP

Kamal Jagadevan j.kamal at ymail.com
Tue Jul 14 10:46:25 EDT 2015

Hi Bill,
  Thanks for the quick response. I meant the federated user to be as an user from External IDP.
There are two scenarios in our application which we plan to address using Keycloak

a) A user who interactively logs into the web client
b) A background process that acts on behalf of the user in (a)

In case (a), every time the user logs into the system, he/she will be authenticated by the external IDP. But in case (b), because it is a background process, the user logs in with his credentials only once and then uses the refresh token (which has a very long time to live or never expires); in this scenario, after the initial authentication there is no other interaction with the external IDP.

There could be situations where the user in the external IDP is fired/removed, hence Keycloak might have to know whether the user is still valid before allowing the tokens to be refreshed. Just wondering if this is handled by any means before reissuing the refresh token?

In our current implementation, the SCIM protocol was used for this purpose: to listen for any DELETE USER operations at the external IDP end and update the status of the user at the SP end. So during token validation, this user status is verified.

Please let me know if there is any similar plan in Keycloak too.



What do you mean by federated user?  We have the concept of federating between IDPs, where Keycloak is the child and an external IDP is the parent.  In this case, we do not check the status of the external user at all.  I'm not currently aware of any standard we can use to do this.
From: Kamal Jagadevan <j.kamal at ymail.com>
To: Keycloak-user <keycloak-user at lists.jboss.org>
Sent: Monday, July 13, 2015 5:39 PM
Subject: Use case of Deprovisioning a user in Federated IDP
Hello,  I would like to know how de-provisioning of a user in the Federated IDP case is being handled in Keycloak. How frequently does Keycloak validate the federated user status before reissuing a new access token to the already authenticated user? Are there plans to support SCIM (System for Cross-domain Identity Management) in the Keycloak roadmap?
Following is our use case
1. There are a few processes that will be authenticated with the Federated IDP using SAML just after user (A) registration is complete (one-time manual login).
2. Subsequently the SP will issue the token pair to these processes to use as long as the refresh token lifetime is valid.
3. Within this refresh token lifetime (if it is too long), and in the case user (A) is de-provisioned/removed, how would the SP be aware that it should block this token renewal?

Please share your thoughts.
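The SCIM-listener plus status-check approach described in this thread, as an added Python sketch (not Keycloak code and not from either poster); the SCIM path prefix, the in-memory store and the refresh-token fields are assumptions, with constructed sample data in the test:

```python
"""SCIM-driven deprovisioning check for refresh-token grants (illustrative sketch)."""
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory user store standing in for the SP's user database.
@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # user id -> {"active": bool}

    def add(self, user_id: str) -> None:
        self.users[user_id] = {"active": True}

# Assumed SCIM base path; real deployments pick their own.
SCIM_USER_PATH = re.compile(r"^/scim/v2/Users/([^/]+)$")

def handle_scim_request(method: str, path: str, store: UserStore) -> int:
    """Minimal SCIM listener: DELETE /Users/{id} marks the user deprovisioned.
    Returns the HTTP status the SP would answer with (204, 404 or 405)."""
    match = SCIM_USER_PATH.match(path)
    if not match:
        return 404
    if method != "DELETE":
        return 405
    user = store.users.get(match.group(1))
    if user is None or not user["active"]:
        return 404
    # Keep the record rather than dropping it, so outstanding tokens
    # can still be matched to a known-deprovisioned subject.
    user["active"] = False
    return 204

class RefreshRejected(Exception):
    pass

def refresh_access_token(refresh_token: dict, store: UserStore,
                         now: Optional[float] = None) -> dict:
    """Refresh grant: an unexpired refresh token is still refused when
    the subject was deprovisioned via SCIM since it was issued."""
    now = time.time() if now is None else now
    if refresh_token["exp"] <= now:
        raise RefreshRejected("refresh token expired")
    user = store.users.get(refresh_token["sub"])
    if user is None or not user["active"]:
        raise RefreshRejected("user deprovisioned at the IDP")
    return {"sub": refresh_token["sub"], "exp": now + 300}  # short-lived access token
```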
