Hello,
Currently, Keycloak (up to 4.8.2) does not handle the case where a user is
deleted in the federated user-store when the built-in LDAP / AD federation
provider is used.
The relevant code is located within the LDAPStorageProviderFactory:
https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9...
There is a TODO which reads:
// TODO: Remove all existing Keycloak users, which have federation links, but are not in LDAP.
// Perhaps don't check users, which were just added or updated during this sync?
I wonder what would be the right thing to do in this case.
If the federated user-store dictates the truth, then IMHO the right thing
to do would be to also delete the user that is associated with the
user-storage provider federation link in Keycloak, if the linked AD / LDAP
user was deleted.
How do you handle this situation in your systems?
Cheers,
Thomas
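The reconciliation step the TODO above describes, written out as an added example (not Keycloak code and not part of the post). It models a full sync that compares the Keycloak users carrying a federation link to one LDAP provider against the entries the directory search returned, matched on the stored LDAP_ID attribute, and reports the users whose entry is gone. It skips users imported or updated during the same sync, as the TODO suggests, and refuses to act when the directory result looks like an outage rather than a wave of deletions. The class and function names (KeycloakUser, LdapEntry, find_orphaned_users), the sample users and the provider id are all constructed for the example; Keycloak's real model classes differ.

```python
"""Reconcile Keycloak users linked to an LDAP/AD provider against the directory.

Added example, not Keycloak code: it models the step described by the TODO in
LDAPStorageProviderFactory (remove Keycloak users that carry a federation link
but no longer exist in LDAP), with the two safeguards a practitioner wants:
skip users imported or updated during this sync, and abort instead of mass-
deleting when the LDAP result looks like an outage. All class and function
names here are hypothetical; Keycloak's own model classes are different.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class KeycloakUser:
    id: str
    username: str
    federation_link: Optional[str]  # id of the user-storage provider, None for a local user
    ldap_id: Optional[str]          # stored LDAP_ID attribute (objectGUID / entryUUID), if any


@dataclass(frozen=True)
class LdapEntry:
    ldap_id: str
    username: str


class SyncAborted(Exception):
    """Raised when deleting would be unsafe; nothing is removed."""


def find_orphaned_users(
    keycloak_users: Iterable[KeycloakUser],
    ldap_entries: Iterable[LdapEntry],
    provider_id: str,
    touched_this_sync: set,
    max_delete_ratio: float = 0.5,
) -> list:
    """Return the Keycloak users linked to provider_id whose LDAP entry is gone.

    Only users whose federation link points at *this* provider are considered;
    local users and users of other providers are never candidates. A user is
    matched by the LDAP_ID attribute, not by username, so a rename in LDAP does
    not look like a deletion. Users in touched_this_sync (imported or updated
    while this sync was running) are skipped, as the TODO suggests, since their
    presence in the directory was just proven.
    """
    present = {e.ldap_id for e in ldap_entries}
    linked = [u for u in keycloak_users if u.federation_link == provider_id]
    if not linked:
        return []
    if not present:
        # An empty search result almost always means a wrong base DN, a broken
        # bind or an outage, not that every account was deleted.
        raise SyncAborted("LDAP returned no entries; refusing to delete %d linked users" % len(linked))
    orphaned = [
        u for u in linked
        if u.id not in touched_this_sync
        and u.ldap_id is not None          # cannot prove absence without an LDAP_ID to look up
        and u.ldap_id not in present
    ]
    ratio = len(orphaned) / len(linked)
    if ratio > max_delete_ratio:
        raise SyncAborted(
            "%d of %d linked users (%.0f%%) missing from LDAP; above the %.0f%% limit"
            % (len(orphaned), len(linked), ratio * 100, max_delete_ratio * 100)
        )
    return sorted(orphaned, key=lambda u: u.username)


# Constructed sample data: the LDAP search result was captured before 'carol'
# was imported on demand during the same sync, and 'bob' was deleted in AD.
LDAP_PROVIDER = "ldap-corp"
KEYCLOAK_USERS = [
    KeycloakUser("u1", "alice", LDAP_PROVIDER, "guid-1"),
    KeycloakUser("u2", "bob", LDAP_PROVIDER, "guid-2"),
    KeycloakUser("u3", "carol", LDAP_PROVIDER, "guid-3"),
    KeycloakUser("u4", "dave", None, None),                # local Keycloak account
    KeycloakUser("u5", "erin", "ldap-partner", "guid-9"),  # linked to another provider
]
LDAP_ENTRIES = [LdapEntry("guid-1", "alice")]


def demo() -> list:
    """Usernames that the sync should remove for the sample data above."""
    orphaned = find_orphaned_users(KEYCLOAK_USERS, LDAP_ENTRIES, LDAP_PROVIDER, {"u3"})
    return [u.username for u in orphaned]


if __name__ == "__main__":
    print("remove:", demo())  # remove: ['bob']
```

The ratio limit is the part worth arguing about in a real deployment: with the federated store as the source of truth, a deleted AD account should indeed take the Keycloak user with it, but a paged search that dies halfway, or a base DN typo after a config change, produces exactly the same "not in LDAP" signal for everyone, so the deletion pass should fail closed rather than empty the realm.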