Hello,
I would like to know how de-provisioning of a user in the federated IDP case is handled in Keycloak.
How frequently does Keycloak validate the federated user's status before reissuing a new access token to the already authenticated user?
Are there plans to support SCIM (System for Cross-domain Identity Management) in the Keycloak roadmap?

Following is our use case:
1. There are a few processes that will be authenticated with the federated IDP using SAML just after user (A) registration is complete (one-time login, manually).
2. Subsequently, the SP will issue the token pair to these processes to use as long as the refresh token lifetime is valid.
3. Within this refresh token lifetime (if it is too long), and in the case that user (A) is de-provisioned/removed, how would the SP be aware to block this token renewal?


Please share your thoughts.

Best
Kamal