Hey there,
This is related to KEYCLOAK-8690 <https://issues.jboss.org/browse/KEYCLOAK-8690>. A few of us
are having some issues with regard to SSO, notably the non-update of user roles when something
is updated on the IdP side.
Basically, when we set SSO up, at first login we go through the first broker login flow,
which creates the user in the DB and gives this user all the roles he should have
depending on the mapping we created, in our case “Claim to role” mappers.
In our case, each role in Keycloak has a corresponding Azure AD group, where we manage all
of our users and where our IAM strategy sits.
Our problem begins when we update the groups on AAD. When we remove the user from a
particular group, the role in Keycloak is removed at the next login, which is expected.
But when we add this user to a new group, we expect the corresponding role to be added at
the next login, which is not the case.
For me, it is strange behaviour to allow removal but not addition.
Our workaround today – which is not sustainable in the long run – is to delete the user
prior to updating him in AAD with the new group, so that each time he goes through the first
broker login flow and gets the right roles.
The Jira mentioned above is about that, and you replied that it is not a bug and therefore
doesn't need to be fixed, which we disagree with.
Or maybe there is something in the Keycloak configuration that I've missed?
Could you expand on the rationale behind the logic?
Regards,
Mehdi Bechiri
Ops Lead
+33.6.15.03.63.73
Rue Adrien-Lachenal 20 » 1207 Genève » Switzerland
komgo.io<http://www.komgo.io/> »
LinkedIn<https://www.linkedin.com/company/komgo/> »
Twitter<https://twitter.com/iokomgo>
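Added illustration, not part of the original message and not Keycloak's code: a small Python model of the two update policies the message contrasts. `update_remove_only` reproduces the asymmetry described above (first broker login grants every mapped role; later logins only revoke roles whose group claim disappeared), and `update_reconcile` is the alternative the message asks for, where each login makes the role present exactly when its claim is. The mapper table, group names and login sequence are constructed for the example; the reconciliation policy is one possible design, not a description of how Keycloak implements its mappers.

```python
"""Model of claim-to-role synchronisation on brokered logins.

Constructed example: not Keycloak's code. Group claim values and role names are invented.
"""

# One "claim to role" mapper per entry: IdP group claim value -> realm role name.
MAPPERS = {
    "AAD-Finance": "finance",
    "AAD-Admins": "admin",
    "AAD-Auditors": "auditor",
}


def first_broker_login(groups):
    """First login: the user is created with every role whose group claim is present."""
    return {role for claim, role in MAPPERS.items() if claim in groups}


def update_remove_only(roles, groups):
    """Subsequent login as the message describes it: a role is revoked when its group
    claim is gone, but a claim that appeared since the first login grants nothing."""
    roles = set(roles)
    for claim, role in MAPPERS.items():
        if claim not in groups:
            roles.discard(role)
    return roles


def update_reconcile(roles, groups):
    """Subsequent login with full reconciliation: for each mapper, the role is present
    exactly when its claim is. Roles that no mapper manages (e.g. assigned locally by
    an admin) are left untouched."""
    roles = set(roles)
    for claim, role in MAPPERS.items():
        if claim in groups:
            roles.add(role)
        else:
            roles.discard(role)
    return roles


def simulate(update, logins):
    """Run a sequence of logins (each the set of group claims the IdP sends) through the
    first broker login and then `update`; return the role set after each login."""
    roles = first_broker_login(logins[0])
    history = [frozenset(roles)]
    for groups in logins[1:]:
        roles = update(roles, groups)
        history.append(frozenset(roles))
    return history


# Constructed scenario matching the message: the user is put into a new AAD group after
# the first login, and later removed from the original one.
LOGINS = [
    {"AAD-Finance"},                # first login: created with "finance"
    {"AAD-Finance", "AAD-Admins"},  # added to the Admins group on the IdP side
    {"AAD-Admins"},                 # removed from the Finance group
]

if __name__ == "__main__":
    for name, policy in (("remove-only", update_remove_only), ("reconcile", update_reconcile)):
        print(name, [sorted(r) for r in simulate(policy, LOGINS)])
```

Under the remove-only policy the user ends the sequence with no roles at all: "admin" was never granted because the claim appeared after the first login, and "finance" is revoked when that claim disappears. Under reconciliation the roles track the IdP groups on every login. One caveat with the reconciling variant: a role that is both managed by a mapper and assigned locally is revoked as soon as the claim disappears, so roles driven by IdP groups should be kept distinct from roles assigned by hand in the realm.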