
Deleting user with federated authentication


I am trying to use federated authentication (OAuth2 / SAML) in a web application. When federating authentication, and possibly authorization, how should I deal with the data of users who are deleted?

AFAIK there are no delete events propagated to applications from identity providers when a user is deleted.

Example: Deleting the data associated with a user when the account is deleted from the external identity provider (Google, Facebook, or some enterprise identity server).


Solution

  • Federated authentication is about being able to authenticate a user based on an external system. It is not a way of tying user accounts in your system with the federated system. This means that there is no simple way of achieving what you need. E.g., you could build some custom integration with the federated identity provider or have a job that somehow verifies periodically whether the accounts from your system still exist externally.

    In general, when using federated identity you shouldn't concern yourself with whether the account still exists in the external system. The user uses that account to log in to your system, but your system maintains its own users.
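The periodic verification job the answer mentions can be sketched as follows. This is an added example, not code from the original question or answer, and it assumes a few things: local users are keyed by the stable (issuer, subject) pair from the OIDC or SAML assertion rather than by email (emails get reassigned); the identity provider offers some per-subject lookup, represented here by a constructed in-memory directory and a hypothetical `directory_lookup` function; and deletion is a two-step process, where a subject first reported as gone is flagged, purged only after a grace period, and never touched while the provider is unreachable.

```python
"""Reconciliation job for locally stored federated users (added example).

Assumptions (not from the original post):
  - local users are matched by (issuer, subject), the stable identity
    pair from the OIDC/SAML assertion, never by email;
  - the IdP lookup returns True (subject exists), False (subject gone),
    or raises IdpUnavailable on transient failure;
  - the directory below is constructed sample data, not a real API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

GRACE_PERIOD = timedelta(days=30)


class IdpUnavailable(Exception):
    """Raised by a lookup when the IdP cannot answer (timeout, 5xx, auth error)."""


@dataclass
class LocalUser:
    issuer: str
    subject: str
    email: str
    missing_since: Optional[datetime] = None  # first time the IdP reported the subject gone
    deleted: bool = False                     # soft-delete marker; data purge is a separate step


Lookup = Callable[[str, str], bool]


def reconcile(users: List[LocalUser], lookup: Lookup, now: datetime,
              grace: timedelta = GRACE_PERIOD) -> Dict[str, List[LocalUser]]:
    """Check every active local user against the IdP and return what happened.

    confirmed: IdP still knows the subject (any earlier flag is cleared)
    flagged:   IdP reports the subject gone, grace period still running
    purged:    gone for at least `grace`; user is soft-deleted
    skipped:   IdP unreachable; no decision taken (fail safe)
    """
    report: Dict[str, List[LocalUser]] = {"confirmed": [], "flagged": [], "purged": [], "skipped": []}
    for user in users:
        if user.deleted:
            continue
        try:
            exists = lookup(user.issuer, user.subject)
        except IdpUnavailable:
            # An unreachable IdP is not evidence that the account is gone.
            report["skipped"].append(user)
            continue
        if exists:
            user.missing_since = None  # account reappeared or an earlier answer was wrong
            report["confirmed"].append(user)
        elif user.missing_since is None:
            user.missing_since = now   # first sighting of the deletion: start the clock
            report["flagged"].append(user)
        elif now - user.missing_since >= grace:
            user.deleted = True        # grace period over: soft-delete, purge data elsewhere
            report["purged"].append(user)
        else:
            report["flagged"].append(user)  # still inside the grace window
    return report


# Constructed sample directory standing in for the IdP's lookup API.
CONSTRUCTED_DIRECTORY = {
    ("https://idp.example.com", "sub-1001"): True,
    ("https://idp.example.com", "sub-1002"): False,  # deleted at the IdP
}


def directory_lookup(issuer: str, subject: str) -> bool:
    """Hypothetical IdP lookup backed by the constructed directory above."""
    if issuer == "https://down.example.net":
        raise IdpUnavailable("timeout talking to " + issuer)
    return CONSTRUCTED_DIRECTORY.get((issuer, subject), False)


def sample_users() -> List[LocalUser]:
    """Constructed local user table."""
    return [
        LocalUser("https://idp.example.com", "sub-1001", "alice@example.com"),
        LocalUser("https://idp.example.com", "sub-1002", "bob@example.com"),
        LocalUser("https://down.example.net", "sub-7", "carol@example.net"),
    ]


def run_demo():
    """Two job runs: the first flags bob, the second (after the grace period) purges him."""
    users = sample_users()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = reconcile(users, directory_lookup, t0)
    second = reconcile(users, directory_lookup, t0 + GRACE_PERIOD + timedelta(days=1))
    return first, second, users


if __name__ == "__main__":
    first, second, _ = run_demo()
    for name, rep in (("run 1", first), ("run 2", second)):
        print(name, {k: [u.email for u in v] for k, v in rep.items()})
```

The grace period and the fail-safe branch are the two details worth copying: a single negative answer from the provider (or a mis-keyed lookup) should not wipe a user's data, and an outage should never be mistaken for a deletion.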