How to synchronize user accounts between service provider and Identity Provider?

In an SSO environment, though the user accounts are maintained at the IdP, some Service Providers do maintain a database having active user accounts. Now if a user is deactivated at the IdP, what is the best way to pass that information to the respective SPs who still have that user as an active user in their database?

After going through SAML-profiles documentation, I found Name Identifier Management Profile where an IdP may inform an SP regarding the termination of a particular identifier/user.

Is this the right profile which the SP and IDP should be implementing (is it easy to implement this?) or is there any other simple way to achieve this? Any suggestions are highly appreciated.
