Soft Delete Option in Keycloak User Federation

I’m using Keycloak (25.0.1) with AD integration via user federation. When a user is removed from an AD group, their entry in Keycloak’s user_entity table is deleted, along with all references.

Is there a way to implement a soft delete instead—marking users as inactive rather than deleting them entirely? If not, are there any plans to introduce this feature?

That’s not how the User Federation is supposed to work.
Think of the technical name of the interface: UserStorage. So, it’s basically an option to extend the user storage of Keycloak to an external system. The external system is leading. If the external system thinks the user should no longer be available to Keycloak, Keycloak will remove the user too.
No, there’s no “but, …”.

Hi @sunny

I think if you write a custom extension for the User Storage SPI, then it might be achievable if you modify this method: Server Developer Guide.

That’s not what the OP asked for.

The removeUser() method is called if a user is deleted via the Keycloak API. It then tries to remove the user in the underlying system and responds accordingly with true/false.
But the OP asked for the other way round: when the user is removed in the external system, it should not be deleted in Keycloak. As I already wrote, this is not intended.

Of course, you can always overwrite any code, even build your own custom Keycloak server by forking the project, and implement the behavior you want. But this is not always the best way, “just because you can”. Yes, you can overwrite the LDAP provider and try to modify the sync logic to not delete users… Well, good luck with this, happy maintaining the code across versions and a lot of hassle included!

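Added example, not code from this thread or from the Keycloak project: a minimal custom User Storage SPI provider in Java that shows the one direction removeUser() covers (Keycloak -> external system) and implements it as a soft delete on the external side. The package name, the class names, the provider id "soft-delete-demo" and the in-memory EXTERNAL_STORE are assumptions and constructed stand-ins for a real directory or database; the Keycloak interfaces (UserStorageProvider, UserLookupProvider, UserRegistrationProvider, UserStorageProviderFactory) and AbstractUserAdapter are the real SPI types.

```java
package example.keycloak; // hypothetical package name

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;
import org.keycloak.storage.user.UserRegistrationProvider;

/**
 * Hypothetical User Storage SPI provider. The "external system" is a constructed
 * in-memory table (username -> record) standing in for AD/LDAP or a database.
 * removeUser() is only invoked when the user is deleted THROUGH Keycloak (admin
 * console or admin REST API); it is never invoked when the external system drops
 * the user, which is what the reply above explains.
 */
public class SoftDeleteStorageProvider implements UserStorageProvider,
        UserLookupProvider, UserRegistrationProvider {

    /** Constructed record type for the stand-in external store. */
    static final class ExternalRecord {
        final String username;
        final String email;
        volatile boolean active = true;
        ExternalRecord(String username, String email) { this.username = username; this.email = email; }
    }

    /** Constructed stand-in for the external user store (shared across sessions). */
    static final Map<String, ExternalRecord> EXTERNAL_STORE = new ConcurrentHashMap<>();
    static { EXTERNAL_STORE.put("alice", new ExternalRecord("alice", "alice@example.test")); }

    private final KeycloakSession session;
    private final ComponentModel model;

    public SoftDeleteStorageProvider(KeycloakSession session, ComponentModel model) {
        this.session = session;
        this.model = model;
    }

    /** Wrap an external record as a read-only UserModel; the federated id is derived from the username. */
    private UserModel adapt(RealmModel realm, ExternalRecord rec) {
        return new AbstractUserAdapter(session, realm, model) {
            @Override public String getUsername() { return rec.username; }
            @Override public String getEmail() { return rec.email; }
            @Override public boolean isEnabled() { return rec.active; }
        };
    }

    /** Inactive (soft-deleted) records are invisible to Keycloak, so that user can no longer log in. */
    private UserModel lookupActive(RealmModel realm, String username) {
        ExternalRecord rec = EXTERNAL_STORE.get(username);
        return (rec == null || !rec.active) ? null : adapt(realm, rec);
    }

    @Override
    public UserModel getUserById(RealmModel realm, String id) {
        // Federated ids look like "f:<component-id>:<external-id>"; the external id here is the username.
        return lookupActive(realm, StorageId.externalId(id));
    }

    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        return lookupActive(realm, username);
    }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        return EXTERNAL_STORE.values().stream()
                .filter(r -> r.active && email.equalsIgnoreCase(r.email))
                .findFirst().map(r -> adapt(realm, r)).orElse(null);
    }

    @Override
    public UserModel addUser(RealmModel realm, String username) {
        ExternalRecord rec = new ExternalRecord(username, null);
        return EXTERNAL_STORE.putIfAbsent(username, rec) == null ? adapt(realm, rec) : null;
    }

    /** Keycloak -> external: soft-delete by flagging the record inactive instead of deleting it. */
    @Override
    public boolean removeUser(RealmModel realm, UserModel user) {
        ExternalRecord rec = EXTERNAL_STORE.get(StorageId.externalId(user.getId()));
        if (rec == null) return false; // nothing to deactivate: report failure to Keycloak
        rec.active = false;
        return true;
    }

    @Override
    public void close() { }

    /** Factory; register its binary name in META-INF/services/org.keycloak.storage.UserStorageProviderFactory. */
    public static class Factory implements UserStorageProviderFactory<SoftDeleteStorageProvider> {
        @Override public SoftDeleteStorageProvider create(KeycloakSession session, ComponentModel m) {
            return new SoftDeleteStorageProvider(session, m);
        }
        @Override public String getId() { return "soft-delete-demo"; }
    }
}
```

Package this as a JAR with the services file, drop it into the server's providers/ directory, run a build, and add the provider under User federation in the admin console. Deleting a federated user through Keycloak then marks the external record inactive and the next lookup returns null, so the account disappears from Keycloak while the external data survives. Note what this does not do: a user removed from AD is detected by the LDAP provider's own sync code and deleted by it, so the OP's requirement cannot be met by a removeUser() override at all, only by changing (and maintaining) that sync logic as the reply warns.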