SSO: Bi-directional provisioning and deprovisioning (remove users when removed from IdP group) #6498

@adamvialpando

Description

Is your feature request related to a problem?

SSO user provisioning today is effectively one way. Users can be added to Flagsmith via SSO, but when a user is removed from the upstream IdP (or from whatever upstream access mechanism is being used), there is no reliable, automatic way to remove or deactivate that user in Flagsmith. This request is to support upstream driven deprovisioning.

Describe the solution you'd like.

Provide a supported way for Flagsmith to:
• Detect when a user should no longer have access based on upstream state, and
• Revoke that user’s access automatically.

“Revoke access” could mean one or more of:
• Remove the user from relevant groups/roles
• Remove their org/project membership
• Deactivate/disable the user account
• Optionally delete the user (likely not the default)

Describe alternatives you've considered

The current workaround is manual offboarding in Flagsmith. That being said, the user simply won't be able to authenticate/log in anymore (the IdP rejects the login).

Additional context

• The mechanism should not be limited to “login-time sync” only.
• Default behavior should be safe and non-destructive (deactivate or revoke permissions rather than delete).
• Users may have access via multiple upstream assignments, so removal should not be overly aggressive.
• Having an audit trail of deprovision actions is important.
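As an added illustration of the behavior requested above (the detect-and-revoke solution together with the four constraints in this section), here is a reconciliation-style deprovisioning sketch. It is example code written for this issue, not Flagsmith's own implementation, and everything in it is hypothetical: the `LocalUser` shape, the IdP group snapshot format, the group names and e-mail addresses. It shows a scheduled job (not login-time sync) that compares local users with an IdP snapshot, revokes only the assignments that actually disappeared, deactivates rather than deletes by default, leaves non-SSO accounts alone, refuses to run on an incomplete snapshot, and records every action as an audit event.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class LocalUser:
    """Hypothetical Flagsmith-side user record (not Flagsmith's real model)."""
    email: str
    sso_managed: bool = True      # locally created break-glass admins are never touched
    active: bool = True
    deleted: bool = False
    assignments: set = field(default_factory=set)  # IdP groups currently granting access


@dataclass
class AuditEvent:
    at: str
    action: str      # "revoke_assignment" | "deactivate" | "delete"
    subject: str
    detail: str


def reconcile(local_users, idp_snapshot, managed_groups, delete_orphans=False):
    """Deprovision local users whose upstream grants have gone away.

    local_users:    list[LocalUser]
    idp_snapshot:   dict[group_id -> set of member e-mails], pulled by a
                    scheduled job, so it is independent of login time
    managed_groups: IdP groups that map to Flagsmith access
    delete_orphans: opt-in hard delete; the default only deactivates
    Returns the AuditEvents produced. Running it twice on the same
    snapshot produces no further events (idempotent).
    """
    # Safety: a group missing from the snapshot (IdP outage, truncated page)
    # must not be mistaken for an empty group, or everyone gets deprovisioned.
    missing = sorted(g for g in managed_groups if g not in idp_snapshot)
    if missing:
        raise RuntimeError(f"snapshot incomplete, refusing to reconcile: {missing}")

    events = []
    now = datetime.now(timezone.utc).isoformat()

    def log(action, subject, detail):
        events.append(AuditEvent(now, action, subject, detail))

    for user in local_users:
        if not user.sso_managed or user.deleted:
            continue

        upstream = {g for g in managed_groups if user.email in idp_snapshot[g]}

        # 1. Revoke only the assignments that actually disappeared upstream.
        for group in sorted(user.assignments - upstream):
            user.assignments.discard(group)
            log("revoke_assignment", user.email, f"removed from IdP group {group}")

        # 2. Another upstream assignment still grants access: keep the account.
        if upstream:
            continue

        # 3. Nothing upstream grants access any more: deactivate by default.
        if user.active:
            user.active = False
            log("deactivate", user.email, "no remaining upstream assignments")
        if delete_orphans:
            user.deleted = True
            log("delete", user.email, "delete_orphans explicitly enabled")

    return events


def build_sample():
    """Constructed sample state for the demo; not real users or groups."""
    users = [
        LocalUser("alice@example.com", assignments={"fs-admins", "fs-devs"}),
        LocalUser("bob@example.com", assignments={"fs-devs"}),
        LocalUser("carol@example.com", assignments={"fs-devs"}),
        LocalUser("root@example.com", sso_managed=False),
    ]
    snapshot = {
        "fs-admins": set(),                                      # alice lost admin
        "fs-devs": {"alice@example.com", "carol@example.com"},   # bob was removed
    }
    return users, snapshot


if __name__ == "__main__":
    users, snapshot = build_sample()
    for event in reconcile(users, snapshot, {"fs-admins", "fs-devs"}):
        print(f"{event.at} {event.action:18} {event.subject:20} {event.detail}")
```

In the sample, alice keeps her account but loses the admin assignment, bob is deactivated (not deleted) because no managed group still lists him, carol is untouched, and the local `root` account is skipped entirely. A real job would additionally map each revoked IdP group to the Flagsmith groups or roles it granted and persist the audit events somewhere tamper-evident.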
