Creating the user in your application before first logon.
Removing the user from your application immediately and not when their session eventually expires.
Doing those things in batch.
Querying that data at will to produce reports.
Updating a user's group membership when needed and immediately and not when you decide to do so.
And then you only need an opaque userid from me and not a fat OIDC token that knows everything about my internal structure.
> Removing the user from your application immediately and not when their session eventually expires.
This is orthogonal to OIDC, unless you're using it to transfer groups in the token (don't).
> Querying that data at will to produce reports.
How the heck is this OIDC/SAML functionality?
> Removing the user from your application immediately and not when their session eventually expires.
OIDC allows the same workflow. The app just needs to be able to validate the session from the `sid` claim.
> And then you only need an opaque userid from me and not a fat OIDC token that knows everything about my internal structure.
OIDC tokens are opaque.
These are all features of SCIM, not of SAML. SAML only communicates user metadata on login. SCIM can be used with both SAML and OIDC.
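The provisioning and deprovisioning flow discussed in this thread, as an added example that is not part of any comment: a minimal in-memory sketch of the application side of SCIM, where the IdP creates the user before first logon and a PatchOp setting `active` to false drops that user's sessions immediately. The `ScimUserStore` class, its method names, and the session table are hypothetical; only the PatchOp schema URN and the `op`/`path`/`value` fields come from RFC 7644.

```python
import uuid

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644

class ScimUserStore:
    """Hypothetical app-side store driven by SCIM requests from the IdP."""

    def __init__(self):
        self.users = {}     # opaque id -> SCIM user resource
        self.sessions = {}  # session token -> opaque user id

    def create_user(self, body):
        # POST /Users: the IdP provisions the account before any login happens.
        user_id = uuid.uuid4().hex
        self.users[user_id] = {
            "id": user_id,
            "externalId": body.get("externalId"),
            "userName": body["userName"],
            "active": body.get("active", True),
        }
        return 201, self.users[user_id]

    def login(self, user_id):
        # Only provisioned, active users get a session.
        user = self.users.get(user_id)
        if user is None or not user["active"]:
            return None
        token = uuid.uuid4().hex
        self.sessions[token] = user_id
        return token

    def patch_user(self, user_id, body):
        # PATCH /Users/{id}: only "replace" on path "active" is handled here.
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, None
        user = self.users.get(user_id)
        if user is None:
            return 404, None
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                # Some clients send the boolean as a string, so compare as text.
                user["active"] = str(op.get("value")).lower() == "true"
        if not user["active"]:
            # Deprovisioning takes effect now, not at session expiry.
            self.sessions = {t: u for t, u in self.sessions.items() if u != user_id}
        return 200, user

    def session_valid(self, token):
        return token in self.sessions
```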