I have the scenario below.
Let's say I have implemented SSO for Salesforce, and the IdP, let's say, is some .NET-based web service which implements SAML 2.
When the user tried to authenticate, he was active in the IdP as well as in the SP. He was successfully able to authenticate the Salesforce1 app using OAuth (after the SAML-based login succeeded).
However, after a few days he got deactivated in the IdP and is still active in the service provider (Salesforce).
As he is still active in Salesforce and OAuth is already set up, he can access his Salesforce1 application.
How should I check or revoke his access once he is not active in the identity provider?
Please suggest.
Attribution to: Jitendra Zaa
Possible Suggestion/Solution #1
After discussion with @metadaddy and @cmort, the only solution I found was to make a callout from the IdP to the service provider to remove the OAuth token or deactivate the user. I have also written a blog article which includes this scenario; hope it will help others. See section "Testing Scenario 4".
Attribution to: Jitendra Zaa
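One way to implement the callout the answer describes, as an added example that is not part of the original question, the answer, or any Salesforce- or IdP-provided code: when the IdP deactivates an account, its deprovisioning hook looks the Salesforce user up by FederationIdentifier, sets IsActive to false through the REST API, and, only if the IdP happens to hold one of the user's OAuth tokens, posts it to the OAuth revoke endpoint. The instance URL, API version, admin access token, federation ID, and the canned FakeTransport responses are all assumptions made for the example; the endpoint paths (/services/data/<version>/query, /services/data/<version>/sobjects/User/<id>, /services/oauth2/revoke) and the 204 No Content answer to a successful PATCH are Salesforce's documented behaviour. The example is written in Python rather than in the .NET IdP's language so it can be run as-is.

```python
"""IdP-side deprovisioning of a Salesforce user (added example, not the original post's code)."""
import json
from urllib.error import HTTPError
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

API_VERSION = "v58.0"   # assumption: any current Salesforce REST API version behaves the same way


def urllib_transport(method, url, headers, body):
    """Real transport: send the request and return (status, raw response body)."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def soql_quote(value):
    """Quote a value for a SOQL string literal. The federation ID is data from the IdP's
    user store, so escape it rather than concatenating it into the query raw."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


class SalesforceDeprovisioner:
    """Deactivates a user (and revokes any token the IdP knows) via Salesforce's public APIs."""

    def __init__(self, instance_url, admin_access_token, transport=urllib_transport):
        # admin_access_token belongs to a dedicated integration user with Manage Users (assumption)
        self.instance_url = instance_url.rstrip("/")
        self.transport = transport
        self.api_headers = {
            "Authorization": "Bearer " + admin_access_token,
            "Content-Type": "application/json",
        }

    def find_user_id(self, federation_id):
        soql = "SELECT Id FROM User WHERE FederationIdentifier = " + soql_quote(federation_id)
        url = f"{self.instance_url}/services/data/{API_VERSION}/query?q={quote(soql)}"
        status, body = self.transport("GET", url, self.api_headers, None)
        if status != 200:
            raise RuntimeError(f"user lookup failed: HTTP {status}")
        records = json.loads(body)["records"]
        if len(records) != 1:   # never deactivate on an ambiguous or empty match
            raise LookupError(f"expected exactly one user for {federation_id!r}, got {len(records)}")
        return records[0]["Id"]

    def deactivate_user(self, user_id):
        url = f"{self.instance_url}/services/data/{API_VERSION}/sobjects/User/{user_id}"
        body = json.dumps({"IsActive": False}).encode()
        status, _ = self.transport("PATCH", url, self.api_headers, body)
        return status == 204   # Salesforce answers 204 No Content on a successful update

    def revoke_token(self, token):
        """Only possible when the IdP actually holds the user's refresh or access token."""
        url = f"{self.instance_url}/services/oauth2/revoke"   # assumption: My Domain host accepted here
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, _ = self.transport("POST", url, headers, urlencode({"token": token}).encode())
        return status == 200

    def deprovision(self, federation_id, known_tokens=()):
        user_id = self.find_user_id(federation_id)
        deactivated = self.deactivate_user(user_id)
        revoked = [self.revoke_token(t) for t in known_tokens]
        return {"user_id": user_id, "deactivated": deactivated, "revoked": revoked}


class FakeTransport:
    """Constructed offline stand-in for Salesforce so the example runs without network access."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if "/query?q=" in url:
            return 200, json.dumps({"totalSize": 1, "done": True,
                                    "records": [{"Id": "005000000000001AAA"}]}).encode()
        if "/sobjects/User/" in url and method == "PATCH":
            return 204, b""
        if url.endswith("/services/oauth2/revoke"):
            return 200, b""
        return 404, b"not found"


def demo():
    """Run the whole flow against the fake transport; returns the result and the recorded calls."""
    fake = FakeTransport()
    dep = SalesforceDeprovisioner("https://example.my.salesforce.com", "ADMIN_TOKEN", transport=fake)
    result = dep.deprovision("alice@example.com", known_tokens=["refresh-token-from-idp-store"])
    return result, fake.calls


if __name__ == "__main__":
    print(demo())
```

Deactivating the user is the step the IdP can always perform, because the IdP normally never sees the refresh token Salesforce issued to the Salesforce1 app; the revoke call is only an extra when the IdP does hold a token. Two checks matter in practice: refuse to act unless the FederationIdentifier lookup returns exactly one user, and quote the identifier before it goes into SOQL, since it originates in the IdP's user store rather than in code you control.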
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/33054