# gooddata-cloud
c
Hi Team, we're considering implementing Just-in-Time provisioning for our OIDC setup (with Auth0) and were wondering if you have any suggestions on how to clean up/remove users from GoodData who have been removed from the IdP?
i
Hi again! 🙂 What exactly is needed here, please? To remove users from our Managed OIDC or to remove them from your organization completely?
c
Hi Iva 😄 We are using our own Auth0 - and our application is managing the users there. So with JIT provisioning, once a user who is authenticated tries to access an embedded GoodData dashboard, a user will be created in GoodData. I wanted to know if there is a recommended way to remove users from GoodData if they get removed from our application (i.e. Auth0).
i
Hmm, unfortunately, JIT only works for user provisioning, not for their removal or de-provisioning. There’s no service which would be checking the actual list of users in your Auth0, then comparing it with a list of users in GD and then deleting them also from the organization - if this is what you are after. From the authentication point of view, there should be no issue. Once they are removed from the OIDC, they cannot be authenticated anymore. If you are asking due to user limits (or any other concern), then I am afraid there is no out-of-the-box solution. Such users would need to be removed manually via UI or API.
c
Thanks for confirming, Iva, that's kinda where we got with our thinking as well.