In most cases, users are created in local databases on the SP side at the moment when the user first logs in through the IDP. And since the user always has to authenticate through the IDP to access the SP, it is safe (from a security point of view) to support users who have been deactivated in the IDP as active on the SP side (since they will not be able to log into the SP anyway).
One approach to providing a clean SP database is to automatically remove or deactivate users who have not logged in for a specific period. The user will then be recreated or reactivated as soon as they authenticate through the IDP again and try to access the SP.
Another approach is to create a custom synchronization process between IDP and SP (for example, dump CSV from IDP and periodically import into SP).
The name identifier management profile with the request "Complete" can be used for this purpose, with a synchronous binding requiring only a SOAP web service call from IDP to SP. But most SP implementations do not support this profile, and most (if not all) IDPs will require a certain amount of configuration to make the call at the right time.
Vladimír Schäfer
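The inactivity-based cleanup described in the answer, as an added example (not the answerer's code): users are provisioned just-in-time on a successful IDP login, reactivated on the next login if they had been deactivated, and deactivated by a periodic job once they exceed an inactivity limit. The `SpUserStore` class, the 90-day limit and the NameIDs are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class LocalUser:
    name_id: str          # SAML NameID asserted by the IDP
    active: bool
    last_login: datetime


class SpUserStore:
    """Hypothetical SP-side user table keyed by the IDP-asserted NameID."""

    def __init__(self, inactivity_limit: timedelta):
        self.users: dict[str, LocalUser] = {}
        self.inactivity_limit = inactivity_limit

    def on_saml_login(self, name_id: str, now: datetime) -> LocalUser:
        """Just-in-time provisioning. Only called after the IDP has authenticated
        the user, so reactivating a locally deactivated record is safe here."""
        user = self.users.get(name_id)
        if user is None:
            user = LocalUser(name_id, True, now)
            self.users[name_id] = user
        else:
            user.active = True
            user.last_login = now
        return user

    def deactivate_stale(self, now: datetime) -> list[str]:
        """Periodic cleanup: deactivate active users not seen within the limit."""
        stale = sorted(u.name_id for u in self.users.values()
                       if u.active and now - u.last_login > self.inactivity_limit)
        for name_id in stale:
            self.users[name_id].active = False
        return stale


def demo() -> dict:
    """Constructed scenario: alice goes stale, bob does not, alice comes back."""
    store = SpUserStore(inactivity_limit=timedelta(days=90))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.on_saml_login("alice@example.org", t0)
    store.on_saml_login("bob@example.org", t0 + timedelta(days=60))
    stale = store.deactivate_stale(t0 + timedelta(days=100))   # alice: 100d, bob: 40d
    alice_after_cleanup = store.users["alice@example.org"].active
    store.on_saml_login("alice@example.org", t0 + timedelta(days=101))  # IDP login again
    return {"stale": stale,
            "alice_after_cleanup": alice_after_cleanup,
            "alice_after_relogin": store.users["alice@example.org"].active,
            "bob_active": store.users["bob@example.org"].active}
```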