In a typical SSO environment, user accounts are maintained by the IdP. Many service providers also maintain a local database of active users. They map the NameID that arrives as part of the SAML assertion from the IdP to a user in the local database to allow access.
We have integrated such service providers to keep users in sync (typical CSV file integration).
Some SPs (e.g. Dropbox) create the account on the fly in the local database when a user logs in for the first time. Since the only way a user can log in is via the IdP, this is considered safe. However, each of these SPs provides a mechanism by which we periodically delete inactive accounts.
We have successfully configured F5 APM/LTM as a SAML Service Provider (SP).
And we are using the create nameid option. The question is: where do these nameids get created in F5? And how does one manage them (i.e. delete accounts not used for a while)?
I would highly appreciate it if someone could shed some light on this.
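The SP-side pattern the question describes (map the assertion's NameID to a local account, create it on first login, prune accounts that have not logged in for a while) is shown below as an added, constructed example. It is not F5 APM code and says nothing about how APM stores its nameids; the `LocalUserStore` class, the sample assertion and the 90-day retention period are all assumptions for illustration. Signature and audience validation of the assertion are assumed to have happened upstream.

```python
"""Constructed example: SAML SP-side NameID -> local account mapping.

Not F5 APM code. Demonstrates just-in-time provisioning on first login
and pruning of local accounts that have been idle past a retention period.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertions (trimmed to the Subject; signature check assumed done upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1001</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

TRANSIENT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


@dataclass
class LocalUser:
    name_id: str
    created: datetime
    last_login: datetime


@dataclass
class LocalUserStore:
    """Hypothetical SP-side user database keyed by NameID."""
    users: dict = field(default_factory=dict)

    @staticmethod
    def extract_name_id(assertion_xml: str) -> str:
        """Pull the NameID out of the Subject; refuse values that cannot key a stable account."""
        root = ET.fromstring(assertion_xml)
        node = root.find("saml:Subject/saml:NameID", NS)
        if node is None or not (node.text or "").strip():
            raise ValueError("assertion has no NameID")
        # A transient NameID changes per session, so it must not be used to create a local account.
        if node.get("Format") == TRANSIENT:
            raise ValueError("transient NameID cannot be mapped to a local account")
        return node.text.strip()

    def login(self, assertion_xml: str, now: datetime):
        """Map NameID to a local user, creating it on first login (JIT provisioning)."""
        name_id = self.extract_name_id(assertion_xml)
        user = self.users.get(name_id)
        if user is None:
            user = LocalUser(name_id, now, now)
            self.users[name_id] = user
            return user, True
        user.last_login = now
        return user, False

    def prune_inactive(self, now: datetime, max_idle_days: int = 90) -> list:
        """Delete accounts with no login within the retention period; return the removed NameIDs."""
        cutoff = now - timedelta(days=max_idle_days)
        stale = sorted(nid for nid, u in self.users.items() if u.last_login < cutoff)
        for nid in stale:
            del self.users[nid]
        return stale


def demo() -> dict:
    """Run the lifecycle on the constructed assertions and report what happened."""
    store = LocalUserStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    _, created_first = store.login(SAMPLE_ASSERTION, t0)
    _, created_second = store.login(SAMPLE_ASSERTION, t0 + timedelta(days=10))
    try:
        store.login(TRANSIENT_ASSERTION, t0)
        transient_rejected = False
    except ValueError:
        transient_rejected = True
    pruned_early = store.prune_inactive(t0 + timedelta(days=50))   # last login 40 days ago: kept
    pruned_late = store.prune_inactive(t0 + timedelta(days=101))   # last login 91 days ago: removed
    return {
        "created_first": created_first,
        "created_second": created_second,
        "transient_rejected": transient_rejected,
        "pruned_early": pruned_early,
        "pruned_late": pruned_late,
        "remaining": sorted(store.users),
    }


if __name__ == "__main__":
    print(demo())
```

The retention check keys on the last successful login rather than account creation, which is what the periodic "delete inactive accounts" job at an SP needs; rejecting the transient NameID format is the one check worth keeping in front of any JIT-provisioning code, since a per-session identifier would otherwise create a fresh local account on every login.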
I've looked through F5's documentation, and I don't think that there's a way to view/edit nameid. My best guess would be that APM doesn't log inactive/active accounts, or else APM prunes anything it creates by itself, as F5 has no documentation on deleting unused service accounts. Maybe I just haven't looked hard enough, but that's my take.
Best of luck,
Yes, that seems to be the case. i.e. APM does its own nameid management and deletes it after some time.
I posed the same question to our SE and above was the answer I got. Good, one fewer thing to worry about.
Thanks a ton for looking into it.