I'm working on a Java application using Spring Security with Single Sign-On (SSO) authentication configured through ADFS Saml2, which retrieves user claims from Active Directory during login.
As I understand it, claims are typically loaded only during the initial login process, posing a challenge for scenarios where user permissions might change or if a user is removed from Active Directory in a Software as a Service (SaaS) environment.
My primary concerns are:
1. Is there a way to reload user claims programmatically in Spring Security with ADFS? This is crucial for keeping user permissions up-to-date without requiring users to re-authenticate continuously.
2. In the event that a user is deleted or has their permissions changed, is there a mechanism within ADFS to immediately invalidate their session or kick them out of the application?
I am not a SAML2/ADFS expert, so any guidance or best practices on handling dynamic user permissions in an SSO setup would be greatly appreciated.
Thank you!
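One application-side approach to both concerns, as an added example that is not part of the post or of Spring Security's own samples: a filter that re-checks the logged-in SAML user against a directory lookup at most once per interval, rebuilds the Saml2Authentication with fresh authorities, and ends the local session when the user no longer exists. It assumes Spring Security 6 (jakarta.servlet) and a hypothetical AuthorityRefresher interface that the application implements against LDAP, Graph or its own user table; the claims in the original assertion are not re-fetched from ADFS, since that requires a new authentication round-trip.

```java
import java.io.IOException;
import java.time.*;
import java.util.*;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.*;
import org.springframework.security.core.*;
import org.springframework.security.core.context.*;
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/** Re-checks a SAML-authenticated user against the directory at most once per interval (added example). */
public class AuthorityRefreshFilter extends OncePerRequestFilter {
    /** Hypothetical directory lookup, not a Spring API; an empty result means the user is gone or disabled. */
    public interface AuthorityRefresher {
        Optional<Collection<? extends GrantedAuthority>> currentAuthorities(String nameId);
    }
    private static final String LAST_REFRESH = "authorityRefresh.lastRefresh";
    private final AuthorityRefresher refresher;
    private final Duration interval;
    public AuthorityRefreshFilter(AuthorityRefresher r, Duration i) { refresher = r; interval = i; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        SecurityContext ctx = SecurityContextHolder.getContext();
        HttpSession session = req.getSession(false);
        Instant last = session == null ? null : (Instant) session.getAttribute(LAST_REFRESH);
        if (ctx.getAuthentication() instanceof Saml2Authentication saml && session != null
                && (last == null || last.plus(interval).isBefore(Instant.now()))) {
            // getName() is the NameID from the assertion; the refresher decides what it maps to.
            Optional<Collection<? extends GrantedAuthority>> fresh = refresher.currentAuthorities(saml.getName());
            if (fresh.isEmpty()) {
                // User deleted or disabled since login: drop the local session and reject this request.
                SecurityContextHolder.clearContext();
                session.invalidate();
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Rebuild the token with current authorities; the original SAML response is kept as-is.
            Saml2Authentication refreshed = new Saml2Authentication(
                    (AuthenticatedPrincipal) saml.getPrincipal(), saml.getSaml2Response(), fresh.get());
            refreshed.setDetails(saml.getDetails());
            ctx.setAuthentication(refreshed);
            new HttpSessionSecurityContextRepository().saveContext(ctx, req, res); // not implicit in Spring Security 6
            session.setAttribute(LAST_REFRESH, Instant.now());
        }
        chain.doFilter(req, res);
    }
}
```

Register it with `http.addFilterAfter(new AuthorityRefreshFilter(refresher, Duration.ofMinutes(5)), SecurityContextHolderFilter.class)` so the security context is already loaded when it runs; a deletion in AD then takes effect within one interval without any push from ADFS.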