We will be providing our customers the ability to provision users with us, and we will then in turn import those users to our Okta tenant. When the user is removed from their IdP, we deactivate the account. This brings up a question for me: how do I support customers wanting to no longer use SSO & SCIM without deactivating every account? Right now, if they simply remove all of their users from our SCIM server, all of their accounts will be deactivated, and they would have to work with our support to reactivate them. Is it possible to support this scenario in an automated fashion?
My first thought was to remove the app user on the SP side and then hit our SCIM server to delete the user, all triggered by the SSO integration being deactivated. Curious if there is a more automated or Okta-supported approach.