ACL / identity provider integration

Tailscale user:
Are TS’ ACLs integrated with the SSO Identity Providers (like ADFS) at all (Group membership, active status)? Or, is it SSO->authentication-only, ACL->authorization-only?

Does TS detect when an account in the Identity Provider is deactivated / deleted and remove them from the network automatically?

Support:
Identity providers only perform authentication and ACL performs all authorization, as you noted. Synchronizing groups from identity providers is a popular request that we hope to support in the future.

We do not currently delete users when they are deleted from the identity provider, but we do plan to improve this in future. Once an account has been deleted from the identity provider, new nodes can’t be registered with that account. Therefore the current process is to delete the account and then delete the nodes added by that user.
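Because Tailscale does not notice when an identity-provider account is deactivated, an offboarding check on the tailnet side is useful: the script below (an added example, not Tailscale's own tooling) compares an IdP export of active accounts against a device listing and flags nodes still registered to accounts that are no longer active. Both inputs are constructed sample data; the device-list shape assumes the `"name"`, `"user"` and `"tags"` fields of the Tailscale API's device listing.

```python
"""Reconcile tailnet devices against the identity provider's active users.

Tailscale does not remove users when their IdP account is deleted, so this
check finds nodes whose owning account is no longer active and should be
removed as part of the manual "delete the account, then delete the nodes" step.
"""
import json
from typing import Iterable

# Constructed sample: accounts currently active in the identity provider.
IDP_ACTIVE_USERS = {"alice@example.com", "bob@example.com"}

# Constructed sample in the shape of a Tailscale device listing (assumed field subset).
DEVICES_JSON = json.dumps({
    "devices": [
        {"name": "alice-laptop.example.ts.net", "user": "alice@example.com", "tags": []},
        {"name": "carol-desktop.example.ts.net", "user": "carol@example.com", "tags": []},
        {"name": "prod-web.example.ts.net", "user": "carol@example.com", "tags": ["tag:prod"]},
        {"name": "bob-phone.example.ts.net", "user": "Bob@Example.com", "tags": []},
    ]
})


def reconcile(devices_json: str, active_users: Iterable[str]) -> dict:
    """Split devices registered by inactive accounts into two lists.

    "orphaned": untagged nodes whose user is gone from the IdP (delete candidates).
    "tagged_review": tagged nodes registered by a gone user; tags, not the user,
    govern their access, so they are reported for review rather than deletion.
    Email comparison is case-insensitive because IdPs and Tailscale may differ.
    """
    active = {u.strip().lower() for u in active_users}
    result = {"orphaned": [], "tagged_review": []}
    for dev in json.loads(devices_json)["devices"]:
        if dev["user"].strip().lower() in active:
            continue
        entry = {"name": dev["name"], "user": dev["user"]}
        bucket = "tagged_review" if dev.get("tags") else "orphaned"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    report = reconcile(DEVICES_JSON, IDP_ACTIVE_USERS)
    for d in report["orphaned"]:
        print(f"delete candidate: {d['name']} (user {d['user']} inactive in IdP)")
    for d in report["tagged_review"]:
        print(f"review tagged node: {d['name']} (registered by inactive {d['user']})")
```

Run it periodically against a fresh IdP export; anything in `orphaned` is a node the support answer says must be removed by hand after the account is deleted.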