Something maybe missing from the scim endpoint implementation

[garpinc]

After your fix I realized that the retrievals via your Scim endpoints were blazing fast in comparison to my other implementation which talks via the keycloak rest api. As such I did a little research to find out why.

I think I'm running into:
keycloak/keycloak#10005

and related: keycloak/keycloak#19342

Hence this begs the question. Is this something you need to address too for the endpoints? Because if user is actually removed from the ldap federation then I guess sometimes you'd want to know that and not return user if they no longer exist. Of course then you'd run into the same performance issues they are experiencing in those tickets which is also no desirable but I thought I'd let you know so you can decide best course of action.

[Captain-P-Goldfish]

The SCIM for Keycloak plugin is actually not looking in the LDAP database for users. It expects the users to be synchronized into the keycloak server. The federation-provider configurations will normally create a copy within the database for performance reasons and the SCIM for Keycloak plugin can actually only search for those that are already synchronized.
The configuration option for the user-federation-provider in the plugin tells the plugin only if group-relationsships should be retrieved from LDAP or directly from the database since the group-relationsships are not synchronized.

[garpinc]

I understand that. I'm just saying that some customers of yours might want the users verified as per the normal keycloak. Since ur already optionally getting their groups I'm sure u can do that. But up to you.. in this case I opt for performance rather than accuracy.