Hi Jeroen,
Thank you for your patience on this.
The solution you are looking for can be achieved using the Group Mapping functionality provided in the plugin. You can map groups being sent from IdP against Confluence local groups. These mapped groups will get updated on user authentication (SSO).
Suppose user groups are removed from the IdP and the user is trying to authenticate; it will not be able to find the mapped groups in the IdP response, and as a result the user will get removed from the groups. This way we can manage the same set of user groups in Confluence.
Could you please let me know which OAuth/OpenID Provider you are using? Also, are you using any external user directory (AD/LDAP) for managing users and groups in Confluence?
If that’s the case, then we have an alternative solution too: syncing user details using the User Directory.
Here you need to make sure the external user directory (AD/LDAP) has read/write or read with local group permission.
You can send more details to miniOrange support at atlassiansupport@miniorange.com, or we can set up a quick call to discuss your use case and solution in detail.
Thanks,
Shradha