Recently we switched all our externally reachable webapps behind a portal that ensures 2F authentication.
Logging in to the portal (3rd party) requires you to either approve a push, or enter your OTP.
In the portal itself, you click on your application (e.g. OWA) and you are SSOed via SAML to the F5 listener.
The F5 then does KCD to SSO you to the Exchange.
Everything works fine so far, but:
Our problem in this whole constellation is inactive users.
The third party portal doesn't update the "LastLogonTimestamp" or any similar attributes in AD when authenticating via push
The F5 doesn't update the attribute when authenticating the user via SAML
The F5 doesn't update the attribute when getting a KCD token
So users from external partners may use their accounts regularly, but in AD they seem to be unused for months.
Our routines then disable/delete those accounts on a regular basis.
The idea would now be to let the F5 execute an iRule during the KCD that updates the LastLogonTimestamp for this user, or any other AD attribute for this specific user, that can be checked by our routines in order to know that this user was active in the last 3 months.
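The underlying problem in the post is that the cleanup routine only sees AD's LastLogonTimestamp, which none of the SSO hops (portal push/OTP, SAML at the F5, KCD to Exchange) refresh. An alternative to writing the attribute from an iRule is to feed the cleanup routine a second activity source: the successful SAML/KCD events the F5 already logs. The example below is added here and is not the poster's code or an F5 product feature; the log line format, the event names, the user naming and the AD data are all constructed assumptions. It parses such log lines, merges the result with what AD reports, and only flags accounts that are stale in both sources. Rejected assertions are deliberately not counted as activity.

```python
"""Reconcile AD "last logon" data with SSO activity observed at the portal/F5.

Added example (not from the original post). The log format, event names and
sample data below are constructed assumptions; a real deployment would read
its own F5/portal log export and query lastLogonTimestamp from AD.
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log lines in an assumed "timestamp user=... event=..." format.
SAMPLE_SSO_LOG = """\
2024-05-02T08:15:00Z user=partner.alice event=saml_assertion_accepted app=owa
2024-05-02T08:15:01Z user=partner.alice event=kcd_ticket_obtained app=owa
2024-03-10T17:40:12Z user=partner.bob event=saml_assertion_accepted app=owa
2024-05-20T11:02:33Z user=partner.alice event=saml_assertion_accepted app=owa
2024-05-20T11:05:00Z user=partner.carol event=saml_assertion_rejected app=owa
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)")

# Only successful authentication steps count as "the user was active".
ACTIVITY_EVENTS = {"saml_assertion_accepted", "kcd_ticket_obtained"}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sso_activity(log_text):
    """Return {user: latest successful-auth datetime} from SSO log lines.

    Lines that do not match the format, or whose event is not a success
    (e.g. a rejected assertion), are ignored.
    """
    last_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") not in ACTIVITY_EVENTS:
            continue
        ts = parse_ts(m.group("ts"))
        user = m.group("user")
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    return last_seen


def effective_last_activity(ad_last_logon, sso_last_seen):
    """Merge AD lastLogonTimestamp (value may be None) with SSO activity, keeping the later."""
    merged = {}
    for user in set(ad_last_logon) | set(sso_last_seen):
        candidates = [t for t in (ad_last_logon.get(user), sso_last_seen.get(user)) if t is not None]
        merged[user] = max(candidates) if candidates else None
    return merged


def accounts_to_disable(ad_last_logon, sso_last_seen, now, inactive_days=90):
    """Users whose latest activity in *either* source is older than the threshold or unknown."""
    cutoff = now - timedelta(days=inactive_days)
    merged = effective_last_activity(ad_last_logon, sso_last_seen)
    return sorted(u for u, t in merged.items() if t is None or t < cutoff)


if __name__ == "__main__":
    # Constructed AD snapshot: alice's AD timestamp is stale because she only
    # comes in via SSO; bob has never logged on directly; carol logs on
    # internally; dave has not been seen anywhere for months.
    ad_snapshot = {
        "partner.alice": parse_ts("2024-01-15T09:00:00Z"),
        "partner.bob": None,
        "partner.carol": parse_ts("2024-05-30T07:30:00Z"),
        "partner.dave": parse_ts("2023-12-01T12:00:00Z"),
    }
    sso = parse_sso_activity(SAMPLE_SSO_LOG)
    now = parse_ts("2024-06-01T00:00:00Z")
    for user, ts in sorted(effective_last_activity(ad_snapshot, sso).items()):
        print(f"{user:15} last activity: {ts.isoformat() if ts else 'never'}")
    print("would disable:", accounts_to_disable(ad_snapshot, sso, now))
```

With the constructed data and a 90-day window, only partner.dave is flagged: alice and bob are rescued by their SSO events, and carol by her AD timestamp, even though the single failed assertion in her name is ignored. The merge step is the part that matters for the scenario in the post: whichever side ends up recording activity (an iRule writing an attribute, or a log export like this), the cleanup routine should take the later of the two timestamps rather than trusting LastLogonTimestamp alone.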