View the original community article here
Last tested: June 2021
No. Looker doesn't automatically keep track of whether the user has been revoked on the SAML/LDAP/OIDC/Google side. There is a request to Force all users to log out or Automatically recognize new SAML groups if mapping gets updated that you can add your vote through our feedback system.
So the user will just stay logged in??
Yes. Any users logged in will stay logged in for the remainder of their session (up to 30 days). Of course, once they log out of Looker or otherwise end their Looker session they won't be able to log back in. They will not be deleted or disabled by the Looker system.
Can I force the user to log out?
You can disable the user via the UI, which logs them out.
A robust workaround would be an API script that:
Watches the IdP for when a user is revoked.
Finds the Looker user corresponding to the IdP user, and their current session ID(s).
Kill sessions for that user.
Disables that user.
This content is subject to limited support.