I wonder if that is the case. Why?

1. Authentication to Lifetime is via oAuth2.0 (the new IT Users authentication method). 

2. Authentication to AI Mentor Studio is done via the OutSystems Community User.

There is no correlation between our oAuth 2.0 user that we defined in our iDP and the OutSystem Community User. So revoking access in Lifetime does nothing for the accessing AI Mentor Studio.

Or is there? It is a long time ago that I setup the IT User authentication part. Not sure if people needed to create a community account with the same UPN as the one in our iDP.

There should be a mapping between your community account and your Lifetime user (IT user). During the initial registration in AI Mentor Studio you have to associate your IT user account.

Not sure how it works with the new OIDC authentication in Lifetime. I believe it still requires an active Lifetime user. During login in Lifetime using your external IdP the platform extracts the user info the identity token and matches it against the existing Lifetime user.

So I believe the linking pin for both is the Lifetime (IT) user:

External IdP user ------> Lifetime user <------- Community user (AI Mentor Studio)

I can also imagine a lot and this is also something that I has thought about but I need to be sure. I have created a support ticket for clarification. I'll update here when I get the answer.

Sure, I also asked OutSystems to join the discussion.