I am closing this as NOTABUG. The code works as designed and the desired functionality is obtained by: If you no longer want an IPA user to be able to log into CMFE the best thing to do would be to log into the IPA server and reconfigure the user so they no longer belong to the groups configured on CFME. Please reopen with more information if you feel this is still an issue.
Reopening: After researching more I have discovered this is an issue on 5.6.z
$ git cherry-pick -x -m 1 426e642 [darga bab3149] Merge pull request #10634 from jvlcek/bz_1342082_ext_auth_groups Author: Gregg Tanzillo <gtanzill> Date: Wed Aug 24 11:43:15 2016 -0400 2 files changed, 25 insertions(+), 1 deletion(-) $ git log commit bab3149e524e31922ef355acb80219572bc00b77 Author: Gregg Tanzillo <gtanzill> Date: Wed Aug 24 11:43:15 2016 -0400 Merge pull request #10634 from jvlcek/bz_1342082_ext_auth_groups Update the user when there are no matching groups (cherry picked from commit 426e6420e94cb050311ea99992db43dd490992d8)
PR: https://github.com/ManageIQ/manageiq/pull/10634
Verified in 5.6.2.1.20160922130607_92d5b5e. Issue is not reproducible. When users group is deleted, user login to CFME fails with expected Error message "Login not allowed, User's User is missing. Please contact the administrator"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-1996.html