We are in the process of exploring caching on IG and as part of that, we plan to do this on the following filters:
The WebSocket notifications take care of invalidating the SingleSignOnFilter and OAuth2ResourceServerFilter as we understand, but without a way to invalidate the UserProfile cache entries, what are the use cases which apply to using the UserProfile filter? And is there a mechanism to leverage invalidation of the cache on the UserProfile filter?
The best approach at the moment is to balance cache expiry time vs how often entries are updated on the backend. If entry attributes are changed frequently and these attributes are important to applications downstream from IG, then a lower cache time might be required. The maximumTimeToCache is the key configuration item to consider here, part of the cache configuration block (see Filters :: ForgeRock Identity Gateway).
There is also likely a cache operating on the downstream service that provided the attributes (Access Manager), so consider coordinating the cache expiry times.