by lxgr 456 days ago
I suppose you could do something based on IDP-signed tokens, e.g. "valid for authentication to service x until <timestamp>"?

This is basically an SSH certificate then.
The difference is in /key management/. Key management is the hard part. Especially keyless SSH management. (Things like Sigstore's Rekor/Fulcio remove some complexity here.) It is not "just a (manually generated) SSH certificate".
Kerberos tickets have timeouts on them already, it's a matter of configuration how long you wait.

The thing is most enterprises want "user disabled" to be instant.

Which of course leads to SSH keys all over the place anyway.
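As an added illustration of the trade-off the thread circles around (a time-bounded, IdP-signed token scoped to one service versus the "user disabled must be instant" requirement), here is a minimal model written for this note, not code from any commenter; the HMAC key, user and service names are constructed.

```python
# Constructed example: an IdP-signed token "valid for authentication to
# service X until <exp>", verified offline by the service, plus an optional
# online check against the IdP's disabled-user state.
import base64, binascii, hashlib, hmac, json, time

IDP_KEY = b"constructed-demo-secret"   # assumption: IdP signing key (HMAC for brevity)
DISABLED_USERS = set()                 # simulated IdP "user disabled" state

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=")

def _b64u_decode(s):
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

def issue_token(user, service, ttl_seconds, now=None):
    """IdP side: bind subject, audience (service) and expiry, then sign."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user, "aud": service, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return _b64u(payload) + b"." + _b64u(sig)

def disable_user(user):
    """IdP side: the account is disabled, but already-issued tokens are untouched."""
    DISABLED_USERS.add(user)

def verify_token(token, service, now=None, online_check=False):
    """Service side. Without online_check, a disabled user stays valid until exp:
    that is the gap that makes enterprises want instant revocation."""
    now = int(time.time() if now is None else now)
    try:
        p, s = token.split(b".")
        payload, sig = _b64u_decode(p), _b64u_decode(s)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(payload)
    if claims["aud"] != service:
        return False, "wrong service"
    if now >= claims["exp"]:
        return False, "expired"
    if online_check and claims["sub"] in DISABLED_USERS:
        return False, "user disabled"
    return True, claims["sub"]
```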