Technical Detail Aspects

The following aspects are useful to know in order to understand how the integration works.

User Mapping

For each SSO user a corresponding Pimcore user is created. The preferred_username claim of the OpenID Connect ID token is used as the Pimcore username. Note that the OpenID Connect specification does not require this claim to be unique or stable, so the provider has to be configured to deliver a unique value per account; otherwise two identities could be mapped to the same Pimcore user.

After every SSO login Pimcore checks whether the corresponding user already exists. If not, it creates a new user in the oidc folder, sets a random default password and assigns the roles delivered by the provider (see Role Mapping below).

Permissions and workspaces can be modified for the user directly in Pimcore. Users are never deleted automatically: removing or disabling an account at the provider does not remove the Pimcore user, so offboarding has to be done in Pimcore as well.

Role Mapping

Every SSO user is assigned the roles delivered by the OpenID Connect provider, provided a role of the same name exists in Pimcore (roles are matched by name). Roles delivered by the provider that do not exist in Pimcore are ignored.

The user's roles are re-synchronised from the provider after every login.
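The following is an added example that models the User Mapping and Role Mapping behaviour described above; it is not the bundle's own code and does not use the Pimcore API. The in-memory user store, the set of existing Pimcore roles and the name of the claim carrying the roles ("roles") are assumptions made for the example. It shows a first login creating the user in the oidc folder with a random password and only the roles that exist in Pimcore, and a second login overwriting the roles while leaving manually granted permissions untouched.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: the roles that exist in Pimcore (assumption for this example).
EXISTING_PIMCORE_ROLES = {"editor", "translator", "admin"}


@dataclass
class PimcoreUser:
    """Minimal stand-in for a Pimcore backend user (not the real class)."""
    username: str
    parent_folder: str
    password: str
    roles: set = field(default_factory=set)
    # permissions/workspaces edited by hand in Pimcore; never touched by the SSO sync
    permissions: set = field(default_factory=set)


class UserStore:
    """Hypothetical in-memory user store replacing Pimcore's persistence layer."""

    def __init__(self):
        self.users = {}

    def find(self, username):
        return self.users.get(username)

    def add(self, user):
        self.users[user.username] = user


def map_roles(provider_roles, known_roles=EXISTING_PIMCORE_ROLES):
    """Keep only the provider roles that exist in Pimcore, matched by exact name."""
    return {role for role in provider_roles if role in known_roles}


def sync_sso_user(store, claims, known_roles=EXISTING_PIMCORE_ROLES):
    """Model of what happens after each SSO login: find-or-create, then resync roles.

    `claims` is the decoded ID token; `preferred_username` is the standard claim
    the bundle uses, the `roles` claim name is an assumption of this example.
    """
    username = claims["preferred_username"]
    user = store.find(username)
    if user is None:
        user = PimcoreUser(
            username=username,
            parent_folder="oidc",
            # random default password, unknown to the user
            password=secrets.token_urlsafe(32),
        )
        store.add(user)
    # roles are overwritten from the provider on every login; unknown roles are dropped
    user.roles = map_roles(claims.get("roles", []), known_roles)
    # manually granted permissions/workspaces are left as they are
    return user


def demo_two_logins():
    """Walk through two logins of the same account with changed roles."""
    store = UserStore()
    # constructed claims of a first login: one known role, one the provider invented
    first = sync_sso_user(store, {"preferred_username": "alice",
                                  "roles": ["editor", "ghost"]})
    password_after_first_login = first.password
    # an administrator grants a permission directly in Pimcore between the logins
    first.permissions.add("documents")
    # constructed claims of a second login: the provider now delivers a different role
    second = sync_sso_user(store, {"preferred_username": "alice",
                                   "roles": ["translator"]})
    return {
        "same_user": first is second,
        "folder": second.parent_folder,
        "roles_after_first": {"editor"},
        "roles_after_second": second.roles,
        "permissions_kept": second.permissions,
        "password_unchanged": second.password == password_after_first_login,
        "user_count": len(store.users),
    }


if __name__ == "__main__":
    for key, value in demo_two_logins().items():
        print(f"{key}: {value}")
```

The point to take from the second login is that roles are entirely provider-driven, whereas permissions and workspaces set in Pimcore survive; to revoke access for a user that no longer exists at the provider, the Pimcore user has to be disabled or deleted by hand.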

Configuration Caching

The configuration (fetched from the discovery endpoint) and the certificate information (the provider's signing keys) are cached per OpenID Connect provider for 24 hours.

To clear this cache, clear the Pimcore cache with the tag oidc (e.g. via bin/console pimcore:cache:clear --tags=oidc). Do this after changing the provider configuration or when the provider rotates its signing keys; otherwise the stale entries remain in use until they expire.