Technical Detail Aspects
The following aspects may be useful to know in order to better understand how the integration works.
User Mapping
For each SSO user, a Pimcore user is also created. The preferred_username claim of the OpenID Connect standard is used as the username.
After every SSO login, Pimcore checks whether the corresponding user already exists. If not, it creates a new user in the oidc folder, sets a random default password and assigns the roles delivered by the provider (see next chapter).
It is possible to modify permissions and workspaces from the user directly in Pimcore. Users are not deleted automatically.
Role Mapping
Every SSO user is assigned to roles if they are delivered by the OpenID Connect provider and if the corresponding role exists in Pimcore (matched by its name).
The user's roles are updated after every login of the user.
Configuration Caching
Configuration (via the discovery endpoint) and certificate information is cached for every OpenID Connect provider for 24h.
To clear this cache, clear the Pimcore cache with the tag oidc (e.g. via bin/console pimcore:cache:clear --tags=oidc).