
Checkbox "Do not show login page: Automatically redirect to OpenID Connect server": Redirect directly to the SSO authentication provider.

How an SSO-authenticated user is matched in translate5

1. The first match check uses the iss (issuing authority) and sub (OpenID identity/subject of the user) claims. If a user with those values already exists in translate5, that translate5 user is used.

2. If no matching user is found in translate5 in the case above, try to find a translate5 user to log in as:
     * email field requested from userinfo_endpoint (if configured)
     * if the email is not found from the user info endpoint, try to get it from the 'upn' claim
     * if the email is still empty, check whether it is defined in the preferred_username claim
     * if this does not return a valid email, translate5 throws an exception

3. If a user with the email matched above already exists in translate5 but has different iss and sub values, a new user is created with "OID-" as login prefix but with the same email address.
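
The matching order described above, as an added Python sketch that is not translate5's own code. The `User` record, the function names, the simplified email check, the "OID-" + email login format and the handling of users with no iss/sub stored are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified validity check (assumption)

@dataclass
class User:  # hypothetical user record, not translate5's schema
    login: str
    email: str
    iss: Optional[str] = None
    sub: Optional[str] = None

def pick_email(claims, userinfo):
    """Step 2: userinfo email, then 'upn' claim, then preferred_username."""
    email = ((userinfo or {}).get("email") or claims.get("upn")
             or claims.get("preferred_username"))
    if not email or not EMAIL_RE.match(email):
        raise ValueError("no valid email in userinfo, upn or preferred_username")
    return email

def resolve(claims, userinfo, users):
    """Return (decision, user) for an ID token that is already signature-verified."""
    iss, sub = claims["iss"], claims["sub"]
    # Step 1: the (iss, sub) pair is the only identifier the IdP guarantees stable.
    for u in users:
        if u.iss == iss and u.sub == sub:
            return ("existing", u)
    # Step 2: fall back to an email taken from the IdP's claims.
    email = pick_email(claims, userinfo)
    same_email = [u for u in users if u.email.lower() == email.lower()]
    if not same_email:
        return ("no_match", None)  # the page does not describe this case
    for u in same_email:
        if u.iss is None and u.sub is None:
            return ("existing", u)  # assumption: user with no SSO identity stored yet
    # Step 3: the email belongs to a user bound to another (iss, sub). Do not
    # log in as that user; create a separate "OID-" login with the same email.
    return ("new", User("OID-" + email, email, iss, sub))

# Constructed sample data
USERS = [
    User("alice", "alice@example.com", "https://idp-a.example", "1"),
    User("bob", "bob@example.com"),
    User("carol", "carol@example.com", "https://idp-b.example", "5"),
]
```

Step 3 is what keeps an email claim from a second issuer from taking over an account already bound to a different iss and sub pair.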