...
Checkbox "Do not show login page: Automatically redirect to OpenID Connect server": Redirect directly to the SSO authentication provider.
How an SSO-authenticated user is matched in translate5
...
Creation of a user through OpenID Connect / Matching with an existing user
If a user authenticates, the following steps are done:
- Translate5 tries to find an existing translate5 user by the issuing authority and the OpenID identity/subject of the user ... claims. If an existing translate5 user matches those values, this user is used and updated with any new rights and user attributes (such as name, e-mail, etc.).
...
- If no matching user is found in translate5 in the above case, translate5 tries to find a valid e-mail address in the information the OpenID Connect IDP provides about the connecting user:
  - First it looks in the email field requested from the userinfo_endpoint (if configured).
  - If not found there, translate5 tries to find it in the 'upn' claim.
  - If not found there, translate5 tries to find it in the preferred_username claim.
  - If it is not found there, translate5 will throw an exception.
...
- If a user exists whose login name is the e-mail address coming from the OpenID Connect IDP, but with different OpenID-specific issuer and sub values, we will create a new user with "OID-" as login prefix but with the same e-mail address.
- If a user exists whose login name is the e-mail address coming from the OpenID Connect IDP, but with no OpenID-specific issuer and sub values (so a manually created one), translate5 updates this user with the info coming from the OpenID Connect IDP.
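
The matching order described above, written out as an added Python sketch; it is not translate5's own code. The `User` record, the in-memory `users` list, the simplified e-mail check, using `"OID-"` plus the e-mail as the prefixed login, and creating a plain account when no login matches are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified validity check (assumption)

@dataclass
class User:  # hypothetical stand-in for a translate5 user row
    login: str
    email: str
    iss: Optional[str] = None  # iss and sub both None = manually created account
    sub: Optional[str] = None

def find_email(claims: dict, userinfo: Optional[dict]) -> str:
    """Fallback order from the list above: userinfo email, 'upn', preferred_username."""
    candidates = [(userinfo or {}).get("email"), claims.get("upn"),
                  claims.get("preferred_username")]
    for value in candidates:
        if isinstance(value, str) and EMAIL_RE.match(value):
            return value
    raise ValueError("no valid e-mail address in the data provided by the IDP")

def resolve_user(users: list, claims: dict, userinfo: Optional[dict] = None):
    """Return (action, user) for one authenticated login."""
    iss, sub = claims["iss"], claims["sub"]
    # Step 1: match on issuer + subject. Manual accounts (None, None) never match.
    for u in users:
        if (u.iss, u.sub) == (iss, sub):
            return "matched", u
    # Step 2: no match, so an e-mail address is required (raises if none is found).
    email = find_email(claims, userinfo)
    same_login = next((u for u in users if u.login == email), None)
    if same_login is None:
        # Assumption: with no login collision, the e-mail becomes the login.
        new, action = User(email, email, iss, sub), "created"
    elif same_login.iss is None and same_login.sub is None:
        # Manually created account: updated with the identity from the IDP.
        same_login.iss, same_login.sub = iss, sub
        return "linked", same_login
    else:
        # Login belongs to a different OpenID identity: new user with "OID-" prefix.
        new, action = User("OID-" + email, email, iss, sub), "created_prefixed"
    users.append(new)
    return action, new
```

The `linked` branch attaches an IDP identity to a manually created account on e-mail equality alone, so the e-mail, `upn` and `preferred_username` values the IDP asserts should be ones its users cannot set freely.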