# OIDC Group Mapping

# Preamble

The EE server supports the OIDC protocol, which allows you to configure an external OIDC IdP for authentication. In addition, the OIDC server may provide groups. This guide explains how to map an OIDC group to a Psono group. We assume that you have already configured OIDC correctly with the necessary attribute configuration, so that groups are transferred properly. If not, please check out the appropriate configuration guide. We further assume that you have a working and running Admin Webclient. If you haven't, please check out the guide to install the admin client.

TIP

This feature is only available in the Enterprise Edition.

# Admin Webclient

  1. Log in to the Admin Webclient

  2. Create Managed Group

    Go to Users -> Groups and click the + button to create a managed group.

  3. Edit Managed Group

    Go to Users -> Groups and click the pencil button next to the created group.

  4. Create Mapping

    Search for the OIDC group and click the checkmark symbol in the "Mapped" column.

    TIP

    OIDC groups are created on the fly: whenever a user logs in, all of that user's groups are imported. If the group that you are searching for is not listed, ask a user who is a member of this group to log in.

  5. (optional) Grant Share Admin

    If you want to allow users of this OIDC group to add new shares to this group, you have to grant them Share Admin.

    TIP

    It is considered best practice to share only one folder per group and add new entries or subfolders to that one shared folder. That way all shares are instant and no one has to accept new shared secrets.

  6. Finished

    Whenever a user logs in with OIDC, the server will map Psono groups according to the user's OIDC groups and grant the user the necessary permissions. If a user loses access to a group, the server will remove the user from the Psono group upon the next login.
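
A minimal model of the login-time reconciliation described in step 6 and in the tip under step 4, added here as an illustration; it is not Psono's own code. `ServerState`, `reconcile_on_login`, the group names and the rule that the stronger Share Admin right wins when two OIDC groups map to the same Psono group are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class ServerState:  # hypothetical in-memory stand-in for the server's tables
    known_oidc_groups: set = field(default_factory=set)  # imported at login
    mappings: dict = field(default_factory=dict)  # oidc group -> (psono group, share_admin)
    memberships: dict = field(default_factory=dict)  # user -> {psono group: share_admin}

def reconcile_on_login(state, user, oidc_groups):
    """Apply the mappings for one login; return (added, removed) Psono groups."""
    claimed = set(oidc_groups)
    # Groups only become searchable for mapping once a user has logged in with them.
    state.known_oidc_groups |= claimed
    # Target membership: every Psono group mapped from a group in this login.
    target = {}
    for oidc_group in claimed:
        if oidc_group in state.mappings:
            psono_group, share_admin = state.mappings[oidc_group]
            # Assumption: if several OIDC groups map here, Share Admin wins.
            target[psono_group] = target.get(psono_group, False) or share_admin
    current = state.memberships.get(user, {})
    added = set(target) - set(current)
    removed = set(current) - set(target)
    state.memberships[user] = target
    return added, removed

def demo():
    """Constructed scenario: import, map, grant, then revoke at next login."""
    state = ServerState()
    # First login imports the group; it is not mapped yet, so nothing is granted.
    first = reconcile_on_login(state, "alice", ["oidc-devops"])
    # An admin maps the now-visible group and grants Share Admin (steps 2-5).
    state.mappings["oidc-devops"] = ("DevOps Secrets", True)
    second = reconcile_on_login(state, "alice", ["oidc-devops"])
    # The IdP drops alice from the group; nothing changes until she logs in again.
    stale = dict(state.memberships["alice"])
    third = reconcile_on_login(state, "alice", [])
    return first, second, stale, third

if __name__ == "__main__":
    print(demo())
```

The `stale` value is the point to note when planning offboarding: membership derived from an OIDC group stays in place until the user's next login triggers the reconciliation.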