OIDC Group Mapping

Preamble

The EE server supports the OIDC protocol that allows you to configure an external OIDC IDP for authentication. In addition the OIDC server may provide groups. This guide here will explain how to map a OIDC group to a Psono group. We assume that you already have configured OIDC correctly with the necessary attribute configuration, so groups are transferred proper. If not please check out the appropriate configuration guide.

TIP

This feature is only available in the Enterprise Edition.

Admin Webclient

1. Login to the Admin webclient

   

2. Create Managed Group

   Go to Groups and click the + button to create a managed group

   

3. Edit Managed Group

   Go to Groups and click the pencil button next to the created group

   

4. Create Mapping

   Search for the OIDC group and click the checkmark symbol in the "Mapped" column.

   TIP

   OIDC groups are created on the fly whenever a user logs in, all his groups are imported. If the group that you are searching for is not here, please tell a user with this group to login.

   

5. (optional) Grant Share Admin

   If you want to allow users of this OIDC group to add new shares to this group, you have to grant them Share Admin.

   

   TIP

   It is considered best practise to share only one folder per group and add new entries or subfoldes to that one shared folder. That way all shares are instant and noone has to accept new shared secrets.

6. Finished

   Whenever a user logs in with OIDC, the server will map Psono groups according to the user's OIDC groups and grant the user the necessary permissions. If a user loses access to a group the server will remove the user from the Psono group upon next login.