For each SSO user, a local PingCentral user is automatically created the first time they log in. This information is obtained from the subject (sub) claim provided by the OpenID provider.
The user’s first name, last name, and role are also recorded. The user’s name is derived from the given_name and family_name claims defined by the profile scope.
If first-time access to PingCentral is by way of API access using a bearer token, auto-provisioning also occurs if the user name and role are available. For performance reasons, subsequent bearer token access does not update the local user information, such as first name and last name.
At each SSO login, the role, first name, and last name might be updated based on token claims, which will overwrite any administrative updates made within PingCentral.
Although it is possible for PingCentral administrators to modify or delete auto-provisioned users, doing so will result in the SSO user being auto-provisioned again. Since the provisioning process generates a new PingCentral user ID, any application associations with the previous user ID will be lost.
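The following Python model is an added illustration, not PingCentral code. It replays the rules above to show which local edits survive an SSO login, a bearer-token call, and a delete followed by re-provisioning. Assumptions: the role claim name pingcentral_role, the UserStore class and its methods, the use of sub as the lookup key, and the integer user IDs are all hypothetical, and the sample claims are constructed.

```python
import itertools
from dataclasses import dataclass

ROLE_CLAIM = "pingcentral_role"  # assumption: the page does not name the role claim
ALICE = {"sub": "alice", "given_name": "Alice", "family_name": "Ng",
         ROLE_CLAIM: "IAM Administrator"}  # constructed sample claims

@dataclass
class LocalUser:
    user_id: int
    username: str
    first: str
    last: str
    role: str

class UserStore:
    """Toy model of the provisioning rules above (hypothetical names)."""
    def __init__(self):
        self.users = {}        # sub -> LocalUser
        self.app_owner = {}    # application name -> owning user_id
        self._ids = itertools.count(1)

    def _provision(self, c):
        # Model requires a role claim; the constructed tokens always carry one.
        u = LocalUser(next(self._ids), c["sub"], c.get("given_name", ""),
                      c.get("family_name", ""), c[ROLE_CLAIM])
        self.users[u.username] = u
        return u

    def sso_login(self, c):
        u = self.users.get(c["sub"])
        if u is None:
            return self._provision(c)
        # Each SSO login: claims present in the token overwrite local edits.
        u.first = c.get("given_name", u.first)
        u.last = c.get("family_name", u.last)
        u.role = c.get(ROLE_CLAIM, u.role)
        return u

    def bearer_access(self, c):
        u = self.users.get(c.get("sub"))
        if u is not None:
            return u           # existing user is not refreshed from the token
        if c.get("sub") and c.get(ROLE_CLAIM):
            return self._provision(c)
        return None            # user name or role missing: nothing is created

    def delete(self, sub):
        self.users.pop(sub, None)

    def orphaned_apps(self):
        # Applications whose recorded owner ID no longer matches any local user.
        live = {u.user_id for u in self.users.values()}
        return sorted(a for a, uid in self.app_owner.items() if uid not in live)
```

In the model, a role edited locally persists through bearer-token calls but reverts at the next SSO login, and a deleted user returns under a new ID that no longer matches the owner recorded on their applications.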