For each single sign-on (SSO) user, PingCentral automatically creates a local user the first time they sign on, using information obtained from the subject (sub) claim provided by the OpenID provider.
The user’s first name, last name, and role are also recorded. The user's name is derived from the given_name and family_name claims defined by the profile scope.
If first-time access to PingCentral is through API access using a bearer token, auto-provisioning occurs if the user name and role are available. For performance reasons, subsequent bearer token access doesn't update the local user information, such as first name and last name.
At each SSO, the role, first name, and last name might be updated based on token claims, which overwrites any administrative updates made within PingCentral.
Although PingCentral administrators can modify or delete auto-provisioned users, doing so results in the SSO user being auto-provisioned again. Because the provisioning process generates a new PingCentral user ID, any application associations with the previous user ID will be lost.
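
The following toy Python model of the lifecycle described above is an added illustration, not PingCentral's code. The `role` claim name, the use of `sub` as the bearer-token user name, and the `app_owner` map are assumptions. It shows why local role edits do not survive the next SSO and why deleting an auto-provisioned user leaves application associations pointing at the old user ID.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class LocalUser:
    user_id: int
    sub: str
    first_name: str
    last_name: str
    role: str

class ProvisioningModel:
    """Toy model of the behaviour described above; not PingCentral code."""

    def __init__(self):
        self._ids = count(1)   # stand-in for PingCentral's user ID generation
        self.users = {}        # sub -> LocalUser
        self.app_owner = {}    # application name -> owning user_id (assumed shape)

    def _provision(self, claims):
        user = LocalUser(next(self._ids), claims["sub"], claims.get("given_name", ""),
                         claims.get("family_name", ""), claims["role"])
        self.users[user.sub] = user
        return user

    def sso_sign_on(self, claims):
        user = self.users.get(claims["sub"])
        if user is None:
            return self._provision(claims)
        # Every SSO refreshes the record from token claims, replacing local edits.
        user.first_name = claims.get("given_name", user.first_name)
        user.last_name = claims.get("family_name", user.last_name)
        user.role = claims.get("role", user.role)
        return user

    def bearer_access(self, claims):
        user = self.users.get(claims.get("sub"))
        if user is not None:
            return user        # subsequent bearer access: no refresh
        if claims.get("sub") and claims.get("role"):
            return self._provision(claims)   # first access, name and role present
        return None            # not enough information to auto-provision

    def delete_user(self, sub):
        self.users.pop(sub, None)   # app_owner entries keep the old user_id

    def apps_of(self, user):
        return sorted(a for a, uid in self.app_owner.items() if uid == user.user_id)
```

In this model, the durable way to change a user's role is to change the claim issued by the OpenID provider, and application associations need to be reassigned before an auto-provisioned user is deleted.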