
SSO users can change/reset password in Pimcore backend #2

Open
djdgtls opened this issue Nov 4, 2022 · 1 comment

Comments


djdgtls commented Nov 4, 2022

As the SSO users are also "normal" Pimcore users, they can change the password in their profile or use the password reset functionality.
So if a user was created with SSO and knows their Pimcore login password, they can circumvent SSO when they are offboarded and are still able to log in.
Users created by SSO should not be able to log in to the backend by other means.

BlackbitDevs (Collaborator) commented

For newly created users a temporary password gets set, so you have to get access to the Pimcore database, decrypt it (which is practically impossible) and then you could log in with the Pimcore standard login.

For already existing users, the password does not get changed on a successful SSO login because those users have been created manually in the Pimcore backend. In this case, you could step through existing users and set a new password. The reason why the password does not get changed for existing users is that normally admin users configure the plugin and if it does not work as expected, they would not be able to log in again.

So what do you think of changing the password of existing users - but only for those who do not have permission to change SSO configuration?

Side note:
If you want to enforce SSO usage, please configure the Default Provider in the configuration page. This way any user who accesses the Pimcore backend login, will get automatically forwarded to the configured default authentication provider.
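The policy discussed in this thread (rotate the local password on SSO login except for users allowed to edit the SSO configuration, and refuse local password change/reset for SSO-managed users), as an added illustration that is not the plugin's code. The user model, the `sso_config` permission key and the hash function are stand-ins, not Pimcore's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Placeholder for the plugin-specific permission that allows editing SSO settings.
SSO_CONFIG_PERMISSION = "sso_config"


@dataclass
class User:
    """Constructed model of a backend user (not Pimcore's User class)."""
    name: str
    password_hash: str
    sso_managed: bool = False
    permissions: set = field(default_factory=set)


def hash_password(password: str) -> str:
    # Stand-in for the real password hash; the policy does not depend on it.
    return hashlib.sha256(password.encode()).hexdigest()


def can_edit_sso_config(user: User) -> bool:
    return SSO_CONFIG_PERMISSION in user.permissions


def on_sso_login(user: User) -> bool:
    """After a successful SSO login, replace the local password with a random
    value nobody knows, so the account cannot be used once SSO access is revoked.
    Users who may edit the SSO configuration keep their password (break-glass)."""
    if can_edit_sso_config(user):
        return False
    user.password_hash = hash_password(secrets.token_urlsafe(32))
    user.sso_managed = True
    return True


def request_password_change(user: User, new_password: str) -> bool:
    """Profile password change and reset flow: denied for SSO-managed users."""
    if user.sso_managed and not can_edit_sso_config(user):
        return False
    user.password_hash = hash_password(new_password)
    return True


def password_login(user: User, password: str) -> bool:
    """Standard Pimcore-style login with the local password."""
    return hmac.compare_digest(user.password_hash, hash_password(password))
```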
