Proves the inbound OIDC flow end-to-end: a stub IdP (mock PingFed) asserts
email + roles[], the SP verifies the token against the JWKS,
and the resolver maps it onto a real DealerZone identity using the
role claim as the disambiguator. All reads are against live VADZ.
Start the flow — you'll land on the stub IdP's identity picker.

Sign in with PingFed (stub) →

| Scenario | Pick | Expected resolution |
|---|---|---|
| Master dealer | rwilliamson@cyclezone.com | match users.email → level 2 |
| Dealer | m.scalora@robertssupply.com as dealer | match users.email → level 4 (id 9204) |
| Inactive dealer | beltzservicedept@gmail.com | match users.email → level 6 (restricted) |
| Salesperson | mladouce@powereqp.com | match salesman.email → user_type 2 (rep w/ linked reps) |
| Distributor | alltest@gmail.com | match distributor_users.email → scope ALL [99] |
| Admin | strategicamericaadmin@gmail.com | identity-mapped overlay (replaces id 10135) |
| ★ Dual-role collision | m.scalora@robertssupply.com as dealer + salesperson | ONE email → TWO identities: dealer users.id 9204 and rep salesman.user_id 9684. Disambiguated by role. |
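The role-claim disambiguation the resolver performs, as an added example in Python (not the project's own code). The tables, emails and `resolve` function are constructed stand-ins; only the table names and the colliding ids 9204/9684 come from the page. It assumes the token's signature, issuer and audience were already checked against the JWKS before the claims reach the resolver.

```python
from dataclasses import dataclass

# Constructed stand-ins for the three VADZ tables the resolver reads
# (users, salesman, distributor_users). Emails are placeholders; the
# ids 9204 / 9684 are the dual-role collision described on the page.
USERS = {"dual@example.com": {"id": 9204, "level": 4}}
SALESMAN = {"dual@example.com": {"user_id": 9684, "user_type": 2}}
DISTRIBUTOR_USERS = {"dist@example.com": {"id": 99, "scope": "ALL"}}

# Role claim value -> (table name, rows, primary-key column). The role is
# the only thing allowed to pick between rows that share an email.
ROLE_TABLES = {
    "dealer": ("users", USERS, "id"),
    "salesperson": ("salesman", SALESMAN, "user_id"),
    "distributor": ("distributor_users", DISTRIBUTOR_USERS, "id"),
}

class AmbiguousIdentity(Exception):
    """More than one row still matches after applying the role claim."""

class UnresolvedIdentity(Exception):
    """No row matches the (email, role) pair asserted by the IdP."""

@dataclass(frozen=True)
class Identity:
    table: str
    key: int
    role: str

def resolve(claims: dict) -> Identity:
    """Map already-verified OIDC claims onto exactly one DealerZone identity.

    Fails closed: zero or several surviving candidates is an error, never
    a guess. Signature/issuer/audience checks happen before this is called.
    """
    email = claims["email"].strip().lower()
    roles = {str(r).lower() for r in claims.get("roles", [])}
    matches = []
    for role in sorted(roles):
        if role not in ROLE_TABLES:
            continue  # unknown role values never widen the search
        table, rows, pk = ROLE_TABLES[role]
        row = rows.get(email)
        if row is not None:
            matches.append(Identity(table, row[pk], role))
    if not matches:
        raise UnresolvedIdentity(f"{email} with roles {sorted(roles)}")
    if len(matches) > 1:
        raise AmbiguousIdentity(f"{email} matches {[m.table for m in matches]}")
    return matches[0]
```

Asserting both roles at once for the colliding email is treated as ambiguous rather than silently resolved to either identity.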

| Endpoint | Path |
|---|---|
| SP initiate | /user/auth/sso/initiate/ |
| SP callback | /user/auth/sso/callback/ |
| IdP authorize | /idp/authorize/ |
| IdP token | /idp/token/ |
| IdP JWKS | /idp/jwks/ |
| IdP discovery | /idp/openid_configuration/ |