Web users can connect to the Admin Console when it is configured to use OpenID Connect SSO without being an Admin Console user. Only Admin Console-defined users should be able to be configured for access to the Admin Console. Currently, anyone who can authenticate via OpenID Connect can log into the Admin Console. As long as a user can authenticate via the SSO provider, they can log into the Admin Console.
This is working as designed. Enabling this SSO provider for both the storefront and the admin console specifies that it should allow users to access both. Out of the box, if you enable SSO for the admin console, any user that can log in through that SSO can get into the admin console and will automatically get the ISC_User role; that is how it works. If the same SSO provider is enabled for both the storefront and the admin console, any user that can sign in through that SSO provider will be able to sign in to both the storefront and the admin console.
The same SSO provider is being used for both the storefront and the admin console, rather than a separate SSO provider for each.
It would be an enhancement request for the above to be handled differently than it is today.
The only workaround suggested was to use an OpenID Connect SSO provider for the storefront and a Windows SSO provider for the admin console. But we currently do not support enabling OpenID for both the storefront and the admin console.