
[v3] [feature] support group membership (or more general: arbitrary OIDC claims) for admin status when using externally authenticated users #6141

@mbunkus

Description

When using external authentication (OIDC) users are only created the first time they log in. This means that in order for admin users to be flagged as admins they must first log in, then a Linux admin must run the appropriate commands on the machine itself.

OIDC can pass along a lot more data than just the username. It can also pass along group membership. For Keycloak we have our LDAP server as our identity backend, pull group membership from LDAP into Keycloak & then pass along group membership as OIDC claims. This is common practice with OIDC.

Ideally Greenlight should support making users Greenlight admins when certain OIDC claims contain certain values. This doesn't have to be restricted to OIDC claims, mind you; often enough an OIDC provider might pass along an application-specific claim representing access or admin status.

Here's a screenshot of Keycloak where I've added the default group mapper to a client:

Please note that groups are multi-value things, meaning the groups claim will contain the list of all groups. Greenlight would have to split the claim & do the group comparison afterwards.
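One way the claim-to-admin mapping requested above could look, as an added example (not Greenlight's code and not part of the issue): a small Ruby helper that reads a configured claim, splits it whether the provider sends a JSON array or a delimited string, and grants admin only on an exact match against a configured allowlist. The module name, the configuration shape and the nested-claim path support (e.g. `realm_access.roles`) are assumptions.

```ruby
# Hypothetical helper for deciding admin status from OIDC claims.
# Assumed configuration:  ADMIN_CLAIM="groups"
#                         ADMIN_CLAIM_VALUES="/greenlight-admins,/sysops"
# Keycloak's default group mapper emits "groups" as an array of group paths.
module OidcAdminMapper
  module_function

  # Fetch a claim by dotted path so nested claims ("realm_access.roles")
  # work as well as top-level ones. Returns nil when any step is missing.
  def fetch_claim(claims, path)
    path.split('.').reduce(claims) do |node, key|
      return nil unless node.is_a?(Hash)
      node[key] || node[key.to_sym]
    end
  end

  # Normalise a multi-value claim to an Array of stripped strings.
  # Providers send either a JSON array or one comma/space-delimited string.
  def claim_values(value)
    case value
    when nil then []
    when Array then value.map { |v| v.to_s.strip }.reject(&:empty?)
    else value.to_s.split(/[,\s]+/).reject(&:empty?)
    end
  end

  # True when at least one value of the configured claim is in the allowlist.
  # Comparison is exact and case-sensitive on purpose: "/Admins" and "/admins"
  # are distinct groups in most directories, and an empty allowlist never
  # grants admin (a missing setting must fail closed).
  def admin?(claims, claim_name:, admin_values:)
    wanted = claim_values(admin_values)
    return false if wanted.empty?
    (claim_values(fetch_claim(claims, claim_name)) & wanted).any?
  end
end

# Constructed sample payload shaped like a Keycloak ID token with the group mapper.
SAMPLE_CLAIMS = { 'sub' => 'alice', 'groups' => ['/users', '/greenlight-admins'] }.freeze

if $PROGRAM_NAME == __FILE__
  puts OidcAdminMapper.admin?(SAMPLE_CLAIMS, claim_name: 'groups',
                              admin_values: '/greenlight-admins,/sysops')
end
```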
