Issue
SAML-authenticated users are silently and automatically removed from locally-managed groups upon login after upgrading user_saml, without any admin knowledge or consent. There is no warning, no configuration option to skip it, and no relevant documentation on the portal.
Subsequently, when IdP users log in after an update, they find themselves removed from all local groups.
The RememberLocalGroupsForPotentialMigrations repair step should:
- Be opt-in rather than auto-executing on upgrade
- OR require explicit admin confirmation before populating the candidate pool
- OR only populate groups that meet specific criteria (not all Database groups)
Repro
- Upgrade from user_saml v7.1.4 to v8.0.0 with group attribute mapping configured.
- As admin, add a SAML user to a local Database group
- SAML user logs in via IdP
Expected: Local Database group membership persists across SAML login
Actual: SAML user is removed from local Database group on login (and loses access to all group-managed resources).
Version: user_saml v8.0.1, Nextcloud server v32.0.9
Env: Production (Podman container)
Root Cause
The RememberLocalGroupsForPotentialMigrations repair step (registered in appinfo/info.xml as <post-migration>) automatically executes during upgrade. It populates the localGroupsCheckForMigration config key with ALL Database backend groups (except admin) and sets a 60-day expiration window.
This causes GroupManager::mayModifyGroup() to return true for Database groups in the candidate pool that contain only SAML users, which in turn causes GroupManager::getGroupsToRemove() to remove these local groups from SAML users on login.
Verification
# Directly upon upgrade, check if migration candidate pool is populated:
php occ config:app:get user_saml localGroupsCheckForMigration
# Output confirms auto-enrollment of our local DB groups:
{"dropAfter":1783195325,"groups":["groupA","groupB",...]}
Immediate fix
Immediately after an update:
php occ config:app:delete user_saml localGroupsCheckForMigration
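The verification and the immediate fix above can be folded into one post-upgrade check. The script below is an added example, not code from the issue reporter or from the user_saml project: it parses the JSON that `occ config:app:get` prints (the sample value is constructed in the shape shown above), reports whether the candidate pool is populated (which is what arms the removal on login) and how many days remain before `dropAfter`, and only deletes the key when explicitly asked. It assumes `occ` is invoked as `php occ` from the Nextcloud root and that `jq` is not available.

```shell
#!/bin/sh
# Added example (not from the issue): inspect the user_saml migration candidate
# pool after an upgrade and clear it before SAML users log in.
# Assumes `php occ` is runnable from the current directory; no jq required.

# Print one group name per line from the JSON value of localGroupsCheckForMigration,
# e.g. {"dropAfter":1783195325,"groups":["groupA","groupB"]}. Empty output if absent.
pool_groups() {
    printf '%s\n' "$1" | sed -n 's/.*"groups":\[\([^]]*\)\].*/\1/p' | tr ',' '\n' | tr -d '" '
}

# Print the dropAfter epoch seconds, or nothing if the key is missing.
pool_drop_after() {
    printf '%s\n' "$1" | sed -n 's/.*"dropAfter":\([0-9]*\).*/\1/p'
}

# Return 0 when the pool holds at least one group, i.e. getGroupsToRemove() may
# strip local Database groups from SAML users on their next login.
pool_is_armed() {
    [ -n "$(pool_groups "$1")" ]
}

# Whole days until the pool expires, relative to the epoch time in $2.
pool_days_left() {
    drop=$(pool_drop_after "$1")
    [ -n "$drop" ] || { echo 0; return 1; }
    echo $(( (drop - $2) / 86400 ))
}

# Read the live value from Nextcloud (errors and a missing key both yield "").
read_live_pool() {
    php occ config:app:get user_saml localGroupsCheckForMigration 2>/dev/null || true
}

case "${1:-}" in
    --check)
        json=$(read_live_pool)
        if pool_is_armed "$json"; then
            echo "WARNING: migration candidate pool is populated; local groups will be"
            echo "removed from SAML users on login for $(pool_days_left "$json" "$(date +%s)") more day(s):"
            pool_groups "$json" | sed 's/^/  - /'
            exit 2
        fi
        echo "OK: candidate pool is empty; local group membership is safe."
        ;;
    --clear)
        # Same as the manual fix in the issue, run only on explicit request.
        php occ config:app:delete user_saml localGroupsCheckForMigration
        ;;
esac
```

Run `sh check_saml_pool.sh --check` directly after `occ upgrade` and before re-enabling user logins; a non-zero exit means the pool is armed, and `--clear` applies the same `config:app:delete` the issue recommends.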
Removing group attributes mapping entirely also fixes the issue but this is not acceptable in production if IdP groups are also provisioned.