User roles getting overwritten #1729

Closed
opened 2026-02-05 01:43:45 +03:00 by OVERLORD · 4 comments

Originally created by @sharma-akshay on GitHub (May 13, 2020).

I installed Bookstack and I implemented SSO using saml2. I have configured the Bookstack to let user register himself and by default I am giving Viewer role to users. I want few users to have admin roles. So I modified the roles of those users in settings and gave them admin role. However when they sign again, the role is overwritten to "Viewer" role again. Is there any option/setting that the registration should happen only once?

Also I am unable to log in to Admin account if I enable saml2. I have to change it to standard to get into admin access. Can't we keep both active?


@ssddanbrown commented on GitHub (May 14, 2020):

Hi @sharma-akshay,
Can you confirm the exact version of BookStack you are using (Shown in the top-right of the settings) and also confirm if you are using any of the below options in your `.env` file:

```
SAML2_USER_TO_GROUPS=
SAML2_GROUP_ATTRIBUTE=
SAML2_REMOVE_FROM_GROUPS=
```

@sharma-akshay commented on GitHub (May 15, 2020):

Hi,

Following are the details:

BookStack v0.29.2

```
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=groups
SAML2_REMOVE_FROM_GROUPS=true
```


@ssddanbrown commented on GitHub (May 17, 2020):

Hi @sharma-akshay,

User group syncing, which you have enabled via `SAML2_USER_TO_GROUPS=true` will run on each login. Since you have `SAML2_REMOVE_FROM_GROUPS=true` enabled, they will be removed from non-matching groups on each login. There is no option to only have this run once. You could alternatively not use `SAML2_REMOVE_FROM_GROUPS=true` if you want the admins to keep those roles but you'll need to manually apply any role-removals in the future.

> Also I am unable to log in to Admin account if I enable saml2. I have to change it to standard to get into admin access. Can't we keep both active.

This is because the admin account is not synced with a SAML user. You can either sign-in with SAML to create a user, then, using the admin account, give that user admin privileges; Or you can set the "External Authentication ID" input value for an existing user/admin to match them up for a future SAML login.

You should be able to login via standard login as an admin, change back to SAML2, and you'll remain logged in as the admin for that session, if you need to be logged in as an admin while SAML2 is active.
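
A simplified model of the per-login sync described in the reply above, added here as an example and not BookStack's own code. The function names, the case-insensitive name matching between IdP groups and roles, and the sample role and group values are assumptions.

```python
# Simplified model of the per-login SAML group sync described in this thread.
# Not BookStack code. Assumption: an IdP group maps to a role when the names
# are equal ignoring case; group and role values below are constructed.

def sync_roles_on_login(current_roles, saml_groups, known_roles,
                        user_to_groups=True, remove_from_groups=True):
    """Return the set of roles the user holds after one SAML login."""
    current = {r.lower() for r in current_roles}
    if not user_to_groups:
        return current                      # sync off: local roles untouched
    known = {r.lower() for r in known_roles}
    matched = {g.lower() for g in saml_groups} & known
    if remove_from_groups:
        return matched                      # non-matching roles are dropped
    return current | matched                # additive: nothing is removed


def roles_lost_on_next_login(current_roles, saml_groups, known_roles):
    """Roles granted locally that a login with removal enabled would strip."""
    after = sync_roles_on_login(current_roles, saml_groups, known_roles)
    return sorted({r.lower() for r in current_roles} - after)


KNOWN_ROLES = ["Admin", "Editor", "Viewer"]          # constructed role list
IDP_GROUPS = ["viewer", "staff"]                     # constructed assertion

if __name__ == "__main__":
    promoted = ["Viewer", "Admin"]                   # admin added in settings
    print(sync_roles_on_login(promoted, IDP_GROUPS, KNOWN_ROLES))
    print(sync_roles_on_login(promoted, IDP_GROUPS, KNOWN_ROLES,
                              remove_from_groups=False))
    print(roles_lost_on_next_login(promoted, IDP_GROUPS, KNOWN_ROLES))
    # In this model, a role asserted by the IdP survives every login.
    print(sync_roles_on_login(["Viewer"], IDP_GROUPS + ["admin"], KNOWN_ROLES))
```

Running `roles_lost_on_next_login` over locally assigned roles before enabling removal shows which manual grants would not survive the next login.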


@ssddanbrown commented on GitHub (Sep 28, 2020):

Since there has been no further follow up on this I'll close it off.

Reference: starred/BookStack#1729