SAML Group Sync does not assign roles until first login. #2408

Closed
opened 2026-02-05 03:59:08 +03:00 by OVERLORD · 3 comments

Originally created by @EternalDeiwos on GitHub (Oct 1, 2021).

Describe the bug
When a user logs in for the first time this triggers auth_register, which does not assign roles that match the chosen groups attribute; however, the user is considered "logged in" immediately after they register.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Log into bookstack with a new, privileged user.
  2. Attempt to browse pages that are restricted; this should fail as the user has no roles assigned.
  3. Log out and log back in again.
  4. Attempt to browse pages that are restricted; this should now succeed as roles are refreshed at login.

Expected behavior
Roles should be assigned at registration, or the user should be forced to explicitly login after they are registered.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): 21.05.4
  • PHP Version: 7.4.22
  • Hosting Method (Nginx/Apache/Docker): Docker/K8s (linuxserver/bookstack:version-v21.05.4)

Additional context
Using Keycloak for SAML IdP

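The gap the report describes, as an added illustration that is not part of the original issue and not BookStack's own code: a hypothetical service provider receives the parsed attributes of a SAML assertion, maps the IdP's group names to local roles through a constructed `GROUP_TO_ROLE` table, and establishes a session. With `sync_on_register=False` the just-in-time registration branch skips group sync but still establishes the session, so a new privileged user has no roles until their second login; with `sync_on_register=True` both branches sync before the session exists. The returning-user branch treats the IdP's groups as authoritative (roles dropped at the IdP are dropped locally), which is an assumption about desired behaviour rather than something the issue states.

```python
"""Role assignment on first SSO login: the reported gap beside the fix.

Added illustration, not BookStack code. Models a service provider (SP)
that consumes already-parsed SAML attributes and maps groups to roles.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed group -> role mapping, standing in for the SP's configuration.
GROUP_TO_ROLE = {"wiki-admins": "admin", "wiki-editors": "editor"}


@dataclass
class User:
    email: str
    roles: set[str] = field(default_factory=set)


def roles_for_groups(groups: list[str]) -> set[str]:
    """Map IdP group names to local roles; unknown groups map to nothing."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


class ServiceProvider:
    """Minimal SP. sync_on_register=False reproduces the reported gap."""

    def __init__(self, sync_on_register: bool):
        self.sync_on_register = sync_on_register
        self.users: dict[str, User] = {}
        self.session: User | None = None

    def handle_assertion(self, attrs: dict) -> User:
        email = attrs["email"]
        groups = attrs.get("groups", [])
        user = self.users.get(email)
        if user is None:
            # Just-in-time registration of a user seen for the first time.
            user = User(email)
            self.users[email] = user
            if self.sync_on_register:
                user.roles = roles_for_groups(groups)
        else:
            # Returning user: group sync is authoritative, so roles removed
            # at the IdP are removed locally too (assumed desired behaviour).
            user.roles = roles_for_groups(groups)
        # The session is established whichever branch ran. With the buggy
        # setting this is where a new user ends up logged in with no roles.
        self.session = user
        return user

    def can_view_restricted(self) -> bool:
        """Restricted content requires at least one mapped role."""
        return self.session is not None and bool(self.session.roles)

    def logout(self) -> None:
        self.session = None


# Constructed assertion attributes for a new, privileged user.
ASSERTION = {"email": "alice@example.com", "groups": ["wiki-admins"]}


def first_login_grants_access(sync_on_register: bool) -> bool:
    """Step 1-2 of the report: fresh user, one login, try restricted page."""
    sp = ServiceProvider(sync_on_register)
    sp.handle_assertion(ASSERTION)
    return sp.can_view_restricted()


def second_login_grants_access(sync_on_register: bool) -> bool:
    """Step 3-4 of the report: log out, log in again, try restricted page."""
    sp = ServiceProvider(sync_on_register)
    sp.handle_assertion(ASSERTION)
    sp.logout()
    sp.handle_assertion(ASSERTION)
    return sp.can_view_restricted()


def roles_after_group_removal(sync_on_register: bool) -> set[str]:
    """Returning user whose IdP groups were emptied loses the mapped roles."""
    sp = ServiceProvider(sync_on_register)
    sp.handle_assertion(ASSERTION)
    sp.logout()
    sp.handle_assertion({"email": ASSERTION["email"], "groups": []})
    return sp.session.roles if sp.session else set()


if __name__ == "__main__":
    print("buggy  first login:", first_login_grants_access(False))
    print("buggy  second login:", second_login_grants_access(False))
    print("fixed  first login:", first_login_grants_access(True))
```

The report's other acceptable outcome, forcing an explicit login after registration, corresponds to not setting `self.session` in the registration branch; either way the invariant to check is that a session never exists for a user whose roles have not yet been derived from the current assertion.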

@ssddanbrown commented on GitHub (Oct 4, 2021):

Hi @EternalDeiwos,

Generally, the login and register flow for SAML are pretty aligned and run [through the same process](https://github.com/BookStackApp/BookStack/blob/v21.08.3/app/Auth/Access/Saml2Service.php#L385).

In your instance are email confirmation or domain restriction registration settings active? If so, email confirmation send issues could be something stopping the process before it gets to group syncing.

Might also be worth updating to the latest version of BookStack since there have been changes in authentication. Don't think they're anything that should affect this flow but could be a chance and it's better to debug on an up-to-date version.


@EternalDeiwos commented on GitHub (Oct 4, 2021):

Hey @ssddanbrown,

Neither of those settings is active. I'll update and see if that fixes it, but as you say it looks like that portion of code hasn't been touched in a while.


@ssddanbrown commented on GitHub (Nov 25, 2021):

Just come back to this to test and cannot reproduce. SAML-provided roles are assigned upon first login in my testing using a fresh user. Will therefore close this off but feel free to still raise or re-open a fresh issue if you're certain there's an issue on the BookStack side, on the latest release, that's possible for us to address.

Reference: starred/BookStack#2408