mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-10 19:06:16 +03:00
[Bug Report]: Custom (Admin) user role being lost when using SAML #2623
Closed · opened 2026-02-05 04:38:49 +03:00 by OVERLORD · 9 comments
Labels: 🐛 Bug
Originally created by @rwgs on GitHub (Feb 1, 2022).
Describe the Bug
I have SAML set up and working; however, after giving the admin role to a particular user, after a period of time (I haven't determined what), it appears the role reverts back to the default viewer-only role.
What could be causing this? Right now there are 2 users (1 non-SAML admin, which is used in this situation) and 1 SAML user (which should have admin, but doesn't).
Steps to Reproduce
This has happened on several occasions now, and each time I have to disable SAML, log in as the non-SAML admin, assign the admin role back to the SAML user, and then turn SAML back on again.
Expected Behaviour
Roles shouldn't change on their own.
I assume this shouldn't be happening, or do you know why it might be?
Screenshots or Additional Context
No response
Exact BookStack Version
21.12.3
PHP Version
7.4
Hosting Environment
IIS 10
@ssddanbrown commented on GitHub (Feb 1, 2022):
Hi @rwgs, Do you have the following options active?:
@rwgs commented on GitHub (Feb 1, 2022):
Yes both are active.
@ssddanbrown commented on GitHub (Feb 1, 2022):
@rwgs Those options are really the only things that would automatically affect SAML user group assignments.
Every time the user logs in their groups will be synced due to SAML2_USER_TO_GROUPS being active. The SAML2_REMOVE_FROM_GROUPS option will remove them from any BookStack roles that aren't matched up during the role-to-group sync.
I'm guessing this user is not part of a SAML group that matches with the BookStack admin role, so their admin role is being removed after login.
@ssddanbrown commented on GitHub (Feb 8, 2022):
Since there's been no follow-up I'm going to close this. If the issue remains and is something you still require to be fixed feel free to still comment here for this to be re-opened.
@jacac commented on GitHub (Nov 12, 2022):
Could we reopen this issue as a feature request rather than as a bug?
It would be great if the role sync feature could be used together with locally assigned roles. We have about 8 roles which cover about 400 users managed through OIDC, but we also have 40 roles which are managed in BookStack directly. Enabling role sync requires us to replicate those 40 roles, and all new roles, in OIDC. Setting sync to false means that I need to monitor all 400 users for any role change.
If we could make OIDC only manage the roles it assigned itself.
@rwgs commented on GitHub (Dec 23, 2022):
It seems like this issue is a copy of #2116 and I think the issue is the user I'm logging in with doesn't appear to be getting attached to the role I've created - I've set the external auth ID to both the actual group name as well as object ID from Azure, but nothing seems to work. What am I missing?
@ssddanbrown commented on GitHub (Dec 23, 2022):
@rwgs You can use the SAML2_DUMP_USER_DETAILS=true option, as mentioned in the debugging part of our docs, to dump out the SAML data to see exactly how the groups are being reported by Azure. The values that Microsoft uses for auth are commonly not sane/standard or as expected; best to see what it's actually providing.
@rwgs commented on GitHub (Dec 23, 2022):
Hi, where would I see this once turning it on?
@rwgs commented on GitHub (Dec 23, 2022):
Never mind - I just found this and it worked, so in case anyone else has this issue - that's what you need!
https://www.reddit.com/r/BookStack/comments/ut648u/saml_groups_with_azuread/
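Added example, not part of the issue thread and not BookStack's own code (which is PHP): a small Python model of the login-time role sync the maintainer describes above, covering both the "admin role lost" behaviour (SAML2_USER_TO_GROUPS plus SAML2_REMOVE_FROM_GROUPS with no matching group) and the later "external auth ID" fix (mapping a role to the group identifier the IdP actually sends, as seen in a SAML2_DUMP_USER_DETAILS dump). The matching rules (case-insensitive, trimmed, spaces turned into hyphens, comma-separated external auth IDs) are an approximation and are marked as assumptions in the code; the Azure AD group claim URI and the GUID values in the sample dump are constructed, as is the `Role` class and every function name.

```python
"""Model of BookStack's SAML group -> role sync, as described in this thread.

Constructed example; NOT BookStack's own (PHP) code.  Maps to these .env flags:
  SAML2_USER_TO_GROUPS=true       -> user_to_groups
  SAML2_REMOVE_FROM_GROUPS=true   -> remove_from_groups
  SAML2_GROUP_ATTRIBUTE=<claim>   -> the key read by groups_from_dump()
Matching details below are ASSUMPTIONS approximating the real behaviour.
"""
from dataclasses import dataclass


@dataclass
class Role:
    name: str                    # role display name in BookStack
    external_auth_id: str = ""   # comma-separated IdP group identifiers


def _norm(value: str) -> str:
    # ASSUMPTION: case-insensitive, trimmed, spaces become hyphens.
    return value.strip().lower().replace(" ", "-")


def match_groups_to_roles(groups, roles):
    """Names of roles matched by any of the user's IdP groups.

    A role with an external auth ID matches on any one of its comma-separated
    IDs; a role without one matches on its (normalised) display name.
    """
    wanted = {_norm(g) for g in groups}
    matched = []
    for role in roles:
        if role.external_auth_id:
            ids = {_norm(x) for x in role.external_auth_id.split(",")}
            if ids & wanted:
                matched.append(role.name)
        elif _norm(role.name) in wanted:
            matched.append(role.name)
    return matched


def sync_roles(current, groups, roles, user_to_groups, remove_from_groups,
               default_role="Viewer"):
    """Roles the user holds after a login, given the two sync flags."""
    if not user_to_groups:
        return sorted(current)                 # no sync at all
    matched = set(match_groups_to_roles(groups, roles))
    if remove_from_groups:
        # Unmatched roles are detached; the default role is re-attached.
        # This is the "admin reverts to viewer" path from the bug report.
        return sorted(matched | {default_role})
    return sorted(set(current) | matched)      # add-only sync


# Constructed sample of an Azure AD attribute dump: the group claim carries
# object IDs (GUIDs), not the display names an admin would expect.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ADMIN_GROUP_OID = "5c1f2e7a-0000-4000-8000-000000000001"   # constructed
SAMPLE_DUMP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":
        ["alice@example.test"],
    GROUP_CLAIM: [ADMIN_GROUP_OID, "7d3b9c10-0000-4000-8000-000000000002"],
}


def groups_from_dump(dump, attribute=GROUP_CLAIM):
    """Group values under the configured SAML2_GROUP_ATTRIBUTE key."""
    return list(dump.get(attribute, []))


def run_scenarios():
    """Same user, same IdP groups, four configurations."""
    viewer = Role("Viewer")
    readers = Role("Wiki Readers")
    admin_by_name = Role("Admin")                              # no external ID
    admin_by_oid = Role("Admin", external_auth_id=ADMIN_GROUP_OID)
    current = ["Admin", "Viewer"]            # role granted by hand in BookStack
    groups = groups_from_dump(SAMPLE_DUMP)   # what Azure actually sent
    by_name = [admin_by_name, readers, viewer]
    by_oid = [admin_by_oid, readers, viewer]
    return {
        "no_sync": sync_roles(current, groups, by_name, False, False),
        "sync_add_only": sync_roles(current, groups, by_name, True, False),
        "sync_remove_unmatched": sync_roles(current, groups, by_name, True, True),
        "sync_remove_oid_mapped": sync_roles(current, groups, by_oid, True, True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result}")
```

The third scenario reproduces the report: the role is granted locally, the IdP sends GUIDs that match no role by name, and the next login detaches Admin and leaves only the default role. The fourth shows the fix discussed at the end of the thread: once the Admin role's external auth ID is set to the GUID taken from the dump, the sync keeps it. The add-only scenario is what the later feature request asks for, and it has its own cost: a role removed at the IdP is never removed in BookStack.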