dump_user_details for SAML does not include groups in the attrs_after_parsing #4349

Closed
opened 2026-02-05 08:37:32 +03:00 by OVERLORD · 3 comments

Originally created by @akkornel on GitHub (Dec 2, 2023).

Describe the Bug

When debugging SAML login with SAML2_DUMP_USER_DETAILS (dump_user_details), in the attrs_after_parsing section, no group information is listed. This happens even if group sync (SAML2_USER_TO_GROUPS) is enabled.

Steps to Reproduce

  1. Configure Bookstack for SAML2: As part of the setup, make sure SAML2_GROUP_ATTRIBUTE is defined and SAML2_USER_TO_GROUPS is set to true, so that group sync is enabled.
  2. Log in via SAML2, through an IdP that provides groups.
  3. Check out the JSON that is returned at the end of the login process.

Expected Behaviour

In the attrs_from_idp part of the JSON, I see my group membership in the appropriate SAML attribute coming from the IdP.

I expect to see the parsed group membership in the attrs_after_parsing part of the JSON, but I do not.

Screenshots or Additional Context

It looks like the problem is within Saml2Service:processLoginCallback. In the JSON dump I see that attrs_after_parsing is coming from a call to getUserDetails, but getUserDetails is not providing a parsed list of groups.

Looking later in Saml2Service:processLoginCallback, I see the groups are being parsed later, after the JSON dump, by a call to getUserGroups.

I'm a new user of Bookstack, so even though I can see the cause of the problem, I don't know the best way of fixing it. Hence the report!

Browser Details

n/a

Exact BookStack Version

23.10.4

OVERLORD added the 🐛 Bug🚪 Authentication🏭 Back-End labels 2026-02-05 08:37:32 +03:00

@ssddanbrown commented on GitHub (Dec 2, 2023):

Thanks for reporting @akkornel,
I can see how someone may expect to see the groups within the parsed data when active, so I'll look to parse the groups out earlier if enabled, to allow them to be part of the dumped data.
Have assigned to address for the next feature release.


@ssddanbrown commented on GitHub (Dec 3, 2023):

This has now been addressed within 11853361b0, which will be part of the next feature release.
Thanks again @akkornel for raising.


@akkornel commented on GitHub (Dec 3, 2023):

That's awesome, thanks very much!
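
For anyone debugging group sync on a version where the dump behaves as reported above, the group values can still be read out of `attrs_from_idp` by hand. The helper below is an added example, not BookStack code and not from any participant in this thread: it takes the dumped JSON and the attribute name configured in `SAML2_GROUP_ATTRIBUTE`, lists the groups the IdP actually sent, and flags when the parsed section carries none. The sample dump, the `memberOf` attribute name, and the `groups` key looked up in `attrs_after_parsing` are assumptions; only the two top-level key names come from the issue.

```python
import json

# Constructed sample of the debug dump. Only the two top-level key names
# (attrs_from_idp, attrs_after_parsing) come from the issue; the attribute
# names and values are made up for illustration.
SAMPLE_DUMP = json.dumps({
    "attrs_from_idp": {
        "mail": ["alice@example.org"],
        "memberOf": ["wiki-editors", " wiki-admins ", "wiki-editors", ""],
    },
    "attrs_after_parsing": {"name": "Alice", "email": "alice@example.org"},
})


def idp_groups(dump: dict, group_attribute: str) -> list[str]:
    """Return the de-duplicated, trimmed group values the IdP sent, in order."""
    raw = dump.get("attrs_from_idp", {}).get(group_attribute)
    if raw is None:
        return []
    if isinstance(raw, str):  # tolerate a single value not wrapped in a list
        raw = [raw]
    seen, groups = set(), []
    for value in raw:
        name = str(value).strip()
        if name and name not in seen:
            seen.add(name)
            groups.append(name)
    return groups


def review_dump(dump_json: str, group_attribute: str, parsed_key: str = "groups") -> dict:
    """Compare what the IdP sent with what the parsed section shows.

    parsed_key is a hypothetical name for where parsed groups would appear.
    """
    dump = json.loads(dump_json)
    sent = idp_groups(dump, group_attribute)
    parsed = dump.get("attrs_after_parsing", {}).get(parsed_key)
    return {
        "attribute_present": group_attribute in dump.get("attrs_from_idp", {}),
        "groups_from_idp": sent,
        "groups_in_parsed": parsed,
        "parsed_missing_groups": bool(sent) and parsed is None,
    }


if __name__ == "__main__":
    print(json.dumps(review_dump(SAMPLE_DUMP, "memberOf"), indent=2))
```

An `attribute_present` of false points at the IdP release policy or a mismatched attribute name rather than at the dump itself.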

Reference: starred/BookStack#4349