Google SAML groups stopped syncing users #4949

Closed
opened 2026-02-05 09:28:48 +03:00 by OVERLORD · 6 comments

Originally created by @Jeffrey-FB on GitHub (Sep 11, 2024).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I have been using Google for SAML auth.
Everything has been working well.
Now today new groups we are creating will not sync users.
Is there a limit to how many user roles we can have?

I've looked at the logs and there doesn't seem to be anything in there.
Is there anywhere else I can get info on why this isn't working anymore?

Exact BookStack Version

v24.05.2

Log Content

No response

Hosting Environment

apache2, Ubuntu 24.04, SAML 2 to Google workspace.

OVERLORD added the 🐕 Support label 2026-02-05 09:28:48 +03:00

@ssddanbrown commented on GitHub (Sep 11, 2024):

> Is there a limit to how many user roles we can have?

No hard limits built in, but I don't advise inflating the number of roles beyond what's needed since they can have a performance impact.

> Is there anywhere else I can get info on why this isn't working anymore?

You can use the `SAML2_DUMP_USER_DETAILS=true` option to dump the fetched SAML details upon login. (This will stop login, so only enable temporarily during login).
Then double check if you're still getting group details provided in this data.


@bramFB commented on GitHub (Sep 12, 2024):

I've done extensive testing.
We have 10 groups/roles that work, and it seems everything created AFTER these first 10 does not sync.

Perhaps we have hit a limit?

We could work with just 10 roles, but it's less than ideal TBH.

10 doesn't seem that many, does it?


@Jeffrey-FB commented on GitHub (Sep 12, 2024):

@ssddanbrown We did the `SAML2_DUMP_USER_DETAILS=true` and it's not adding/showing the newer groups in the user dump,
i.e. group number 11 and up.

Could it be an issue if the user is a Viewer in one group but an Editor in another?
As the user is getting multiple Roles assigned.


@bramFB commented on GitHub (Sep 12, 2024):

Additional bit of info, one of the groups that DOESN'T work, is nested in a group that DOES.
In this case, the user gets the permissions of the working group/role.

But for any group that is outside of the first 10 created (could be coincidental) it doesn't work.

Another note (which we presume doesn't relate)
We previously had used LDAP, but switched to Google SAML.

It is possible (hard to confirm) that all the WORKING groups, were previously also LDAP/AD groups. They were then recreated in Google.
The non-working groups, were only ever created in Google.

Any clues there?


@ssddanbrown commented on GitHub (Sep 12, 2024):

> We did the SAML2_DUMP_USER_DETAILS=true and it's not adding/showing the newer groups, in the user dump.

@Jeffrey-FB Based upon that, then this is an issue with Google not providing the extra groups to BookStack in the first place. BookStack can't consider them if Google is not providing them.

Based [upon this page](https://support.google.com/a/answer/11143403?hl=en), the limit of groups in SAML responses for Google is 75, but you might need to ensure the groups are configured for the mapping?

@Jeffrey-FB commented on GitHub (Sep 17, 2024):

That did the trick thanks.

Reference: starred/BookStack#4949
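
The check the thread converges on (is the IdP actually asserting the group, or is the application failing to map it?) can be scripted against a decoded SAML assertion. This is an added example, not code from BookStack or from the thread participants; the attribute name `groups`, the group names and the sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of a decoded SAML assertion.
# Only parse assertions captured from your own IdP; for untrusted XML use
# a hardened parser such as defusedxml. No signature validation is done here.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alex@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>wiki-editors</saml:AttributeValue>
      <saml:AttributeValue> Wiki-Viewers </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def normalise(name):
    """Case- and whitespace-insensitive form, used only for comparison here."""
    return " ".join(name.split()).lower()

def asserted_groups(assertion_xml, group_attribute="groups"):
    """Return the group attribute values as the IdP sent them (trimmed)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", NS)]
    return values

def audit_groups(assertion_xml, expected, group_attribute="groups"):
    """Split expected groups into those the IdP asserted and those it did not."""
    sent = {normalise(g) for g in asserted_groups(assertion_xml, group_attribute)}
    return {
        "groups_received": bool(sent),  # False: attribute absent or empty
        "present": [g for g in expected if normalise(g) in sent],
        "missing": [g for g in expected if normalise(g) not in sent],
    }

if __name__ == "__main__":
    print(audit_groups(SAMPLE_ASSERTION,
                       ["wiki-editors", "wiki-viewers", "wiki-admins"]))
```

A group listed under `missing` was never asserted by the IdP, so the fix belongs in the IdP's group mapping rather than in the application's role configuration.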