
If not using SAML for Nextcloud groups, groups are removed from users when they log in #805

Closed
DoctorMcKay opened this issue Jan 23, 2024 · 5 comments · Fixed by #806
Comments

@DoctorMcKay

DoctorMcKay commented Jan 23, 2024

Steps to reproduce

  1. Create a user group in Nextcloud
  2. Log into Nextcloud via SAML
  3. Add the SAML user to the Nextcloud group
  4. Install or update to SSO & SAML Authentication 6.1.0
  5. Do not configure groups to be managed by SAML
  6. Log out and back in to the SAML user account
  7. Observe that the group has been removed

Expected behaviour

Groups should not be removed if Nextcloud is not configured to use SAML/SSO for user groups.

Actual behaviour

Groups (except admin) are removed.

Based on this check, I was able to work around the issue by creating a database-backed dummy user and adding them to each group.

Server configuration

Operating system: Ubuntu 22.04.3 LTS

Web server: nginx 1.18.0

Database: MySQL 8.0.35-0ubuntu0.22.04.1

PHP version: 8.1.20

Nextcloud version: 28.0.1

Where did you install Nextcloud from: Manually installed via web installer

List of activated apps:

Enabled:
  - activity: 2.20.0
  - circles: 28.0.0-dev
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contactsinteraction: 1.9.0
  - dav: 1.29.1
  - federatedfilesharing: 1.18.0
  - files: 2.0.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - forms: 4.0.0
  - impersonate: 1.15.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - nextcloud_announcements: 1.17.0
  - notifications: 2.16.0
  - notify_push: 0.6.8
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - photos: 2.4.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_saml: 6.1.0
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - bruteforcesettings: 2.8.0 (installed 2.2.0)
  - dashboard: 7.8.0 (installed 7.0.0)
  - encryption: 2.16.0
  - federation: 1.18.0 (installed 1.10.1)
  - files_external: 1.20.0
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - firstrunwizard: 2.17.0 (installed 2.9.0)
  - support: 1.11.0 (installed 1.3.0)
  - survey_client: 1.16.0 (installed 1.8.0)
  - suspicious_login: 6.0.0
  - twofactor_totp: 10.0.0-beta.2
  - user_ldap: 1.19.0
  - user_status: 1.8.1 (installed 1.0.1)
  - weather_status: 1.8.0 (installed 1.0.0)

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "28.0.1.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "US",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "skeletondirectory": "",
        "simpleSignUpLink.shown": false,
        "versions_retention_obligation": "auto, 365",
        "trashbin_retention_obligation": "auto, 365",
        "auth.webauthn.enabled": false,
        "app_install_overwrite": [
            "impersonate"
        ],
        "check_for_working_wellknown_setup": false
    }
}

Client configuration

Browser: Microsoft Edge 120.0.2210.121

Operating system: Windows 11 23H2 (Build 22631.3007)

Logs

Nextcloud log (data/owncloud.log)

Nothing relevant

Browser log

Not relevant
@blizzz
Member

blizzz commented Jan 23, 2024

Thank you for the report.

As a temporary workaround, if you add a dummy local user to the groups as well, does the group membership remain? Just reread and saw that you did that successfully ✔️

@blizzz
Member

blizzz commented Jan 23, 2024

P.S.: And you only have local groups and no group mapping from SAML configured?

@DoctorMcKay
Author

DoctorMcKay commented Jan 23, 2024

P.S.: And you only have local groups and no group mapping from SAML configured?

Correct, I'm not using group mapping from SAML at all, only assigning groups directly in Nextcloud. I've left the group mapping attribute and prefix blank.

image

@blizzz blizzz self-assigned this Jan 25, 2024
@epidemiaf1

epidemiaf1 commented Jan 26, 2024

I can confirm this is happening after updating SSO and SAML Authentication to v6.1.0. We authenticate users using Microsoft Azure AD, and as soon as a user logs into the Nextcloud website, they are automatically removed from the groups they were part of. We don't use SAML for group membership either.

{"reqId":"Su1qViCmpbcrwwFOI3zU","level":1,"time":"2024-01-26T11:08:02-05:00","remoteAddr":"REMOVED FOR PRIVACY","user":"--","app":"admin_audit","method":"POST","url":"/apps/user_saml/saml/acs","message":"User "REMOVED FOR PRIVACY" removed from group "REMOVED FOR PRIVACY"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0","version":"28.0.1.1","data":{"app":"admin_audit"}}
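The audit record above is the signature of the reported behaviour: an admin_audit "removed from group" event written while the SAML assertion consumer (ACS) request is being handled, with no logged-in session user. The script below is an added example, not code from user_saml or from this comment; it scans admin_audit log lines for exactly that pattern so an administrator can see which accounts lost which groups at SAML login and separate those from deliberate removals made through the admin UI. The sample lines are constructed to follow the shape of the record above with placeholder names and an RFC 5737 address, and the functions `parse_audit_line`, `find_saml_login_removals` and `summarize` are my own.

```python
"""Find Nextcloud group removals that happen during a SAML login (ACS request).

Added example for this issue; not part of the user_saml app. The sample log
lines at the bottom are constructed to match the admin_audit record quoted
in the report, with placeholder values.
"""
import json
import re
import sys
from collections import defaultdict

# admin_audit message for a membership removal, e.g.
#   User "alice" removed from group "staff"
REMOVED_RE = re.compile(r'^User "(?P<user>[^"]*)" removed from group "(?P<group>[^"]*)"$')

# Path of the user_saml assertion consumer service (taken from the log above).
SAML_ACS_PATH = "/apps/user_saml/saml/acs"


def parse_audit_line(line):
    """Decode one JSON log line; return None for non-JSON or non-object lines."""
    try:
        record = json.loads(line)
    except ValueError:
        return None
    return record if isinstance(record, dict) else None


def find_saml_login_removals(lines, acs_path=SAML_ACS_PATH):
    """Return (removals, skipped).

    removals: one dict per group removal logged while the ACS request was
    being processed, i.e. a removal triggered by the SAML login itself.
    skipped:  number of lines that were not parseable JSON records.
    """
    removals = []
    skipped = 0
    for line in lines:
        record = parse_audit_line(line)
        if record is None:
            skipped += 1
            continue
        if record.get("app") != "admin_audit":
            continue
        match = REMOVED_RE.match(record.get("message", ""))
        if not match:
            continue  # not a removal (e.g. an "added to group" event)
        # Depending on rewrite configuration the URL may carry an
        # /index.php prefix, so compare the tail of the path only.
        path = record.get("url", "").split("?", 1)[0]
        if not path.endswith(acs_path):
            continue  # removal made elsewhere, e.g. by an admin in the UI
        removals.append({
            "time": record.get("time"),
            "reqId": record.get("reqId"),
            "user": match.group("user"),
            "group": match.group("group"),
        })
    return removals, skipped


def summarize(removals):
    """Map each affected user to the sorted list of groups they lost."""
    by_user = defaultdict(set)
    for r in removals:
        by_user[r["user"]].add(r["group"])
    return {user: sorted(groups) for user, groups in by_user.items()}


# Constructed sample log lines (placeholder users, groups and address).
# Line 1 and 2: two removals inside one SAML login request (the reported bug).
# Line 3: a removal done by an admin in the settings UI, which is legitimate.
# Line 4: an "added to group" event during ACS, not a removal.
# Line 5: an ACS URL with the /index.php prefix.
# Line 6: a non-JSON line, which must be skipped rather than crash the scan.
SAMPLE_LOG = [
    '{"reqId":"req-0001","level":1,"time":"2024-01-26T11:08:02-05:00","remoteAddr":"203.0.113.10","user":"--","app":"admin_audit","method":"POST","url":"/apps/user_saml/saml/acs","message":"User \\"alice\\" removed from group \\"staff\\"","userAgent":"Mozilla/5.0","version":"28.0.1.1","data":{"app":"admin_audit"}}',
    '{"reqId":"req-0001","level":1,"time":"2024-01-26T11:08:02-05:00","remoteAddr":"203.0.113.10","user":"--","app":"admin_audit","method":"POST","url":"/apps/user_saml/saml/acs","message":"User \\"alice\\" removed from group \\"finance\\"","userAgent":"Mozilla/5.0","version":"28.0.1.1","data":{"app":"admin_audit"}}',
    '{"reqId":"req-0002","level":1,"time":"2024-01-26T11:10:44-05:00","remoteAddr":"203.0.113.20","user":"admin","app":"admin_audit","method":"DELETE","url":"/index.php/settings/users","message":"User \\"bob\\" removed from group \\"staff\\"","userAgent":"Mozilla/5.0","version":"28.0.1.1","data":{"app":"admin_audit"}}',
    '{"reqId":"req-0003","level":1,"time":"2024-01-26T11:12:01-05:00","remoteAddr":"203.0.113.30","user":"--","app":"admin_audit","method":"POST","url":"/apps/user_saml/saml/acs","message":"User \\"carol\\" added to group \\"staff\\"","userAgent":"Mozilla/5.0","version":"28.0.1.1","data":{"app":"admin_audit"}}',
    '{"reqId":"req-0004","level":1,"time":"2024-01-26T11:15:37-05:00","remoteAddr":"203.0.113.40","user":"--","app":"admin_audit","method":"POST","url":"/index.php/apps/user_saml/saml/acs","message":"User \\"dave\\" removed from group \\"external\\"","userAgent":"Mozilla/5.0","version":"28.0.1.1","data":{"app":"admin_audit"}}',
    'Jan 26 11:16:00 host nginx: not an audit record',
]


def main(argv):
    """Scan a log file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    else:
        lines = SAMPLE_LOG
    removals, skipped = find_saml_login_removals(lines)
    for user, groups in sorted(summarize(removals).items()):
        print(f"{user}: lost {', '.join(groups)} during SAML login")
    print(f"{len(removals)} removal(s) at ACS, {skipped} unparseable line(s)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the instance's audit log (`python3 find_acs_removals.py /path/to/audit.log`) after the 6.1.0 upgrade: any output at all means users lost groups as a side effect of logging in, and the listed groups are the ones to restore. Removals made by an administrator through the settings UI carry a different URL and a real session user, so they are deliberately not reported.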

@blizzz
Member

blizzz commented Jan 29, 2024

Proposed fix in #806
