Closed Jeffrey-FB closed 2 months ago
Is there a limit to how many user roles we can have?
No hard limits built in, but I don't advise inflating the number of roles beyond what's needed since they can have a performance impact.
Is there anywhere else I can get info on why this isn't working anymore?
You can use the SAML2_DUMP_USER_DETAILS=true option to dump the fetched SAML details upon login. (This will stop login, so only enable temporarily during login).
Then double check if you're still getting group details provided in this data.
I've done extensive testing. We have 10 groups/roles that work, and it seems everything created AFTER these first 10, do not sync.
Perhaps we have hit a limit?
We could work with just 10 roles, but it's less than ideal TBH.
10 doesn't seem that many does it?
@ssddanbrown We did the SAML2_DUMP_USER_DETAILS=true and it's not adding/showing the newer groups, in the user dump.
i.e. group number 11 and up
Could it be an issue if the user is a Viewer in one group but an Editor in another? As the user is getting multiple Roles assigned
Additional bit of info, one of the groups that DOESN'T work, is nested in a group that DOES. In this case, the user gets the permissions of the working group/role.
But for any group that is outside of the first 10 created (could be coincidental) it doesn't work.
Another note (which we presume doesn't relate) We previously had used LDAP, but switched to Google SAML.
It is possible (hard to confirm) that all the WORKING groups, were previously also LDAP/AD groups. They were then recreated in Google. The non-working groups, were only ever created in Google.
Any clues there?
We did the SAML2_DUMP_USER_DETAILS=true and it's not adding/showing the newer groups, in the user dump.
@Jeffrey-FB Based upon that, then this is an issue with Google not providing the extra groups to BookStack in the first place. BookStack can't consider them if Google is not providing them.
Based upon this page, the limit of groups in SAML responses for Google is 75, but you might need to ensure the groups are configured for the mapping?
That did the trick thanks.
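The check discussed in this thread (is the IdP actually sending the group?) can also be run offline against a decoded assertion. This is an added example, not part of the original thread and not BookStack code; the attribute name `groups`, the group names and the sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned assertion as an IdP might send it.
# Offline inspection only; this does not validate signatures or conditions.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>wiki-editors</saml:AttributeValue>
      <saml:AttributeValue> wiki-viewers </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def groups_in_assertion(xml_text, attribute_name="groups"):
    """Return the values of the named attribute, in document order."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def missing_groups(xml_text, expected, attribute_name="groups"):
    """Expected group names the IdP did not send (case-insensitive compare,
    which is this example's choice, not a statement about BookStack matching)."""
    received = {g.casefold() for g in groups_in_assertion(xml_text, attribute_name)}
    return sorted(g for g in expected if g.casefold() not in received)


if __name__ == "__main__":
    expected = ["wiki-editors", "wiki-viewers", "wiki-finance"]  # hypothetical roles
    print("received:", groups_in_assertion(SAMPLE_ASSERTION))
    print("missing: ", missing_groups(SAMPLE_ASSERTION, expected))
```

Any name reported as missing has to be fixed on the IdP side (group mapping), since the service provider never sees it.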
Attempted Debugging
Searched GitHub Issues
Describe the Scenario
I have been using Google for SAML auth. Everything has been working well. Now today new groups we are creating will not sync users. Is there a limit to how many user roles we can have?
I've looked at the logs and there doesn't seem to be anything in there. Is there anywhere else I can get info on why this isn't working anymore?
Exact BookStack Version
v24.05.2
Log Content
No response
Hosting Environment
apache2, Ubuntu 24.04, SAML 2 to Google workspace.