flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Managing groups with SSO/SAML - Removing existing groups #133

Closed dsmrt closed 2 years ago

dsmrt commented 3 years ago

Early in development we added a feature by request to merge the existing groups with new groups found in the SAML Response. The issue at the time was that an admin would add a group to the user manually and then the user would log in and lose the group.

Looking back on this, it was probably a bad way to implement group management. The default behavior should probably add the groups based on what is in the SAML Response and wipe any existing groups. So allow SSO/SAML to solely manage the groups.

Changes proposed are:

1. Include a passive config that allows implementers to skip merging the existing groups OR add a config to explicitly merge the groups.
2. Add an event that'd pass the groups to be added, and the existing user (and response) for more customized solutions as needed.

Note that you can update the user on login with an event to get around this: https://saml-sp.flipboxfactory.com/configure/events.html#assign-user-to-a-user-group-based-on-a-property

dsmrt commented 2 years ago

This has been released.

You can now add mergeExistingGroups to the config/saml-sp.php to turn off merging of the user groups. So set mergeExistingGroups to false if you want the groups to be FULLY MANAGED by SSO/SAML. For more information, go to: https://saml-sp.flipboxfactory.com/configure/groups.html

Also, I added an event for manipulating the groups before assignment. Details can be found here: https://saml-sp.flipboxfactory.com/configure/events.html#assign-user-to-a-user-group-based-on-a-property
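
An added example, not part of the thread and not the plugin's code: a small PHP model of the merge and replace behaviours discussed in this issue, run over constructed users, listing which locally held groups would be dropped once `mergeExistingGroups` is set to false. The function names and sample data are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Model of the two behaviours discussed in this issue (not the plugin's code).
 * $existing: groups the user already holds in the CMS
 * $asserted: groups carried in the SAML Response for this login
 */
function resolveGroups(array $existing, array $asserted, bool $mergeExistingGroups): array
{
    $result = $mergeExistingGroups
        ? array_merge($existing, $asserted)   // union: nothing is ever removed
        : $asserted;                          // the IdP is the sole source of groups
    $result = array_values(array_unique($result));
    sort($result);
    return $result;
}

/** Groups held locally that the assertion no longer carries. */
function groupDrift(array $existing, array $asserted): array
{
    $drift = array_values(array_diff($existing, $asserted));
    sort($drift);
    return $drift;
}

// Constructed sample data: username => [local groups, groups in latest assertion]
$users = [
    'alice' => [['editors', 'admins'], ['editors']],        // 'admins' revoked at the IdP
    'bob'   => [['editors', 'beta-testers'], ['editors']],  // 'beta-testers' added by hand
    'carol' => [['authors'], ['authors', 'editors']],       // IdP grants a new group
];

foreach ($users as $name => [$existing, $asserted]) {
    $merged   = resolveGroups($existing, $asserted, true);
    $replaced = resolveGroups($existing, $asserted, false);
    $drift    = groupDrift($existing, $asserted);
    printf(
        "%-6s merge=[%s] replace=[%s] removed-on-replace=[%s]\n",
        $name,
        implode(',', $merged),
        implode(',', $replaced),
        implode(',', $drift)
    );
}
```

Under merge, alice's revoked group and bob's hand-added group look identical, so a revocation at the IdP never takes effect locally; the drift list is what to review before switching to fully SSO-managed groups.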