nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

SAML groups not fully compatible with Group-folders app #833

Open jo-krk opened 5 months ago

jo-krk commented 5 months ago

Hi,

I'm not sure if it's a problem of Nextcloud Server, the user_saml app or the groupfolders app, but perhaps you could help me to identify that at least. Thanks!

Steps to reproduce

  1. Add user Bob to group group-A in your IDP (in my case: Keycloak)
  2. Log in with user Bob to Nextcloud
  3. group-A is now visible to admins in my-nextcloud.com/index.php/settings/users
  4. Configure a 'Group folder' for group-A in my-nextcloud.com/index.php/settings/admin/groupfolders, let's call it group-A-folder
  5. Create a new user Alice and add them to group group-A in the IDP, but do not log in with this user yet.
  6. Remove user Bob from group group-A
  7. Log out and log in again with user Bob
  8. Group group-A is no longer visible to admins in my-nextcloud.com/index.php/settings/users, because the last active user doesn't belong to it anymore (?)
  9. Check the 'Group folders' config (my-nextcloud.com/index.php/settings/admin/groupfolders): group-A-folder is still there, but as group-A is missing, it's assigned to "None" of the groups
  10. Log in with user Alice and confirm that the user can't see group-A-folder

Expected behaviour

Groups should be preserved even if the last active member has left the group.

Actual behaviour

Groups are dropped as soon as the last active member doesn't belong to the group anymore. That breaks compatibility with the groupfolders app, even though 'External storage' (my-nextcloud.com/index.php/settings/admin/externalstorages) preserves those groups.

Server configuration

Operating system: Ubuntu 22.04.2 LTS

Web server: Apache

Database: Mariadb

PHP version: 8.1

Nextcloud version: 28.0.4

List of activated apps:

Enabled:
  - activity: 2.20.0
  - admin_audit: 1.18.0
  - circles: 28.0.0
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contactsinteraction: 1.9.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - external: 5.3.1
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_external: 1.20.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - forms: 4.1.1
  - groupfolders: 16.0.6
  - impersonate: 1.15.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - nextcloud_announcements: 1.17.0
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - photos: 2.4.0
  - polls: 7.0.3
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - qownnotesapi: 24.4.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - support: 1.11.1
  - survey_client: 1.16.0
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_saml: 6.1.3
  - user_status: 1.8.1
  - viewer: 2.2.0
  - weather_status: 1.8.0
  - workflowengine: 2.10.0

blizzz commented 5 months ago

Groups are intentionally deleted by the SAML backend when they have no member anymore:

https://github.com/nextcloud/user_saml/blob/master/lib/GroupManager.php#L165-L171

jo-krk commented 5 months ago

Thank you for the reply @blizzz. Could you please suggest a solution for the situation I described in 'Steps to reproduce', when a user is pre-created but not really used yet? I don't see how the authors of groupfolders can address it if the group is really deleted from everywhere. And I'm even more surprised how 'External storage' kept this information about the groups, even after deletion?

Thanks

blizzz commented 4 months ago

> Could you please suggest a solution for the situation I described in 'Steps to reproduce', when a user is pre-created but not really used yet?

On the operational side, keep a ghost user inside.

Code-wise, I am tending towards a config flag to keep empty groups and check that setting before deleting them. Perhaps it would be sufficient to have this configurable via CLI only.

> And I'm even more surprised how 'External storage' kept this information about the groups, even after deletion?

Yes, that could be a bug report in the server repository.
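The following is an added example, written for this page; it is not code from user_saml, groupfolders or Nextcloud server. It models the interaction the thread describes: a SAML group backend that deletes a group once its last member is gone, a Group folders mapping that refers to groups by id, and the two remedies blizzz mentions (the "ghost user" workaround and a config flag to keep empty groups). The class names, the in-memory stores and the flag name `keep_empty_groups` are assumptions made for illustration; the model also assumes the folder-to-group assignment does not survive deletion of the group, which is the outcome reported at steps 9 and 10 but whose mechanism inside groupfolders the thread does not establish. `reproduce()` walks through the reporter's steps 1 to 10 and returns what an admin would observe at steps 8, 9 and 10.

```python
"""Model of "delete empty SAML groups" versus Group folders assignments.

Added example for this page, not code from user_saml, groupfolders or
Nextcloud server.  Class names, stores and the keep_empty_groups flag are
illustrative assumptions.
"""


class GroupBackend:
    """Stand-in for the server's group storage: gid -> set of member uids."""

    def __init__(self) -> None:
        self.members: dict[str, set[str]] = {}
        self.deleted_listeners = []  # callbacks invoked when a group is deleted

    def exists(self, gid: str) -> bool:
        return gid in self.members

    def delete(self, gid: str) -> None:
        del self.members[gid]
        for callback in self.deleted_listeners:
            callback(gid)


class SamlGroupSync:
    """On each login, replace the user's memberships with the groups the IdP
    asserts.  A group left without members is deleted, unless the
    (hypothetical) keep_empty_groups flag is set."""

    def __init__(self, backend: GroupBackend, keep_empty_groups: bool = False) -> None:
        self.backend = backend
        self.keep_empty_groups = keep_empty_groups

    def login(self, uid: str, asserted: set[str]) -> list[str]:
        """Apply the IdP assertion for `uid`; return the gids deleted as a result."""
        deleted: list[str] = []
        for gid in asserted:  # groups are created the first time they are asserted
            self.backend.members.setdefault(gid, set()).add(uid)
        for gid in list(self.backend.members):  # drop memberships no longer asserted
            if gid in asserted:
                continue
            self.backend.members[gid].discard(uid)
            if not self.backend.members[gid] and not self.keep_empty_groups:
                self.backend.delete(gid)
                deleted.append(gid)
        return deleted


class GroupFolders:
    """Folder -> set of gids.  The assignment is dropped when the group is
    deleted (assumption reproducing the reported outcome at steps 9 and 10)."""

    def __init__(self, backend: GroupBackend) -> None:
        self.backend = backend
        self.folders: dict[str, set[str]] = {}
        backend.deleted_listeners.append(self._on_group_deleted)

    def assign(self, folder: str, gid: str) -> None:
        if not self.backend.exists(gid):  # the admin UI only offers existing groups
            raise ValueError(f"group {gid} does not exist")
        self.folders.setdefault(folder, set()).add(gid)

    def _on_group_deleted(self, gid: str) -> None:
        for gids in self.folders.values():
            gids.discard(gid)

    def groups_for(self, folder: str) -> set[str]:
        return set(self.folders.get(folder, set()))

    def visible_to(self, folder: str, uid: str) -> bool:
        return any(uid in self.backend.members.get(g, set())
                   for g in self.folders.get(folder, set()))


def reproduce(keep_empty_groups: bool = False, ghost_user: bool = False) -> dict:
    """Run the reporter's steps 1-10.  ghost_user models the operational
    workaround of keeping a permanent member in the group."""
    backend = GroupBackend()
    sync = SamlGroupSync(backend, keep_empty_groups)
    folders = GroupFolders(backend)
    if ghost_user:
        sync.login("ghost", {"group-A"})
    sync.login("bob", {"group-A"})               # steps 1-3: group-A appears on Bob's login
    folders.assign("group-A-folder", "group-A")  # step 4
    # step 5: Alice is added to group-A in the IdP only; the backend has not seen her yet
    deleted = sync.login("bob", set())           # steps 6-7: Bob logs in again without group-A
    group_after_step_8 = backend.exists("group-A")
    folder_groups_after_step_9 = folders.groups_for("group-A-folder")
    sync.login("alice", {"group-A"})             # step 10: Alice's first login
    return {
        "deleted_on_bob_relogin": deleted,
        "group_exists_after_step_8": group_after_step_8,
        "folder_groups_after_step_9": folder_groups_after_step_9,
        "alice_sees_folder": folders.visible_to("group-A-folder", "alice"),
    }


if __name__ == "__main__":
    for label, kwargs in [("default", {}),
                          ("keep_empty_groups", {"keep_empty_groups": True}),
                          ("ghost user", {"ghost_user": True})]:
        print(label, reproduce(**kwargs))
```

The default run reproduces the report: group-A is deleted on Bob's re-login, the folder is left with no group, and Alice cannot see it even though her login recreates a group with the same id. Both the ghost-user run and the flag run keep group-A alive across Bob's departure, so the assignment survives and Alice sees the folder on her first login.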