Auto Group overrides for admin users not working when SSO enabled


Nextcloud version (eg, 20.0.5): 25.0.2
Operating system and version (eg, Ubuntu 20.04): 22.04.1
Apache or nginx version (eg, Apache 2.4.25): 2.4.52
PHP version (eg, 7.4): 8.1.2

The issue you are facing:
After configuring SSO with SimpleSAMLphp, the SSO logins work as expected, and the attribute mappings all work. Addtionally, we’re forcing the users into a group “SSOUSERS” via the mapped attribute, and it works great. However, we have one issue. If I add an already created user (myself for example) to a different group (say the admin group), whenever that user logs in, it removes them from the admin group and overwrites all group membership with “SSOUSERS”. I’ve tried every combination of settings in the “Additional Settings” menu for group overrides, but nothing seems to prevent it. Also, the admin email receives the update that the user was ‘successfully removed from the group admin’. Anyone have a work around for this?

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

  1. Setup SSO correctly w/ option to pass group membership
  2. Add created user to “admin” group and set “override” for autogroup
  3. Once user logs in, they are no longer in the admin group

The output of your Nextcloud log in Admin > Logging:

No related errors in logs

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => 'xxxxinstanceidxxxx',
  'passwordsalt' => 'xxxxsaltxxxx',
  'secret' => 'xxxxsecretxxxx',
  'trusted_domains' =>
  array (
    0 => '',
  'log_type' => 'file',
  'logfile' => 'nextcloud.log',
  'loglevel' => 0,
  'logdateformat' => 'F d, Y H:i:s',
  'default_phone_region' => 'US',
  'datadirectory' => '/data/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => '',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxxxxxxx',
  'dbpassword' => 'xxxxxxxx',
  'installed' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => 6379,
  'app_install_overwrite' =>
  array (
    0 => 'integration_moodle',
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'ncadmin',
  'mail_domain' => '',
  'mail_smtphost' => '',
  'mail_smtpport' => '25',
  'maintenance' => false,

The output of your Apache/nginx/system log in /var/log/____:

PHP Warning:  Module "imagick" is already loaded in Unknown on line 0
[Tue Jan 17 00:00:00.793803 2023] [mpm_prefork:notice] [pid 1415] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Tue Jan 17 00:00:00.793820 2023] [core:notice] [pid 1415] AH00094: Command line: '/usr/sbin/apache2'

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.