Group memberships not updated if logged-in via SAML on NC 21, working on NC 20 and below

Hi guys,

Since Nextcloud 21 I’ve had a problem with group memberships not getting updated from SAML. I use Keycloak 12 as my Identity Provider and the “SAML & SSO authentication” app (v 4.1.0). My users can log in without any problems (i.e. the connection between Keycloak and Nextcloud is working), but after the login the group assignments (taken from the attribute “roles”) are not updated.

This problem only occurs on my NC 21 installation. Another test setup running 20.0.7 (only local, thus not yet updated to 20.0.9) and the “SAML & SSO authentication” app (v 3.3.4) works flawlessly. Both Keycloak clients (in my test system and the production system) are configured identically; the SAML apps differ only in the IdP certificate used (because my Keycloak test system uses a different key and certificate).

With a log level of 0 (debug) I could see that the “SAML & SSO authentication” app retrieves the right groups:
Group attribute content: [\"role1\",\"role5\"]"
Those are exactly the groups that I configured for this user.

While digging deeper to find the reason for this problem I discovered something else which is perhaps of relevance:
I enabled the LDAP server, which I know worked flawlessly with Nextcloud 19, and saw that the same problem (no group synchronization upon login) also occurs there, but the Nextcloud cron job, which runs every five minutes, fixed that.
With Nextcloud 19 the groups got updated immediately after a fresh login, so I didn’t have to wait for the cron job to run.

Does anybody have an idea what changed with NC 21 and how to fix this?

Nextcloud version: 21.0.1
Operating system and version: Ubuntu 20.04.2
Apache or nginx version: nginx/1.18.0 (Ubuntu)
PHP version: 7.4.3