
SAML: User loses group permissions on login #6147

Open
detritus opened this issue Jun 3, 2024 · 3 comments
detritus commented Jun 3, 2024

Describe the bug
This bug seems to be limited to a single user but has occurred on two separate installations of MeshCentral. We previously had this issue on our test system, and it is now occurring on our new production system. When a specific user logs in via SSO/SAML, the user account appears to lose all assigned devices, as if the user account had been recreated. We do not have this issue with any other users, but have no evidence that would help us narrow down the issue any further.

To Reproduce
Steps to reproduce the behavior:

  1. Assign user to a group
  2. User logs in
  3. User loses all group permissions

Expected behavior
User should be able to log in and device details should be preserved.

Server Software (please complete the following information):

  • OS: RockyLinux 9.4
  • Virtualization: N/A
  • Network: LAN
  • Version: 1.1.24
  • Node: 16.20

Client Device (please complete the following information):

  • Device: PC
  • OS: Windows 10
  • Network: LAN
  • Browser: Unknown
  • MeshCentralRouter Version: N/A

Remote Device (please complete the following information):
N/A

Additional context

utc time type action user device message  
2024-06-03T08:56:52.568Z 03/06/2024, 09:56:52 relay relaylog USER DEVICE Ended desktop session tz4sgfg70vc" from x.x.x.x to x.x.x.x - 7 second(s)"  
2024-06-03T08:56:45.426Z 03/06/2024, 09:56:45 node agentlog USER DEVICE Started remote desktop without notification (x.x.x.x)  
2024-06-03T08:56:45.379Z 03/06/2024, 09:56:45 relay relaylog USER DEVICE Started desktop session tz4sgfg70vc" from x.x.x.x to x.x.x.x" # User accesses device
2024-06-03T08:56:26.106Z 03/06/2024, 09:56:26 user accountchange ADMIN   Changed user device rights for USER  
2024-06-03T08:56:26.106Z 03/06/2024, 09:56:26 node changenode ADMIN DEVICE Changed user device rights for DEVICE  
2024-06-03T08:56:13.912Z 03/06/2024, 09:56:13 mesh meshchange USER   Added user USER to device group GROUP # User re-assigned to group
2024-06-03T08:56:13.911Z 03/06/2024, 09:56:13 user accountchange ADMIN   Device group membership changed: USER  
2024-06-03T07:19:36.863Z 03/06/2024, 08:19:36 user login USER   Account login  
2024-06-03T07:19:36.861Z 03/06/2024, 08:19:36 user accountchange USER   Account changed # Account changed? User can no longer access device
2024-05-22T10:56:15.551Z 22/05/2024, 11:56:15 relay relaylog USER DEVICE Ended desktop session i73dwc7kl7" from x.x.x.x to x.x.x.x - 1964 second(s)"  
2024-05-22T10:23:30.775Z 22/05/2024, 11:23:30 node agentlog USER DEVICE Started remote desktop without notification (x.x.x.x)  
2024-05-22T10:23:30.731Z 22/05/2024, 11:23:30 relay relaylog USER DEVICE Started desktop session i73dwc7kl7" from x.x.x.x to x.x.x.x" # User accesses device
2024-05-22T10:23:24.758Z 22/05/2024, 11:23:24 user login USER   Account login  
2024-05-22T08:56:12.318Z 22/05/2024, 09:56:12 mesh meshchange USER   Added user USER to device group GROUP # User assigned to group
2024-05-22T08:56:12.317Z 22/05/2024, 09:56:12 user accountchange ADMIN   Device group membership changed: USER  
2024-05-22T08:48:36.519Z 22/05/2024, 09:48:36 user login USER   Account login  
2024-05-22T08:48:36.517Z 22/05/2024, 09:48:36 user accountcreate USER   Account created - username is USER  

Your config.json file

{
  "settings": {
    "cert": "mymesh.co.uk"
  },
  "domains": {
    "": {
      "authStrategies": {
        "saml": {
          "callbackUrl": "https://mymesh.co.uk/auth-saml-callback",
          "entityid": "mymesh.co.uk",
          "idpurl": "https://mysaml.co.uk/adfs/ls",
          "cert": "mycert.pem"
        }
      },
      "newAccounts": true,
      "showPasswordLogin": false,
      "title": "ORG",
      "title2": "ORG",
      "welcomePicture": "welcome.png",
      "footer": "Contact <a href=\"mailto:xxx\">xxx</a> for technical support."
    }
  }
}
@detritus detritus added the bug label Jun 3, 2024
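An added example, not from the issue or from MeshCentral itself: it parses rows in the layout of the event export above and flags logins that land within a few seconds of an accountcreate or accountchange on the same user, which is the pattern visible in the table (the "Account changed" row two milliseconds before the login that lost the device rights). The column regex and the window length are assumptions, and the sample rows are constructed from the table above.

```python
import re
from collections import namedtuple
from datetime import datetime, timezone

# Assumed column layout of the export quoted above:
# utc | local time | type | action | user | device (blank for user events) | message
LINE_RE = re.compile(
    r"^(?P<utc>\S+) (?P<local>\d\d/\d\d/\d{4}, \d\d:\d\d:\d\d) "
    r"(?P<type>\S+) (?P<action>\S+) (?P<user>\S+) "
    r"(?:(?P<device>\S+) |\s+)(?P<message>.*)$")
Event = namedtuple("Event", "when action user message")

def parse_line(line):
    """Parse one export row; returns None for the header or malformed rows."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["utc"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return Event(when, m["action"], m["user"], m["message"].strip())

def find_rewritten_logins(lines, window_s=5.0):
    """Return (login, trigger) pairs: logins preceded within window_s seconds by an
    accountcreate or accountchange on the same user. accountcreate on the very first
    SSO login is expected; accountchange on a later login is the anomaly reported."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.when)
    hits = []
    for i, ev in enumerate(events):
        if ev.action != "login":
            continue
        for prev in reversed(events[:i]):  # walk back until outside the window
            if (ev.when - prev.when).total_seconds() > window_s:
                break
            if prev.user == ev.user and prev.action in ("accountcreate", "accountchange"):
                hits.append((ev, prev))
                break
    return hits

# Constructed sample rows in the export's format (a subset of the issue's table).
SAMPLE = """\
utc time type action user device message
2024-06-03T07:19:36.863Z 03/06/2024, 08:19:36 user login USER   Account login
2024-06-03T07:19:36.861Z 03/06/2024, 08:19:36 user accountchange USER   Account changed
2024-05-22T10:23:24.758Z 22/05/2024, 11:23:24 user login USER   Account login
2024-05-22T08:56:12.318Z 22/05/2024, 09:56:12 mesh meshchange USER   Added user USER to device group GROUP
2024-05-22T08:56:12.317Z 22/05/2024, 09:56:12 user accountchange ADMIN   Device group membership changed: USER
2024-05-22T08:48:36.519Z 22/05/2024, 09:48:36 user login USER   Account login
2024-05-22T08:48:36.517Z 22/05/2024, 09:48:36 user accountcreate USER   Account created - username is USER
""".splitlines()
```

Running `find_rewritten_logins(SAMPLE)` on the sample returns two pairs: the expected accountcreate on the first login, and the accountchange on the 3 June login that preceded the loss of device rights.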
si458 (Collaborator) commented Jun 3, 2024

can you run it with the authlog debug at all for me and replicate ur issue in various ways?
node node_modules/meshcentral --debug authlog
the logs from the console will show login attempts, group permissions from saml, userid, etc

detritus (Author) commented Jun 3, 2024

Can this be set in the config anywhere to generate a log file? As the issue occurs intermittently, it won't be easy to monitor directly via the console.

si458 (Collaborator) commented Jun 3, 2024

in theory

  1. if you set authLog: "/mypath/mylog.log" under settings in your config.json,
    it should generate an authlog which u can check for auth issues
  2. if you set log: "authlog,web" under settings in your config.json
    it should create a log.txt file with all the authlog and web events

@detritus detritus changed the title SAML: User gets loses group permissions on login SAML: User loses group permissions on login Jun 22, 2024