SSO users aren't automatically added to email domain-based groups

(Barry van Oudtshoorn) #1

When a user is created via SSO, it appears that their membership in groups based on their email domain isn’t firing.

That is, I have a group set up like so:

…but users coming in via SSO don’t seem to be added to this group automatically:



It looks as though there was a discussion around this last year in relation to the “moderator” SSO flag and membership:

…but this is about everyday, run-of-the-mill users who I want to be in a group so they get flair and specific category access.

Automatic custom group assignment not working automatically

I have the same issue. It seems that unregistered users who used SSO to login cannot be added automatically to groups!

UPDATE: now I can identity four use cases:

1/ New users without account validation: users are not automatically added to groups
2/ New users with account validation: users will be added automatically to groups

3/ Existing users (provisioned by the SSO engine): users are not automatically added to groups
3/ Existing users (fully registered): users are added automatically to groups

When enabling SSO (with no account validation) it seems that the “auto-assign user to group” feature is turned off.

Is this the expected behavior? If not is there a workaround.



@barryvan did you find a workaround for this issue?

(Matthew Brown) #5

Hi @sebastien,

When you are generating your SSO payload, you can set the add_groups field based on your user’s email, where add_groups is a comma delimited string of groups. I haven’t seen any documentation on this but the code is pretty clear:

That was our workaround to this issue and it has been working so far.


It works but I had to add some custom code to our SSO engine :(!

Thx for the help!


(Alex Armstrong) #8

I just came across some weird behavior that’s probably related to this bug as well. I’ll look into including groups in the payload, as suggested.

(Régis Hanol) #9

This has been fixed a while ago

(Régis Hanol) #10