
Directory synchronization in OpenID is impacting users created manually

Open maxime-morel opened this issue 2 months ago • 3 comments

Describe the bug
When "Directory synchronization" is enabled and User Behavior is set to "Disable", the Directory Synchronization will also disable users NOT created from the external SSO.

To Reproduce
Steps to reproduce the behavior:

  1. Enable OpenID
  2. Get users registered from the external SSO (OpenID) and also manually without OpenID.
  3. Enable Directory synchronization with "Disable" user behavior
  4. Notice that users created manually will be disabled

Only users registering from the external SSO should be impacted by the synchronization.

Version information

  • Defguard Core version: v1.5.1

maxime-morel avatar Sep 26 '25 09:09 maxime-morel

Hi @maxime-morel, this is not a bug but our intentional implementation. All current customers, when enabling directory sync, expect it to behave like this. Since the external SSO is the main user directory, defguard MUST reflect that: if a user is not available there, it needs to be disabled.

And it seems reasonable.

You can change that so that Defguard is the main source - then those users created internally will be reflected and created in that directory.

We see no other ways it could work.

Do you?

teon avatar Sep 26 '25 11:09 teon

Hello @teon , I see! Now I understand. So the system cannot support users not part of the OpenID domain when Directory Synchronization is enabled.

That will not be required for our specific case if you implement https://github.com/DefGuard/defguard/issues/1603 . In which case our current "external" users (users created manually) will be part of a second OpenID account. I just suppose that you may have companies that would consider adding external users to their system which are not part of their OpenID accounts.

To give you a specific use case: a company using Defguard as the VPN solution for their employees (enrolled with OpenID) as well as for external users that require access to company resources.

I have a few suggestions on implementation if you decide to move this issue to a feature request in the future, for example:

Solution 1:

  • Checking during the enrollment if the user is part of one of the OpenID accounts, and flagging it accordingly
  • Considering all other users as external
  • Ignoring external users during the sync

Solution 2:

  • Associating domain names to the OpenID settings (OpenID 1 : test1.com, test2.com, OpenID 2: test3.com)
  • During enrollment, checking if the user's domain is part of one of these lists

Solution 3:

  • Adding an option to the configuration of users to ignore a specific user from the directory synchronization

maxime-morel avatar Sep 26 '25 11:09 maxime-morel

@maxime-morel I would extend Solution 1 and add a setting: "Ignore users enrolled via Defguard internal SSO when Directory Synchronization is enabled" - this way you can choose to enable this setting and others don't have to.

teon avatar Oct 01 '25 12:10 teon
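The following is an added example, not code from the defguard project or from anyone in this thread. It sketches, in Rust (assumed because defguard core is written in Rust), how the three proposals above and teon's extended Solution 1 could fit together in one "Disable" sync pass: accounts are tagged with an origin at enrollment (Solution 1, with Solution 2's domain-to-provider list as a fallback), a per-user exemption flag exists (Solution 3), and an `ignore_internal_users` setting decides whether manually created accounts are in scope at all. Every type and function name here (`Origin`, `User`, `SyncSettings`, `classify_enrollment`, `run_disable_sync`) is hypothetical; the sample users and the set of identities "still present in the IdP" are constructed for the example.

```rust
use std::collections::{HashMap, HashSet};

/// Where an account came from. Hypothetical model for this example only.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Origin {
    /// Enrolled through an external OpenID provider (local provider id).
    ExternalSso(u32),
    /// Created manually by an admin or enrolled via the internal SSO.
    Internal,
}

#[derive(Clone, Debug)]
struct User {
    username: String,
    email: String,
    origin: Origin,
    /// Solution 3: per-user opt-out from directory sync.
    sync_exempt: bool,
    active: bool,
}

/// Sync configuration. `ignore_internal_users` is the proposed setting;
/// `provider_domains` is Solution 2's "OpenID 1: test1.com, test2.com" list.
struct SyncSettings {
    ignore_internal_users: bool,
    provider_domains: HashMap<u32, Vec<&'static str>>,
}

/// Solution 2: which provider owns this e-mail domain, if any.
fn provider_for_email(settings: &SyncSettings, email: &str) -> Option<u32> {
    let domain = email.rsplit_once('@')?.1;
    settings.provider_domains.iter().find_map(|(id, domains)| {
        domains.iter().any(|d| d.eq_ignore_ascii_case(domain)).then_some(*id)
    })
}

/// Solutions 1 + 2 at enrollment time: tag the account with its origin.
/// `via_provider` is Some(id) when the enrollment itself came through OpenID;
/// otherwise the domain list decides, and anything unmatched is Internal.
fn classify_enrollment(settings: &SyncSettings, email: &str, via_provider: Option<u32>) -> Origin {
    via_provider
        .or_else(|| provider_for_email(settings, email))
        .map_or(Origin::Internal, Origin::ExternalSso)
}

/// Is this user subject to the "Disable" behaviour at all?
fn in_sync_scope(settings: &SyncSettings, user: &User) -> bool {
    if user.sync_exempt {
        return false;
    }
    match user.origin {
        Origin::ExternalSso(_) => true,
        Origin::Internal => !settings.ignore_internal_users,
    }
}

/// One sync pass with user behaviour "Disable". `present` holds the
/// (provider id, e-mail) pairs the IdP currently returns; in-scope users
/// missing from it are disabled. Returns the usernames that were disabled.
fn run_disable_sync(settings: &SyncSettings, users: &mut [User], present: &HashSet<(u32, String)>) -> Vec<String> {
    let mut disabled = Vec::new();
    for user in users.iter_mut().filter(|u| u.active) {
        if !in_sync_scope(settings, user) {
            continue;
        }
        let still_in_directory = match user.origin {
            Origin::ExternalSso(id) => present.contains(&(id, user.email.to_ascii_lowercase())),
            // Internal users are never listed by the IdP, so with the setting
            // off they are disabled on every pass: the behaviour reported above.
            Origin::Internal => false,
        };
        if !still_in_directory {
            user.active = false;
            disabled.push(user.username.clone());
        }
    }
    disabled
}

fn sample_settings(ignore_internal_users: bool) -> SyncSettings {
    SyncSettings {
        ignore_internal_users,
        provider_domains: HashMap::from([(1, vec!["test1.com", "test2.com"])]),
    }
}

/// Constructed sample: alice is still in the IdP, bob was removed from it,
/// carol is a manually created contractor, dave is domain-matched but exempt.
fn sample_users(settings: &SyncSettings) -> (Vec<User>, HashSet<(u32, String)>) {
    let mk = |name: &str, email: &str, via: Option<u32>, exempt: bool| User {
        username: name.to_string(),
        email: email.to_string(),
        origin: classify_enrollment(settings, email, via),
        sync_exempt: exempt,
        active: true,
    };
    let users = vec![
        mk("alice", "alice@test1.com", Some(1), false),
        mk("bob", "bob@test1.com", Some(1), false),
        mk("carol", "carol@contractor.example", None, false),
        mk("dave", "dave@test2.com", None, true),
    ];
    let present = HashSet::from([(1, "alice@test1.com".to_string())]);
    (users, present)
}

fn main() {
    for flag in [false, true] {
        let settings = sample_settings(flag);
        let (mut users, present) = sample_users(&settings);
        let disabled = run_disable_sync(&settings, &mut users, &present);
        println!("ignore_internal_users={flag}: disabled {disabled:?}");
    }
}
```

With the setting off, the pass disables both bob (removed from the IdP) and carol (never in the IdP), which is exactly the complaint in the original report; with it on, only bob is disabled. Note that the exemption flag is checked before anything else, so an exempt IdP user is left alone even after the IdP drops them, which is a deliberate trade-off an operator enabling Solution 3 should be aware of.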