nextcloud · blizzz · Dec 2, 2025 · Dec 2, 2025 · Dec 3, 2025 · Dec 3, 2025
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -82,7 +82,7 @@ jobs:
           MYSQL_ROOT_PASSWORD: rootpassword
         options: --health-cmd="mysqladmin ping" --health-interval 5s --health-timeout 2s --health-retries 5
       directory:
-        image: ghcr.io/nextcloud/continuous-integration-user_saml-dirsrv:latest # zizmor: ignore[unpinned-images]
+        image: ghcr.io/nextcloud/continuous-integration-user_saml-dirsrv:2
         ports:
           - 389:3389/tcp
         options:

@@ -20,7 +20,7 @@ The following providers are supported and tested at the moment:
 	* Any other provider that authenticates using the environment variable
 
 While theoretically any other authentication provider implementing either one of those standards is compatible, we like to note that they are not part of any internal test matrix.]]></description>
-	<version>7.1.0</version>
+	<version>7.1.1</version>
 	<licence>agpl</licence>
 	<author>Lukas Reschke</author>
 	<namespace>User_SAML</namespace>

diff --git a/lib/GroupManager.php b/lib/GroupManager.php
@@ -157,7 +157,23 @@ protected function assignUserToGroup(IUser $user, string $gid): void {
 			$providerId = $this->settings->getProviderId();
 			$settings = $this->settings->get($providerId);
 			$groupPrefix = $settings['saml-attribute-mapping-group_mapping_prefix'] ?? SAMLSettings::DEFAULT_GROUP_PREFIX;
-			$group = $this->createGroupInBackend($groupPrefix . $gid, $gid);
+
+			$newNextcloudGroupId = $groupPrefix . $gid;
+			if (strlen($newNextcloudGroupId) > 64) {
+				$newNextcloudGroupId = $groupPrefix . hash('tiger192,4', $gid);
+				if (strlen($newNextcloudGroupId) > 64) {
+					Server::get(LoggerInterface::class)->error(
+						'Cannot create group ID as it is too long. Original name from SAML is {name}',
+						[
+							'app' => 'user_saml',
+							'name' => $gid,
+						]
+					);
+					return;
+				}
+			}
+
+			$group = $this->createGroupInBackend($newNextcloudGroupId, $gid);
 		}
 
 		$group->addUser($user);

diff --git a/lib/Migration/Version6000Date20220912152700.php b/lib/Migration/Version6000Date20220912152700.php
@@ -39,7 +39,7 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 			]);
 			$table->addColumn('saml_gid', Types::STRING, [
 				'notnull' => true,
-				'length' => 64,
+				'length' => 255,
 				'default' => '',
 			]);
 			$table->setPrimaryKey(['gid']);

diff --git a/lib/Migration/Version7001Date20251203110627.php b/lib/Migration/Version7001Date20251203110627.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\User_SAML\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use Override;
+
+class Version7001Date20251203110627 extends SimpleMigrationStep {
+
+	#[Override]
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		$schema = $schemaClosure();
+
+		if (!$schema->hasTable('user_saml_groups')) {
+			return null;
+		}
+
+		$groupsTable = $schema->getTable('user_saml_groups');
+		$samlGidColumn = $groupsTable->getColumn('saml_gid');
+		if ($samlGidColumn->getLength() < 255) {
+			$samlGidColumn->setLength(255);
+			return $schema;
+		}
+		return null;
+	}
+}
diff --git a/tests/integration/features/Shibboleth.feature b/tests/integration/features/Shibboleth.feature
diff --git a/tests/integration/features/bootstrap/FeatureContext.php b/tests/integration/features/bootstrap/FeatureContext.php
@@ -597,19 +597,32 @@ public function theEnvironmentVariableIsSetTo($key, $value) {
 	 * @Given /^the group "([^"]*)" should exists$/
 	 */
 	public function theGroupShouldExists(string $gid): void {
-		$response = shell_exec(
+		$groupInfo = $this->fetchGroupInfo($gid);
+		if (!isset($groupInfo['groupID']) || $groupInfo['groupID'] !== $gid) {
+			throw new UnexpectedValueException('Group does not exist');
+		}
+	}
+
+	/**
+	 * @Then the group :gid has the display name :expectedDisplayName
+	 */
+	public function theGroupHasTheDisplayName(string $gid, string $expectedDisplayName): void {
+		$groupInfo = $this->fetchGroupInfo($gid);
+		if (!isset($groupInfo['displayName']) || $groupInfo['displayName'] !== $expectedDisplayName) {
+			throw new UnexpectedValueException('The group`s display name does not match');
+		}
+	}
+
+	protected function fetchGroupInfo(string $gid): ?array {
+		$groupInfoOutput = shell_exec(
 			sprintf(
 				'%s %s group:info --output=json "%s"',
 				PHP_BINARY,
 				__DIR__ . '/../../../../../../occ',
 				$gid
 			)
 		);
-
-		$responseArray = json_decode($response, true);
-		if (!isset($responseArray['groupID']) || $responseArray['groupID'] !== $gid) {
-			throw new UnexpectedValueException('Group does not exist');
-		}
+		return json_decode($groupInfoOutput, true);
 	}
 
 	/**