Azure SAML & organization permissions

Hi everyone,

I’ve got a strange issue that I can’t seem to figure out. We have configured SAML authentication via Azure for our Grafana setup. Within Grafana, we use organizations where certain engineers have access to certain organizations.

On a weekly basis, I get calls from engineers that their access rights on random orgs have disappeared (not all orgs, just some). I then have to set the access rights again.

For example, Engineer Ted has access to the graphs of org A (the main org), B, C and F. I set the rights and everything is ok. A few days later when Ted logs in again, the access rights for B and F have disappeared. Other times, the access rights for B, C and F are missing and he only has access to org A.

Ted always uses the same browser from the same laptop.

It almost looks like the user account in Grafana is being overwritten when the user logs in, but then you would think all of the permissions would be lost (which is not the case here).

When I start the debug log, I see the following entry when I log in:

lvl=dbug msg="Removing user's organization membership as part of syncing with OAuth login" logger=login.ext_user userId=2 orgId=7

That must be the reason, but how can I disable that?

All right, it took me some time, but I managed to fix it.

I’ve switched from the Azure AD OAuth module to the Generic OAuth module. Here, we don’t have the issue :slight_smile:

1 Like
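
To see which memberships the login sync is dropping, the debug entry quoted in the first post can be tallied per user and org. This is an added example, not part of the original thread and not Grafana's own code; the sample log lines and timestamps are constructed, and the function names are hypothetical.

```python
import shlex
from collections import defaultdict

# Message text and logger name taken from the debug entry quoted in the thread.
REMOVAL_MSG = "Removing user's organization membership as part of syncing with OAuth login"
REMOVAL_LOGGER = "login.ext_user"

# Constructed sample lines (not real output); the fourth keeps the curly quotes
# that forum software substitutes when a log line is pasted as plain text.
SAMPLE_LOG = '''\
t=2021-03-01T08:00:01+0000 lvl=dbug msg="Removing user's organization membership as part of syncing with OAuth login" logger=login.ext_user userId=2 orgId=7
t=2021-03-01T08:00:01+0000 lvl=dbug msg="Removing user's organization membership as part of syncing with OAuth login" logger=login.ext_user userId=2 orgId=9
t=2021-03-01T08:05:12+0000 lvl=info msg="Successful Login" logger=http.server userId=5
lvl=dbug msg=“Removing user’s organization membership as part of syncing with OAuth login” logger=login.ext_user userId=5 orgId=7
this line is not key=value "and has an unbalanced quote
'''

_NORMALIZE = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})


def parse_logfmt(line):
    """Return a dict of key=value fields, or None if the line cannot be parsed."""
    try:
        tokens = shlex.split(line.translate(_NORMALIZE))
    except ValueError:  # unbalanced quotes, e.g. a truncated line
        return None
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    return fields or None


def removed_memberships(log_text):
    """Map userId -> sorted orgIds whose membership the login sync removed."""
    removed = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        if not fields or fields.get("msg") != REMOVAL_MSG:
            continue
        if fields.get("logger") != REMOVAL_LOGGER:
            continue
        try:
            removed[int(fields["userId"])].add(int(fields["orgId"]))
        except (KeyError, ValueError):  # field missing or not numeric
            continue
    return {uid: sorted(orgs) for uid, orgs in removed.items()}


if __name__ == "__main__":
    for uid, orgs in sorted(removed_memberships(SAMPLE_LOG).items()):
        print(f"userId={uid} lost orgIds={orgs}")
```

Comparing the result with the memberships an administrator granted by hand shows whether every manual grant outside the identity provider's view is being reverted at login.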

@jboth I had the same issue, thank you for your suggestion!

How did you manage to assign user org permissions?
When I try to edit a user logged in from OAuth (Azure), the roles/orgs are grayed out with a message that those are managed via auth module…
The only way I found is to edit the sqlite database :frowning: