Problem:
- LDAP Authentication Source configured for Okta (using LDAP in Okta, not an SSO app)
- validated user/group lookup all succeed
- create a User Group foreman_admins, checked the “Administrator” option, linked an external group and refreshed it
- UserA is in the external group
When UserA logs into foreman they are granted 0 rights. They can log in, but not do anything.
Using a local admin user:
If you navigate to Administer → User Groups → foreman_admins and look under the “User Group” tab, UserA shows up in the “Users” panel, but not in the “Selected Items” panel.
If you refresh the external group UserA is then moved to “Selected Items” and has admin level and can navigate around the foreman UI.
However, when UserA logs out and back in the sequence repeats itself. Sure, I could schedule the foreman-rake ldap:refresh_usergroups job every minute, but that doesn’t seem right.
Expected outcome:
Expected that once the user is added to “Selected Items” they will remain there
Foreman and Proxy versions:
foreman-proxy-3.14.0-1.el9.noarch
foreman-3.14.0-1.el9.noarch
Foreman and Proxy plugin versions:
foreman-proxy-3.14.0-1.el9.noarch
foreman-3.14.0-1.el9.noarch
Distribution and version:
Rocky Linux 9.6
Other relevant data:
Will it still happen if you uncheck the “Usergroup sync” checkbox for that particular auth source?
Would you happen to know what sort of schema Okta uses and which attributes are used to model the usergroup membership?
Unchecking that box does allow subsequent logins to work. The initial login is still role-less until the automated group sync runs from cron (which it does mention on that checkbox), so this might be the only path forward.
I really don’t know which schema Okta uses.
Thanks, though, this does help. Right now our login activity on foreman is pretty minimal so it won’t be a major impact, and it is only for the initial login.
I found a doc to enable debug logging and here are the results WITH the Usergroup Sync box checked. It’s definitely different output from when I click the “refresh” button on the external group.
2025-06-12T13:30:44 [D|app|d7bc7831] Updating user groups for user user@example.com
2025-06-12T13:30:44 [D|lda|d7bc7831] op bind (545.1ms) [ result=success ]
2025-06-12T13:30:45 [D|lda|d7bc7831] op search (595.7ms) [ filter=, base= ]
2025-06-12T13:30:45 [D|lda|d7bc7831] op search (829.5ms) [ filter=(uid=user@example.com), base=ou=users, dc=foobar, dc=okta, dc=com ]
2025-06-12T13:30:46 [D|lda|d7bc7831] op search (647.8ms) [ filter=, base= ]
2025-06-12T13:30:46 [D|lda|d7bc7831] group_list (2619.7ms) [ user=user@example.com ]
2025-06-12T13:30:46 [I|aud|d7bc7831] User (12) update event on usergroup_ids 5,
2025-06-12T13:30:46 [D|app|d7bc7831] Post-login processing for user@example.com
2025-06-12T13:30:46 [I|app|d7bc7831] User 'user@example.com' logged in from 'xx.xx.xx.xx'
2025-06-12T13:30:46 [D|tax|d7bc7831] Current organization set to none
2025-06-12T13:30:46 [D|tax|d7bc7831] Current location set to none
2025-06-12T13:30:46 [I|app|d7bc7831] Redirected to https://foreman.mydomain.com/
2025-06-12T13:30:46 [I|app|d7bc7831] Completed 302 Found in 8084ms (ActiveRecord: 58.1ms | Allocations: 51664)
2025-06-12T13:30:46 [I|app|970eb19a] Started GET "/" for xx.xx.xx.xx at 2025-06-12 13:30:46 +0000
2025-06-12T13:30:46 [I|app|970eb19a] Processing by DashboardController#index as HTML
2025-06-12T13:30:46 [D|tax|970eb19a] Current location set to MY_LOCATION
2025-06-12T13:30:46 [D|tax|970eb19a] Current organization set to MY_ORG
2025-06-12T13:30:46 [D|app|970eb19a] Rendering layout layouts/application.html.erb
2025-06-12T13:30:46 [D|app|970eb19a] Rendering common/403.html.erb within layouts/application
2025-06-12T13:30:46 [I|app|970eb19a] Rendered common/403.html.erb within layouts/application (Duration: 2.2ms | Allocations: 614)
2025-06-12T13:30:46 [D|app|970eb19a] Rendered layouts/_application_content.html.erb (Duration: 0.9ms | Allocations: 446)
2025-06-12T13:30:46 [D|app|970eb19a] Rendering layouts/base.html.erb
2025-06-12T13:30:46 [I|app|970eb19a] Rendered layouts/base.html.erb (Duration: 33.7ms | Allocations: 20497)
2025-06-12T13:30:46 [I|app|970eb19a] Rendered layout layouts/application.html.erb (Duration: 38.5ms | Allocations: 22192)
2025-06-12T13:30:46 [I|app|970eb19a] Filter chain halted as :authorize rendered or redirected
2025-06-12T13:30:46 [I|app|970eb19a] Completed 403 Forbidden in 71ms (Views: 39.1ms | ActiveRecord: 7.3ms | Allocations: 31196)
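The log above shows the pattern worth detecting on a Foreman instance with an LDAP auth source: the login request updates `usergroup_ids` for the user and redirects with 302, and the very next request from the same client is halted by `:authorize` with a 403. The following Ruby script is an added example, not code from the Foreman project or from anyone in this thread. It assumes the `production.log` debug format seen in the posted lines (`timestamp [level|facility|request_id] message`) and correlates a login request with the next request from the same client IP; the sample log embedded in it is constructed from the posted lines with a made-up client address.

```ruby
# Added example: spot logins whose LDAP usergroup sync ran but whose next
# request was still denied with 403. Assumes the Foreman production.log
# debug format shown in the thread: "<ts> [<level>|<facility>|<request_id>] <msg>".
LINE_RE = /\A(\S+) \[(\w)\|(\w+)\|([0-9a-f]+)\] (.*)\z/

Request = Struct.new(:id, :ip, :user, :groups_synced, :group_ids, :status,
                     keyword_init: true)

# Constructed sample modelled on the lines posted above (client IP is made up).
SAMPLE_LOG = <<~LOG
  2025-06-12T13:30:44 [D|app|d7bc7831] Updating user groups for user user@example.com
  2025-06-12T13:30:46 [D|lda|d7bc7831] group_list (2619.7ms) [ user=user@example.com ]
  2025-06-12T13:30:46 [I|aud|d7bc7831] User (12) update event on usergroup_ids 5,
  2025-06-12T13:30:46 [I|app|d7bc7831] User 'user@example.com' logged in from '10.0.0.5'
  2025-06-12T13:30:46 [I|app|d7bc7831] Completed 302 Found in 8084ms (ActiveRecord: 58.1ms)
  2025-06-12T13:30:46 [I|app|970eb19a] Started GET "/" for 10.0.0.5 at 2025-06-12 13:30:46 +0000
  2025-06-12T13:30:46 [I|app|970eb19a] Filter chain halted as :authorize rendered or redirected
  2025-06-12T13:30:46 [I|app|970eb19a] Completed 403 Forbidden in 71ms (Views: 39.1ms)
LOG

# Group log lines by request id and pull out the fields we care about.
# Returns the requests in the order they first appear in the log.
def parse_requests(log_text)
  requests = {}
  log_text.each_line(chomp: true) do |line|
    m = LINE_RE.match(line)
    next unless m
    _ts, _level, _facility, id, msg = m.captures
    req = (requests[id] ||= Request.new(id: id, groups_synced: false, group_ids: []))
    case msg
    when /\AUpdating user groups for user (\S+)/
      req.groups_synced = true          # the per-login usergroup sync ran
      req.user ||= $1
    when /update event on usergroup_ids ([\d,]+)/
      req.group_ids = $1.split(',').map(&:to_i)   # groups the sync assigned
    when /\AUser '([^']+)' logged in from '([^']+)'/
      req.user = $1
      req.ip = $2
    when /\AStarted \S+ "[^"]*" for (\S+) at /
      req.ip = $1                       # client address of a normal request
    when /\ACompleted (\d{3}) /
      req.status = $1.to_i              # final HTTP status of the request
    end
  end
  requests.values
end

# A "role-less login": a request that logged a user in, followed by the next
# request from the same client ending in 403 Forbidden.
def find_roleless_logins(log_text)
  requests = parse_requests(log_text)
  findings = []
  requests.each_with_index do |req, i|
    next unless req.user && req.ip
    follow_up = requests[(i + 1)..].find { |r| r.ip == req.ip }
    next unless follow_up && follow_up.status == 403
    findings << {
      user: req.user, ip: req.ip,
      login_request: req.id, denied_request: follow_up.id,
      groups_synced: req.groups_synced, group_ids: req.group_ids
    }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_roleless_logins(SAMPLE_LOG).each do |f|
    puts "#{f[:user]} from #{f[:ip]}: login #{f[:login_request]} synced groups " \
         "#{f[:group_ids].inspect}, next request #{f[:denied_request]} got 403"
  end
end
```

Run it against a real `/var/log/foreman/production.log` by replacing `SAMPLE_LOG` with the file contents; a non-empty result means the sync assigned groups (here `usergroup_ids 5`) yet the session still had no permissions, which is exactly the symptom described in this thread and is separate from a user who simply is not in any mapped group (`group_ids` empty).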