問題

Crowd is configured to automatically add users to a group when they log in to a connected application.  However, if the user has had their group membership revoked, the auto-add action does not work if they log in again.

Steps to reproduce

• In Crowd 3.1 or later, configure Crowd to grant group membership to a specific group upon authenticating in an application (like Confluence or Jira)

• Log in to the connected application with a user

• Back in Crowd, confirm the group was added.

• Remove the user's membership from that group
• Have the user re-authenticate to the connected application.
• The group will not be re-added in Crowd

原因

When performing the action to automatically add a user to a group, Crowd also adds an attribute to that user:

The autoGroupsAdded.app.XXXXXXX attribute means that the automatic group addition has run for this user for the application with the ID of XXXXXXX.  You can confirm your application's ID by going to the Applications page in Crowd, and clicking on the application.  You will see the page that is loaded has a URL ending in {{viewdetails.action?ID=XXXXXXX}}.  This ID should match the ID in the user attribute previously noted.

When this user logs in to the application with the above ID, Crowd looks to see if this attribute exists and is set to true.  If so, it will skip the auto group add process.

回避策

To get the auto group add process to run again for this user, simply remove the autoGroupsAdded attribute, or set it to false.  Either way will allow the process to run for this user next time they authenticate against this application.