When logging into the Pritunl server using JumpCloud SSO, the redirect from auth.pritunl.com only contains one group despite a user having multiple groups. In practice, what we’re seeing:
The POST request to https://auth.pritunl.com/v1/callback/saml contains several groups:
...
<saml2:AttributeStatement>
<saml2:Attribute Name="groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Group1</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">Group2</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
...
The response (with redirect) only contains one of the groups:
https://<host>/sso/callback?state=REDACTED&username=REDACTED&email=&org=&secondary=&groups=Group1&roles=&sig=REDACTED
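
A way to confirm the mismatch from a captured login, as an added diagnostic example that is not part of the original post or Pritunl's code: it collects every `AttributeValue` under the `groups` attribute of the assertion and compares them with the `groups` parameter of the redirect. The sample assertion, the redirect URL and the function names are constructed for illustration, and the comma split is an assumption about how several groups might be encoded in one parameter.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample mirroring the AttributeStatement shown in the post.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:AttributeStatement>
  <saml2:Attribute Name="groups"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
   <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:type="xsd:string">Group1</saml2:AttributeValue>
   <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:type="xsd:string">Group2</saml2:AttributeValue>
  </saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Constructed redirect with placeholder host and values.
SAMPLE_REDIRECT = ("https://vpn.example.invalid/sso/callback?state=x&username=u"
                   "&email=&org=&secondary=&groups=Group1&roles=&sig=x")


def saml_groups(assertion_xml, attr_name="groups"):
    """Return every value of the named attribute, not just the first."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def callback_groups(url):
    """Groups in the redirect; handles repeated params and comma lists."""
    groups = []
    for raw in parse_qs(urlsplit(url).query).get("groups", []):
        groups.extend(g for g in raw.split(",") if g)  # comma split: assumption
    return groups


def dropped_groups(assertion_xml, url):
    """Groups asserted by the IdP that are missing from the redirect."""
    sent = set(callback_groups(url))
    return [g for g in saml_groups(assertion_xml) if g not in sent]
```

Because group membership typically drives access decisions, a non-empty result from `dropped_groups` means the user may be evaluated against fewer groups than the IdP asserted.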