
Meeting mapper condition using groups results in error #2840

Open

Airfooox opened this issue Feb 2, 2025 · 1 comment

Airfooox commented Feb 2, 2025

Describe the bug
We are trying to use a user's LDAP groups (via SAML) to map access to certain meetings in OpenSlides. Specifically, we want to check if the user belongs to a particular group and then assign them to the corresponding meeting. However, when we configure the mapper to look for a specific group (e.g., bv-team-it), the user is unable to authenticate, and we receive an error.

How to Reproduce
We have set up a minimal configuration to test this concept:

```json
"meeting_mappers": [
  {
    "name": "test",
    "external_id": "weissdochauchnicht",
    "conditions": [
      {
        "attribute": "member",
        "condition": "bv-team-it"
      }
    ],
    "mappings": {
      "groups": [
        {
          "attribute": "member",
          "default": "Standard"
        }
      ]
    }
  }
],
```

We use Keycloak as our IdP. The SAML response (with personal data removed) looks like this:

```xml
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ar-schiedsrichter</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-datenschutz</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-it</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-it-leitung</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-website</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">it-role-mailcow-login</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lv-sn-mitglied</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member-list" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lv-th-schiedsgericht</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="member" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ar-schiedsrichter</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-datenschutz</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-it</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-it-leitung</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bv-team-website</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">it-role-mailcow-login</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lv-sn-mitglied</saml:AttributeValue>
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lv-th-schiedsgericht</saml:AttributeValue>
</saml:Attribute>
```

We have tried both the member and member-list attributes (toggling single-member-list off), but neither works. When using member as the attribute with the condition set to "bv-team-it", we see the following error upon login:

```json
{
  "message": "Authentication failed! Server could not save user."
}
```

in the /system/saml/acs path.

We also tried it with a hardcoded attribute, but that failed as well.

Expected behavior
We expected it to work as indicated in https://github.com/OpenSlides/openslides-backend/blob/main/docs/actions/user.save_saml_account.md with the function attribute to check for the user groups.

(If this was not expected behavior from the beginning, I'm sorry for submitting this as a bug report and would like for this issue to be treated as a feature request instead.)

System information

  • OpenSlides version: 4.2.1
  • KeyCloak as IdP
  • LDAP user groups
@Airfooox Airfooox added the bug label Feb 2, 2025
@Elblinator (Member) commented
You are trying to call an attribute (member) which is a list. This however is not possible in our program because the attribute is supposed to be a variable.

We will use your issue for the feature and move it to the backend :)

@Elblinator Elblinator added feature and removed bug labels Feb 11, 2025
@Elblinator Elblinator transferred this issue from OpenSlides/OpenSlides Feb 11, 2025
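The thread turns on one detail: the `member` attribute arrives as a multi-valued SAML attribute, and a mapper condition written for a scalar value can never match it. The following is an added example, not OpenSlides code and not the backend's actual mapper implementation. It parses a constructed `AttributeStatement` shaped like the response in the issue (personal data omitted, only the `saml` namespace and a scalar `email` attribute assumed), shows a scalar-only comparison failing on the list, and then evaluates the same mapper with a list-aware comparison. The `select_meetings` helper and its AND-over-conditions semantics are assumptions for illustration.

```python
"""Added example (not OpenSlides code): parse a SAML AttributeStatement into a
dict where multi-valued attributes become lists, then evaluate meeting-mapper
style conditions against scalar and list-valued attributes."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample modelled on the response in the issue: one multi-valued
# "member" attribute (three of the groups from the report) plus an assumed
# scalar "email" attribute so both shapes are exercised.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@example.invalid</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="member">
    <saml:AttributeValue>ar-schiedsrichter</saml:AttributeValue>
    <saml:AttributeValue>bv-team-it</saml:AttributeValue>
    <saml:AttributeValue>bv-team-it-leitung</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Mapper config taken from the issue, plus a second constructed mapper whose
# condition the sample user does not satisfy.
MEETING_MAPPERS = [
    {"name": "test", "external_id": "weissdochauchnicht",
     "conditions": [{"attribute": "member", "condition": "bv-team-it"}]},
    {"name": "website", "external_id": "website-meeting",  # constructed
     "conditions": [{"attribute": "member", "condition": "bv-team-website"}]},
]


def parse_attributes(xml_text):
    """Map attribute Name -> value; one value stays a string, several become a list.
    Repeated <Attribute> elements with the same Name (the "member-list" shape in
    the issue) are merged into one list."""
    root = ET.fromstring(xml_text)
    collected = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        collected.setdefault(attr.get("Name"), []).extend(values)
    return {k: (v[0] if len(v) == 1 else v) for k, v in collected.items()}


def naive_condition_matches(attrs, attribute, condition):
    """Scalar-only comparison: the behaviour the maintainer describes. It can
    never succeed when the attribute carries a list."""
    return attrs.get(attribute) == condition


def condition_matches(attrs, attribute, condition):
    """List-aware comparison: a condition on a multi-valued attribute holds when
    any value equals the condition string exactly. Exact equality matters:
    a substring or prefix test would let "bv-team-it" also match
    "bv-team-it-leitung" and over-grant access."""
    value = attrs.get(attribute)
    if value is None:
        return False
    if isinstance(value, list):
        return condition in value
    return value == condition


def select_meetings(attrs, meeting_mappers):
    """Return external_ids of mappers whose conditions all hold (AND semantics,
    an assumption of this example)."""
    return [m["external_id"] for m in meeting_mappers
            if all(condition_matches(attrs, c["attribute"], c["condition"])
                   for c in m["conditions"])]


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    print("parsed:", attrs)
    print("naive match:", naive_condition_matches(attrs, "member", "bv-team-it"))
    print("list-aware match:", condition_matches(attrs, "member", "bv-team-it"))
    print("meetings:", select_meetings(attrs, MEETING_MAPPERS))
```

Running it prints the parsed attributes, a failed naive match, a successful list-aware match, and `['weissdochauchnicht']` as the only selected meeting. The exact-equality rule in `condition_matches` is the part worth keeping in mind when such a feature lands: group names in the report share prefixes (`bv-team-it` versus `bv-team-it-leitung`), so anything looser than whole-value comparison would assign users to meetings their groups do not entitle them to.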