
JIT Connector: why does group removal not work with the JIT connector?

Why does group removal not work with the JIT connector?

Problem

When using the Just-in-Time (JIT) connector with User Sync (or JIT with SAML without User Sync), groups are not fully removed from a user when the user is removed from all groups in the Identity Provider (IdP).

Instead, one group always remains assigned, even though the IdP no longer shows the user as a member of any group.

This behavior is often mistaken for a bug.

Cause

This behavior is expected and intentional.

The JIT connector is designed so that an absent attribute is not treated as an empty attribute.

What happens technically?

  • If a user has at least one group in the IdP:

    • The IdP sends the group attribute.

    • The JIT connector updates the user’s group memberships accordingly.

  • If the user is removed from all groups in the IdP:

    • The IdP does not send the group attribute at all.

    • The JIT connector interprets this as “attribute not present”, not as “attribute present but empty”.

    • As a result, the JIT connector does not delete or clean up existing group assignments on the user.

This explains why the last remaining group is never removed.

This is not a bug. It was an explicit design decision to avoid unintended data loss when attributes are missing from the IdP response.

Resolution / Workaround

You can work around this behavior by ensuring that the group attribute is always present during a JIT update.

Configure “Always Assign Users to Certain Groups”

  1. Open the User Sync configuration.

  2. Configure the option:
    Always Assign Users to Certain Groups

  3. Select one dedicated group that:

    • Grants no permissions

    • Is not used for project or application access

Why does this work?

  • When this option is configured:

    • The group attribute is always included in the update request.

    • Even if the IdP sends no groups, the update still contains at least the always-assigned group.

  • From the JIT connector’s perspective:

    • The group attribute is now present (not absent)

    • All other groups can safely be removed

    • Only the always-assigned group remains

This allows group cleanup to work as expected.
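As an added illustration (not the connector's own code), the following Python model reproduces the rule from the "Cause" section and the effect of the workaround above: an absent group attribute leaves existing assignments untouched, while an always-assigned group makes the attribute present so the other groups can be cleaned up. The function names, the attribute name "groups" and the placeholder group name are assumptions.

```python
# Constructed model of the JIT connector's group rule described in this
# article. This is NOT the vendor's implementation; function names, the
# attribute name and the placeholder group name are assumptions.

GROUP_ATTR = "groups"  # assumed name of the group attribute in the IdP response


def reconcile_groups(current_groups, idp_attributes, always_assign=()):
    """Return the user's group set after one JIT update.

    current_groups: groups the user currently has in the application.
    idp_attributes: attribute map from the IdP response. An IdP that has
        removed the user from every group omits the group attribute entirely.
    always_assign:  groups configured under "Always Assign Users to Certain
        Groups"; they are added to every update, which makes the attribute
        present even when the IdP sent no groups.
    """
    attribute_present = GROUP_ATTR in idp_attributes or bool(always_assign)
    if not attribute_present:
        # An absent attribute is NOT treated as empty: keep existing assignments.
        return set(current_groups)
    # Attribute present (possibly empty, possibly only the always-assigned
    # group): memberships are replaced by what the update contains.
    return set(idp_attributes.get(GROUP_ATTR, ())) | set(always_assign)


def simulate_updates(initial_groups, idp_responses, always_assign=()):
    """Apply a sequence of IdP responses and return each resulting group set."""
    history = []
    groups = set(initial_groups)
    for response in idp_responses:
        groups = reconcile_groups(groups, response, always_assign)
        history.append(groups)
    return history


if __name__ == "__main__":
    # Constructed scenario: the user starts in two groups and is removed from
    # them one at a time in the IdP; the last response carries no group attribute.
    responses = [
        {"email": "user@example.com", GROUP_ATTR: ["developers"]},  # removed from "ops"
        {"email": "user@example.com"},                               # removed from all groups
    ]
    print("without workaround:", simulate_updates({"developers", "ops"}, responses))
    print("with workaround:   ", simulate_updates({"developers", "ops"}, responses,
                                                  always_assign=("jit-placeholder",)))
```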