When an OpenID realm is configured with a groups-claim, group values from the token may contain characters that are valid in the identity provider's namespace (e.g. colons in eduPersonEntitlement URNs) but invalid in Proxmox group names.
Currently these groups are silently skipped with a syslog warning, leaving the user with no group membership even when a matching group exists. Unlike AD/LDAP realms, where the source system's naming constraints naturally produce valid Proxmox group names, OIDC claims frequently originate from federated identity providers using URN-formatted attributes (e.g. eduPersonEntitlement) that are a standard part of higher-education identity infrastructure (Internet2/InCommon).
This was encountered integrating Proxmox with a Shibboleth OIDC bridge where groups are sent as eduPersonEntitlement values in the form:
urn:mace:college.edu:g:Service:proxmox:global_admins
The colons in the URN cause all groups to be silently dropped.
The fix is to add a `groups-sanitize` realm option (boolean, default false) that replaces any character not in [A-Za-z0-9._-] with a hyphen before validating and mapping the group name:
urn:mace:college.edu:g:Service:proxmox:global_admins
→ urn-mace-college.edu-g-Service-proxmox-global_admins
Making it opt-in preserves existing behavior for all unaffected realms.
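To make the proposed behaviour concrete, the following added example (not part of the report or of the Proxmox code base) models both modes of the realm: without the option, claim values that fail the group-name character class are dropped; with it, they are rewritten with the same substitution first. It also reports the one side effect of that substitution a realm administrator should know about, namely that two distinct entitlements can collapse to one Proxmox group. The character class is taken from the report; the actual check in PVE::AccessControl::verify_groupname is assumed to be equivalent for this purpose.

```python
import re
from collections import defaultdict

# Character class from the proposal; assumed to match what verify_groupname enforces.
ALLOWED = re.compile(r'^[A-Za-z0-9._-]+$')
INVALID_CHARS = re.compile(r'[^A-Za-z0-9._-]')


def sanitize_group(name: str) -> str:
    """Replace every character outside [A-Za-z0-9._-] with a hyphen."""
    return INVALID_CHARS.sub('-', name)


def map_groups(claims, sanitize=False):
    """Model the realm's group handling.

    Returns (mapping, dropped, collisions): claim -> Proxmox group name for
    accepted claims, the claims that would be skipped, and any Proxmox group
    name that more than one distinct claim resolves to.
    """
    mapping = {}
    dropped = []
    by_target = defaultdict(list)
    for claim in claims:
        candidate = sanitize_group(claim) if sanitize else claim
        if not ALLOWED.match(candidate):
            dropped.append(claim)          # today's behaviour: silently skipped
            continue
        mapping[claim] = candidate
        by_target[candidate].append(claim)
    collisions = {t: c for t, c in by_target.items() if len(c) > 1}
    return mapping, dropped, collisions


# Constructed eduPersonEntitlement values modelled on the report.
SAMPLE_CLAIMS = [
    "urn:mace:college.edu:g:Service:proxmox:global_admins",
    "urn:mace:college.edu:g:Service:proxmox:vm_users",
    "plain_group",
    # two distinct entitlements that differ only in a replaced character
    "urn:mace:college.edu:g:Service:proxmox:ops/team",
    "urn:mace:college.edu:g:Service:proxmox:ops-team",
]

if __name__ == "__main__":
    for flag in (False, True):
        mapping, dropped, collisions = map_groups(SAMPLE_CLAIMS, sanitize=flag)
        print(f"groups-sanitize={int(flag)}: mapped={len(mapping)} "
              f"dropped={dropped} collisions={collisions}")
```

Reviewing the collisions dict before enabling the option on a realm tells you whether any entitlements in your identity provider would share a Proxmox group and therefore its ACLs.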
We validated this locally by patching /usr/share/perl5/PVE/API2/OpenId.pm to add the substitution before the verify_groupname call:
for my $group (@$groups_list) {
+ $group =~ s/[^A-Za-z0-9._-]/-/g;
if (PVE::AccessControl::verify_groupname($group, 1)) {
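Review bot: the substitution on the `+` line runs unconditionally for every group in every realm, whereas the proposal makes `groups-sanitize` an opt-in boolean that defaults to false; the final patch should apply `$group =~ s/[^A-Za-z0-9._-]/-/g;` only when the realm's config has that option set, so that realms which never hit the problem keep their current behaviour as the description promises. It would also be worth a comment or a line in the option's documentation that the mapping is lossy: two distinct claim values that differ only in characters the regex replaces resolve to the same Proxmox group and therefore to the same ACLs, which matters when groups-autocreate is enabled.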
With groups-autocreate enabled, users authenticated via Shibboleth are correctly placed into sanitized groups and inherit their ACL permissions on the next login.