
Werk #18380: LDAP: Background sync now updates SAML-authenticated users

Component: Setup, site management
Title: LDAP: Background sync now updates SAML-authenticated users
Date: May 28, 2026
Level: Prominent Change
Class: New Feature
Compatibility: Incompatible - Manual interaction might be required
Checkmk versions & editions: 3.0.0b1 (Not yet released); Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT

What changed

LDAP background sync now updates user attributes (email, contact groups, roles, alias) for users created via SAML authentication. Previously those users only received attribute updates at SAML login, so directory changes did not propagate between logins.

When the LDAP sync finds a directory entry whose username matches an existing SAML-owned user (matching is Checkmk UserId == LDAP username, no fuzzy fallback), it takes over the user: the connector field switches to the LDAP connection and LDAP becomes the authoritative source for that user's attributes. The attributes the SAML connection had set are dropped during takeover, so no stale SAML values survive when the LDAP connection does not re-provide them. The user can continue to sign in via SAML — login proceeds without modifying the profile.

To enable this, add the LDAP connection to the site's "User attribute sync connections" list in the distributed monitoring settings. A SAML user with no matching LDAP entry is left unchanged.

Behaviour changes to be aware of

SAML login after takeover. Once an LDAP connector owns the user, subsequent SAML logins still authenticate but no longer overwrite the profile or reclaim the connector. Previously the SAML side would refuse the login with an internal "User already exists for different connection" error.

Deletion on LDAP removal. If a taken-over user is removed from LDAP, the next sync deletes the Checkmk user — the same behaviour LDAP has always had for users it owns. A subsequent SAML login creates a fresh user with only the basic SAML-mapped attributes.

ULTIMATEMT only: the customer attribute switches to the LDAP connector's customer when a user is taken over.
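The takeover, deletion and post-takeover login rules described above, modelled on an in-memory user store as an added illustration (this is not Checkmk's implementation; the connection ids, the `User` class and the attribute names are constructed for the example):

```python
from dataclasses import dataclass, field

SAML = "saml_corp"   # constructed connection ids, not real Checkmk identifiers
LDAP = "ldap_corp"


@dataclass
class User:
    user_id: str
    connector: str                              # which connection owns the profile
    attrs: dict = field(default_factory=dict)   # email, alias, roles, contact groups


def ldap_background_sync(users: dict, ldap_entries: dict, ldap_conn: str = LDAP) -> dict:
    """One sync run: users maps user_id -> User, ldap_entries maps LDAP username ->
    attribute dict. Matching is exact user_id == LDAP username, no fuzzy fallback."""
    for username, ldap_attrs in ldap_entries.items():
        user = users.get(username)
        if user is None:
            users[username] = User(username, ldap_conn, dict(ldap_attrs))
        elif user.connector == ldap_conn:
            user.attrs = dict(ldap_attrs)        # LDAP already owns it: plain update
        else:
            # Takeover of a SAML-owned user: the connector flips to LDAP and the
            # attributes SAML had set are dropped, not merged, so nothing stale survives.
            user.connector = ldap_conn
            user.attrs = dict(ldap_attrs)
    # Users this LDAP connector owns that vanished from the directory are deleted;
    # SAML-owned users without a matching LDAP entry are left untouched.
    for user_id in [u.user_id for u in users.values()
                    if u.connector == ldap_conn and u.user_id not in ldap_entries]:
        del users[user_id]
    return users


def saml_login(users: dict, user_id: str, saml_attrs: dict, saml_conn: str = SAML) -> User:
    """SAML login after the change: a missing user is created with the basic SAML-mapped
    attributes, a SAML-owned user is refreshed, and a profile owned by another
    connector is authenticated without being modified or reclaimed."""
    user = users.get(user_id)
    if user is None:
        user = users[user_id] = User(user_id, saml_conn, dict(saml_attrs))
    elif user.connector == saml_conn:
        user.attrs.update(saml_attrs)
    return user
```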
