Sub-admins cannot search disabled SAML users by display name or email

[hweihwang]

Steps to reproduce

1. Run Nextcloud 31.0.10 Enterprise with user_saml 7.0.0.
2. Create a sub-admin (delegated admin) who manages at least one group that comes from SAML provisioning.
3. Disable a user that belongs to that group.
4. Log in as the sub-admin, open Settings → Users, switch to “Disabled accounts”, and search for the user by display name or email.

Expected behaviour

The disabled account appears when searching by display name or email, matching the behaviour full admins get.

Actual behaviour

The search returns no results unless the sub-admin searches by the account name (UID). Full admins can find the same user via display name or email.

Analysis

• Sub-admins hit apps/provisioning_api/lib/Controller/UsersController.php:236, which delegates to each managed group’s searchUsers($search) and filters disabled users.
• For SAML groups, apps/user_saml/lib/GroupBackend.php:120 only applies the search term to uid. Display name and email are ignored, so the filtered list is empty unless the UID matches.
• Full admins bypass the group backend and use lib/private/User/Manager.php:292::getDisabledUsers(), where the search includes UID, display name, and email. That’s why they don’t experience the issue.

Environment

• Nextcloud 31.0.10 Enterprise (31.0.10.3)
• user_saml 7.0.0
• PHP 8.2.29, Apache 2.4.62, MySQL 10.11.10
• Browser: Chrome 141 (Windows 10)