From 03a4a2a9e9dfab75b529e9e43742343d7434f736 Mon Sep 17 00:00:00 2001
From: VishalDalwadi <dalwadivishal26@gmail.com>
Date: Tue, 24 Mar 2026 14:22:34 +0530
Subject: [PATCH] fix(go): skip delete and update superadmin on sync users;

---
 pro/auth/sync.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/pro/auth/sync.go b/pro/auth/sync.go
index 842eca5f..335d44e5 100644
--- a/pro/auth/sync.go
+++ b/pro/auth/sync.go
@@ -125,7 +125,7 @@ func SyncFromIDP() error {
 		}
 	}
 
-	err = syncUsers(idpUsers)
+	err = syncUsers(idpUsers, settings.AuthProvider == "")
 	if err != nil {
 		return err
 	}
@@ -134,7 +134,7 @@ func SyncFromIDP() error {
 	return err
 }
 
-func syncUsers(idpUsers []idp.User) error {
+func syncUsers(idpUsers []idp.User, removeIntegration bool) error {
 	dbUsers, err := (&schema.User{}).ListAll(db.WithContext(context.TODO()))
 	if err != nil {
 		return err
@@ -203,9 +203,10 @@ func syncUsers(idpUsers []idp.User) error {
 			// can be deleted.
 			_ = logic.DeletePendingUser(user.Username)
 		} else if dbUser.AuthType == schema.OAuth {
-			if dbUser.AccountDisabled != user.AccountDisabled ||
-				dbUser.DisplayName != user.DisplayName ||
-				dbUser.ExternalIdentityProviderID != user.ID {
+			if dbUser.PlatformRoleID != schema.SuperAdminRole &&
+				(dbUser.AccountDisabled != user.AccountDisabled ||
+					dbUser.DisplayName != user.DisplayName ||
+					dbUser.ExternalIdentityProviderID != user.ID) {
 
 				dbUser.AccountDisabled = user.AccountDisabled
 				dbUser.DisplayName = user.DisplayName
@@ -225,6 +226,10 @@ func syncUsers(idpUsers []idp.User) error {
 	for _, user := range dbUsersMap {
 		if user.ExternalIdentityProviderID != "" {
 			if _, ok := idpUsersMap[user.Username]; !ok {
+				if user.PlatformRoleID == schema.SuperAdminRole && !removeIntegration {
+					continue
+				}
+
 				// delete the user if it has been deleted on idp
 				// or is filtered out.
 				err = deleteAndCleanUpUser(user)