[BUG] SAML login does not update groups #45956

@alto-rlk

Rancher Server Setup

  • Rancher version: 2.8.5 (2.8.4 does not have this issue)
  • Installation option (Docker install/Helm Chart): Helm
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): EKS
  • Proxy/Cert Details: n/a

Information about the Cluster

  • Kubernetes version: 1.28
  • Cluster Type (Local/Downstream): local

User Information

  • What is the role of the user logged in? not sure, probably doesn't matter

Describe the bug
Rancher fails to update a user's groups from SAML.

To Reproduce

  1. Configure Rancher with a SAML SSO provider
  2. Log into Rancher as a user with some groups from the SSO provider
  3. In the SSO provider, add an additional group to the user.
  4. Log in to Rancher again.

Result
The user's groups do not change.

Expected Result
The user's groups should contain the newly added one.

Additional context
I believe (just from looking at the code, not directly tested) that this is due to the change in UserAttributeCreateOrUpdate. Specifically, moving the code that updates GroupPrincipals to before the call to m.userAttributeChanged causes that call to always return false, as it is now comparing two copies of the new groups, rather than old vs. new.
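
The ordering problem the reporter hypothesizes, as an added Go example that is not Rancher's code and not part of the original issue. The types, `attributeChanged`, the two sync functions and `login` are simplified, hypothetical stand-ins, and the group names are constructed.

```go
package main

import (
	"fmt"
	"reflect"
)

// UserAttribute is a simplified stand-in for a stored per-user record.
type UserAttribute struct {
	GroupPrincipals map[string][]string // provider -> group names
}
type saveFn func(*UserAttribute)
type syncFn func(*UserAttribute, string, []string, saveFn) bool

// attributeChanged reports whether the record's groups differ from the
// groups asserted at this login.
func attributeChanged(a *UserAttribute, provider string, groups []string) bool {
	return !reflect.DeepEqual(a.GroupPrincipals[provider], groups)
}

// syncMutateFirst assigns the new groups before comparing, so the check
// sees new vs new, always reports "unchanged", and the save is skipped.
func syncMutateFirst(a *UserAttribute, provider string, groups []string, save saveFn) bool {
	a.GroupPrincipals[provider] = groups
	if !attributeChanged(a, provider, groups) {
		return false
	}
	save(a)
	return true
}

// syncCompareFirst compares old vs new, then mutates and saves on a difference.
func syncCompareFirst(a *UserAttribute, provider string, groups []string, save saveFn) bool {
	if !attributeChanged(a, provider, groups) {
		return false
	}
	a.GroupPrincipals[provider] = groups
	save(a)
	return true
}

// login loads a working copy of the stored groups, runs sync with the groups
// asserted by the IdP, and returns what is persisted afterwards.
func login(sync syncFn, stored, asserted []string) []string {
	persisted := stored
	a := &UserAttribute{GroupPrincipals: map[string][]string{"saml": stored}}
	sync(a, "saml", asserted, func(u *UserAttribute) { persisted = u.GroupPrincipals["saml"] })
	return persisted
}

func main() {
	old, now := []string{"dev"}, []string{"dev", "ops"} // constructed sample groups
	fmt.Println("mutate first: ", login(syncMutateFirst, old, now))
	fmt.Println("compare first:", login(syncCompareFirst, old, now))
}
```

In this model the mutate-first variant skips the save for a removed group as well as an added one, which makes a regression test for both directions worth having.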

Labels

  • QA/M
  • area/authentication
  • kind/bug: Issues that are defects reported by users or that we know have reached a real release
  • team/collie: the team that is responsible for auth and rbac within rancher
