diff --git a/forge/db/migrations/20251006-01-fix-sso-group-type.js b/forge/db/migrations/20251006-01-fix-sso-group-type.js
new file mode 100644
index 0000000000..313c5e0a92
--- /dev/null
+++ b/forge/db/migrations/20251006-01-fix-sso-group-type.js
@@ -0,0 +1,44 @@
+/**
+ * Change column type
+ */
+
+const { DataTypes } = require('sequelize')
+
+module.exports = {
+ up: async (context, Sequelize) => {
+ const dialect = context.sequelize.options.dialect
+ if (dialect === 'sqlite') {
+ // For SQLITE, we need to avoid triggering cascading deletes due to the way it does column changes
+ const sqlFind = "select sql from SQLITE_MASTER where name = 'Users' and type = 'table';"
+ const [results] = await context.sequelize.query(sqlFind)
+ if (results.length === 0) {
+ return // Nothing to do
+ }
+
+ // Check if the DDL is as expected already
+ const ddl = results[0].sql
+ const re = /(`SSOGroups`[^,]+?VARCHAR\(255\))/.exec(ddl)
+ if (!re || re.length < 2) {
+ return // Nothing to do
+ }
+
+ // create new column definition
+ const currentColDef = re[1]
+ const newColDef = currentColDef.replace('VARCHAR(255)', 'TEXT')
+
+ // update the table with the new column definition
+ await context.sequelize.query('pragma writable_schema=1;')
+ const sqlUpdate = `update SQLITE_MASTER set sql = replace(sql, '${currentColDef}', '${newColDef}') where name = 'Users' and type = 'table';`
+ context.sequelize.query(sqlUpdate)
+ await context.sequelize.query('pragma writable_schema=0;')
+ } else {
+ // For Postgres, we can use changeColumn directly.
+ await context.changeColumn('Users', 'SSOGroups', {
+ type: DataTypes.TEXT,
+ allowNull: true
+ })
+ }
+ },
+ down: async (useContext, Sequelize) => {
+ }
+}
diff --git a/forge/db/models/User.js b/forge/db/models/User.js
index 0e4e0c941e..86f29680e5 100644
--- a/forge/db/models/User.js
+++ b/forge/db/models/User.js
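Review bot: In the sqlite branch of the migration's `up`, `context.sequelize.query(sqlUpdate)` is not awaited, so `pragma writable_schema=0;` can be issued before the catalogue update has completed and a rejected update goes unhandled. Even once awaited, an exception from the update would skip the reset and leave the schema table writable, so the update belongs in a `try`/`finally`. Binding the two column definitions rather than interpolating them into the statement also keeps a quote in the matched DDL from breaking or altering the SQL. The empty `down` deserves a one-line comment saying the change is intentionally not reverted.

```javascript
// … unchanged: dialect check, DDL lookup, currentColDef / newColDef …
await context.sequelize.query('pragma writable_schema=1;')
try {
    const sqlUpdate = "update SQLITE_MASTER set sql = replace(sql, :currentColDef, :newColDef) where name = 'Users' and type = 'table';"
    await context.sequelize.query(sqlUpdate, { replacements: { currentColDef, newColDef } })
} finally {
    // always switch the schema table back to read-only, even if the update fails
    await context.sequelize.query('pragma writable_schema=0;')
}
```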
@@ -44,7 +44,7 @@ module.exports = {
 defaultValue: false
 },
 SSOGroups: {
- type: DataTypes.STRING,
+ type: DataTypes.TEXT,
 allowNull: true,
 get () {
 const rawValue = this.getDataValue('SSOGroups')
diff --git a/forge/ee/routes/sso/auth.js b/forge/ee/routes/sso/auth.js
index 4e13c9a92f..ba75eec1ef 100644
--- a/forge/ee/routes/sso/auth.js
+++ b/forge/ee/routes/sso/auth.js
@@ -100,13 +100,17 @@ module.exports = fp(async function (app, opts) {
 return
 }
 }
- if (providerOpts.exposeGroups) {
- // get SAML groups
- user.SSOGroups = app.sso.getUserGroups(samlUser, user, providerOpts)
- await user.save()
- } else {
- user.SSOGroups = null
- await user.save()
+ try {
+ if (providerOpts.exposeGroups) {
+ // get SAML groups
+ user.SSOGroups = app.sso.getUserGroups(samlUser, user, providerOpts)
+ await user.save()
+ } else {
+ user.SSOGroups = null
+ await user.save()
+ }
+ } catch (err) {
+ app.log.error(`SAML SSOGroups error: ${err.toString()} ${err.stack}`)
 }
 done(null, user)
 } else {
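Review bot: In forge/ee/routes/sso/auth.js the new `catch` logs and then falls through to `done(null, user)`, so a failed `user.save()` lets the login complete while the database still holds the previous `SSOGroups` value, including in the `else` branch that is meant to clear it. If anything downstream reads the stored groups for access decisions (not visible in this hunk), that is a fail-open path. I would at least record the choice with `// Non-fatal by design: on failure the previously stored SSOGroups stay in place`, and consider whether the login should instead be rejected through the `done` callback. `err.stack` normally already starts with the error message, so `err.toString()` duplicates it in the log line. The enclosing callback starts and ends outside the hunk.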