Hi guys,
With SAML configured we have a situation when before adding a user to a new group new users have to login to the portal once, so their account would appear in the database.
So if we add a new Team with 10 users I first would need to ask then to login once, then I could find them all in the list and update the membership.
This is not very convenient of course.
Can you suggest a better way to authenticate against AAD and automate the process?
Thanks.
Hey there.
Have you considered also syncing groups to SonarQube (see the documentation on Group Mapping). This means that as long as a group is created in SonarQube that matches a group being sent by your authentication provider, a user will be added to the necessary groups when logging in for the first time.
Sorry for the delay Colin. Was waiting for our infra guys.
So I have a group configured in SonarQube.
I have the same group configured in AD (which is our IP. Sorry for confusion above).
I added myself to the group in AD and on SQ portal.
After first login I see myself a part of Users grp only.
SAML group attribute (sonar.auth.saml.group.name) is configured with “http://schemas.xmlsoap.org/claims/Group”
If I reset this record my users keep manually assigned groups.
But as you can see above, with this feature configured my users lose all their groups.
Please advise on how I can troubleshoot this.
Thanks.
Also FYI, we gave the following ADFS settings:
AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {Active Directory}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : {XXX}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : c-8
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public
IssueOAuthRefreshTokensTo : NoDevice
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
Name : XXX
AutoUpdateEnabled : False
MonitoringEnabled : False
MetadataUrl :
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules : @RuleTemplate = “AllowAllAuthzRule”
=> issue(Type = “http://schemas.microsoft.com/authorization/claims/permit”, Value = “true”);
IssuanceTransformRules : @RuleTemplate = “LdapClaims”
@RuleName = “SonarQube Userclaims”
c:[Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname”, Issuer == “AD AUTHORITY”]
=> issue(store = “Active Directory”, types = (“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”,
“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”,
“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”,
“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”, “http://schemas.xmlsoap.org/claims/Group”), query =
“;userPrincipalName,displayName,mail,sAMAccountName,tokenGroups;{0}”, param = c.Value);
DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 1/1/1900 1:00:00 AM
LastMonitoredTime : 1/1/1900 1:00:00 AM
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName :
AccessControlPolicyParameters :
ResultantPolicy :
Could you specify the parameter that has to be modified?
Thanks.