How to synchronize Entra ID Free and Sonarqube groups?

Hello, how are you?

I’m deploying SAML for SSO for Entra ID (Free) with Sonarqube Community Build v25.3.0.104237.

It runs on an Azure VM using Docker Compose.

I configured SAML and it worked, but it’s not synchronizing groups. All logged-in users are assigned only to the sonar-users group.

Follow this documentation:

What could it be? Is there an API to add users to groups within Sonarqube?

Hey there.

First things first, only the latest version of SonarQube Community Build is considered active.

Your update path is:

25.3 → 25.9

You may find these resources helpful:

Secondly, group sync requires three things:

  • You have defined the SAML group attribute in your SAML config
  • This attribute maps to an attribute actually returned by Entra, which includes the list of groups the user belongs to
  • This group already exists (character for character) in your SonarQube instance

Are all three of these things true?

Thanks for the feedback, @Colin.

So, when I follow the documentation settings, the information related to groups comes up with this error:

Mapping not found for the property sonar.auth.saml.group.name, the field http://schemas.microsoft.com/ws/2008/06/identity/claims/groups is not available in the SAML response.

I think the empty response is because my Entra ID is free and doesn’t allow assigning groups to the Enterprise Application. Could that be the reason?

Groups are not available for assignment due to your Active Directory plan level. You can assign individual users to the application.

If it’s because of the Entra ID’s Free Tier, is there another way to do this?

An alternative I found

After some testing, I managed to do it in this Enterprise configuration. But I have to create the groups in Sonarqube using their group IDs in Azure.

There isn’t a different Group Attribute you can choose here? What else is in the dropdown?

@Colin

The options appear for me

If I change it to sAMAccountName it returns the same

Hey there.

Based on the docs it looks like it’s expected that Security Groups only returns IDs.

Security groups Emits security groups that the user is a member of in the groups claim. If the user is assigned directory roles, they’re emitted as object ID.

You may want to try the other options – like “All groups” or “Directory roles” to see if that makes a difference, or tick “Emit group name for cloud-only groups”.

(I would test this, but I don’t have an Azure AD setup on hand)
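
Added example, not part of any post in this thread and not SonarQube's own code: a check over a decoded SAML assertion for the three group-sync conditions listed earlier, which also flags values that arrive as object IDs instead of names. The sample assertion, the group names and the `check_group_sync` helper are constructed for illustration; the claim URI is the one from the error message above.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim name taken from the error message quoted in the thread.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample (not from a real tenant): one object ID, two names.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>sonar-admins</saml:AttributeValue>
      <saml:AttributeValue>Developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_group_sync(assertion_xml, group_attribute, sonarqube_groups):
    """Diagnostic only: reads a decoded assertion you captured yourself and
    does not validate its signature."""
    root = ET.fromstring(assertion_xml)
    values = None
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == group_attribute:
            values = [v.text or ""
                      for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    if values is None:
        # Condition 2 fails: the IdP never sent the configured attribute.
        return {"status": "attribute_missing"}
    by_lower = {g.lower(): g for g in sonarqube_groups}
    report = {"status": "ok", "matched": [], "case_mismatch": [],
              "object_ids": [], "no_such_group": []}
    for value in values:
        if value in sonarqube_groups:
            report["matched"].append(value)        # exact match: will sync
        elif value.lower() in by_lower:
            report["case_mismatch"].append((value, by_lower[value.lower()]))
        elif GUID_RE.fullmatch(value):
            report["object_ids"].append(value)     # IdP sent an ID, not a name
        else:
            report["no_such_group"].append(value)
    return report

if __name__ == "__main__":
    groups = {"sonar-users", "sonar-admins", "developers"}
    print(check_group_sync(SAMPLE_ASSERTION, GROUPS_CLAIM, groups))
```

A value listed under `object_ids` only syncs if a SonarQube group with exactly that ID as its name exists, which is the workaround described earlier in the thread.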