Issues while setting up SAML SSO with Microsoft Entra ID

  • ALM used (GitHub, Bitbucket Cloud, Azure DevOps) → Azure, Microsoft Entra ID
  • CI system used (Bitbucket Cloud, Azure DevOps, Travis CI, Circle CI) → Azure DevOps
  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting) →
    We have recently upgraded our existing SonarCloud subscription to Enterprise. We have created an enterprise app inside the Azure Portal and set up SAML SSO as per the document (Transitioning to SAML SSO | SonarQube Cloud Documentation).
    When we test SSO, we get the issues below:
    a) On the Azure Portal, it displays the message “Microsoft Entra ID successfully issued a token (SAML Response) to the application. If you still can’t access application, you need to contact software vendor”, and on the SonarCloud side we see the message “Sorry, we couldn’t verify your authorization to access this page”
    b) When we try to log in via the SonarCloud SSO URL, it shows the message below:
    “User uuid is not allowed to get enterprise uuid”

Also, there are a few other queries:

  1. Should the user be assigned Enterprise, Organization and Project level permissions on SonarCloud before logging in with SSO?
    We tried assigning permissions at the Enterprise, Organization and Project level, but the user is still not able to see the assigned Organization and Project.
  2. As the initial organization was created using an Azure DevOps login, and we then upgraded to the Enterprise version, is there any syncing issue that is preventing us from seeing the data?
  3. If the user is new and has not logged in even once, we cannot add that user as a member of the Organization and assign permissions. Is this a valid case?

Hello @akumbhar and welcome to our Community!
There seems to be an issue at the authorization level, probably with the groups configuration.
One thing I can suggest is to make sure that you have created groups at your SAC organization level that exactly match the names of the groups in your enterprise application in Entra ID for the sync to happen successfully.

Hi Nour, thanks for your prompt reply. I tried adding the respective Entra group to SQC and it worked.
Now the question is: can I add individual users without any group, or is it mandatory to create an Entra group first, add it to SQC, and only then can the user log in with SSO?

Hello @akumbhar - sorry for getting back to you this late
The only way to onboard SAML SSO users is through group synchronization. Every SAML user that you want to onboard to SQC must belong to at least one Entra group.
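Both replies above come down to the same check: the group values Entra ID puts into the SAML Response must match the group names created at the SQC organization level exactly, or the user is never synced into a group and lands on an authorization error. The script below is an added diagnostic, not SonarSource's code or anything from the original thread. It takes a captured SAMLResponse (the base64 form field you can copy from the browser's developer tools after the Entra redirect), pulls out the group claim values, and reports which ones match a list of SQC groups exactly and why the others miss (case or whitespace differences, or Entra emitting group object IDs instead of display names). The claim name is assumed to be Entra ID's default groups claim URI, and both the Response and the SQC group list are constructed samples. It does not validate the XML signature; it only explains a mismatch.

```python
"""Diagnose SAML group-claim mismatches against SQC organization groups (added example)."""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumption: the default claim name under which Entra ID emits group values.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Entra group object IDs are GUIDs; if these show up, Entra is not emitting display names.
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample: a minimal, unsigned Response with one group claim carrying
# an exact match, a near miss (case + trailing space) and a raw object ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>SonarCloud-Developers</saml:AttributeValue>
        <saml:AttributeValue>sonarcloud-admins </saml:AttributeValue>
        <saml:AttributeValue>f0e1d2c3-b4a5-4678-9abc-def012345678</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: groups created at the SQC organization level.
SQC_GROUPS = {"SonarCloud-Developers", "SonarCloud-Admins"}


def from_form_field(saml_response_b64: str) -> str:
    """Decode the base64 SAMLResponse POST field captured from the browser."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def extract_attributes(response_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values...]} from every AttributeStatement in the Response."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_group_sync(attrs: dict[str, list[str]], sqc_groups: set[str], claim: str = GROUPS_CLAIM):
    """Split the claim's values into exact matches and misses, with a hint for each miss."""
    values = attrs.get(claim, [])
    matched = [v for v in values if v in sqc_groups]
    unmatched = [v for v in values if v not in sqc_groups]
    by_folded = {g.strip().casefold(): g for g in sqc_groups}
    hints: dict[str, str] = {}
    for v in unmatched:
        if GUID_RE.fullmatch(v.lower()):
            hints[v] = "looks like a group object ID; Entra is emitting IDs, not display names"
        elif v.strip().casefold() in by_folded:
            hints[v] = f"near miss for SQC group {by_folded[v.strip().casefold()]!r}: case or whitespace differs"
        else:
            hints[v] = "no SQC group with this exact name"
    return matched, unmatched, hints


def report(response_xml: str, sqc_groups: set[str]) -> dict:
    """Summarise who the assertion is for and whether group sync would give them any group."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    matched, unmatched, hints = check_group_sync(extract_attributes(response_xml), sqc_groups)
    return {
        "name_id": name_id.text if name_id is not None else None,
        "matched": matched,
        "unmatched": unmatched,
        "hints": hints,
        # Per the thread: no matching group means the user is not onboarded at all.
        "onboardable": bool(matched),
    }


if __name__ == "__main__":
    result = report(SAMPLE_RESPONSE, SQC_GROUPS)
    print(f"subject: {result['name_id']}  onboardable: {result['onboardable']}")
    for g in result["matched"]:
        print(f"  OK    {g!r}")
    for g in result["unmatched"]:
        print(f"  MISS  {g!r}: {result['hints'][g]}")
```

To use it on a real login, pass the copied SAMLResponse field through `from_form_field` and feed the result to `report` together with the group names as they appear in the SQC organization. A user whose every group value lands in `unmatched` is exactly the "not allowed" case from the first post; the hints tell you whether to rename a group or change the Entra group claim to emit display names rather than object IDs.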