JIT SSO Group Sync with Azure Entra — Unable to Map to Default Members Group

We have SSO configured on our SonarQube Cloud Enterprise account using Azure Entra (SAML/OIDC). SSO authentication is working, but we’re running into an issue with group synchronization.

Our setup:

  • Identity Provider: Azure Entra

  • Provisioning method: JIT (not SCIM)

  • Azure group name: SonarCloud sso

Issue: Users authenticating via SSO are not being automatically added to our SonarCloud organization. We initially tried mapping the Azure group to the default Members group in SonarCloud, but per the documentation, the Members group is explicitly excluded from JIT auto group sync.

Questions:

  1. Is there any supported way to use JIT sync to add users to the default Members group, or is SCIM the only path for that?

  2. For the workaround of creating a custom group named SonarCloud sso — do we need to configure anything specific in the Azure app registration (e.g. group claims in the token) for the name-matching to work?

  3. Are there any gotchas with Azure Entra specifically for JIT group sync that we should be aware of?

I also have a SonarCloud sso group setup on my Org under my Enterprise.

My enterprise is configured, it seems, but no group claims are being returned.

Hi,

Welcome to the community and thanks for this report!

Have you created your groups on the SonarQube Cloud side? I believe capitalization (and obvs spelling) count.

Ann

My Azure group is "SonarCloud sso", and in my org in SonarCloud (not the enterprise) there is a group named "SonarCloud sso". I did not see any group options at the enterprise level.

Hi,

Going back to your original post:

You can’t manage who’s in the Members group because, per the docs

Members group: This group contains all DevOps platform (DOP) users of the organization.

Now, this says “DevOps platform users” but I think it hasn’t been updated since we started doing SSO. Members is going to be everyone in your org.

So your users are in SonarCloud sso in your IdP, but they’re not being added to the group in SonarQube Cloud?

Ann

My user account is a member of the IDP group on my end. But in my org group there are zero users.

Also note that our org was originally set up with GitLab as SSO; then we updated our license with Sonar to an enterprise plan. The org is now under the enterprise, which is where the SSO with my IdP is set up. When I access via SSO I get "Sorry, but we couldn't verify your authorization to access this page." I can still log in to my org with my GitLab account.

Hi,

This sounds like it might be a question of the SSO setup, rather than the group syncing. There should be a button in the UI to Test Connection. Does it show the connection as successful?

Ann

It does work

Confirmation message

"Testing complete!

Please return to the Self-Service Enterprise Configuration setup flow to enable the connection. You may close this tab."

JWT:

{
  "user_id": "REDACTED:connection-id|REDACTED:email",
  "email": "REDACTED:email",
  "name": "REDACTED:name",
  "username": "REDACTED:email",
  "sessionIndex": "REDACTED:session-index",
  "tenantid": "REDACTED:tenant-guid",
  "objectidentifier": "REDACTED:object-id-guid",
  "identityprovider": "https://sts.windows.net/REDACTED:tenant-guid/",
  "authnmethodsreferences": [
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
    "http://schemas.microsoft.com/claims/multipleauthn"
  ],
  "nameIdAttributes": {
    "value": "REDACTED:email",
    "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  },
  "authenticationmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
  "issuer": "https://sts.windows.net/REDACTED:tenant-guid/",
  "provider": "samlp",
  "connection": "REDACTED:connection-id"
}

Hi,

I think it’s probably time for someone to check the back-end logs. I’m going to flag this for the folks with access.

Ann

@erikmillerkinective,

For the test connection JSON, I do not see the groups claim. Have you configured the groups attribute correctly in your IdP? Once you have fixed the groups claim, you can test the connection again and you should see the groups attribute (provided the user is a member of at least one group and the group is assigned to the application).

We have documentation about setting up the groups claim with Entra.

Thanks,
Sarath
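As an added illustration (not code from this thread or from SonarSource), a small Python check over the kind of test-connection payload posted above: it reports whether the groups attribute is absent entirely, which IdP group names match a SonarQube Cloud group exactly, which differ only by case or whitespace (and so would never be matched by name), and whether a match targets the Members group that JIT sync skips. The claim key `groups`, the group names and both sample payloads are assumptions constructed for the example.

```python
import json

# Constructed sample modelled on the redacted test-connection JSON in the thread:
# no groups attribute at all (the situation Sarath points out).
SAMPLE_WITHOUT_GROUPS = json.dumps({
    "email": "REDACTED:email",
    "provider": "samlp",
    "issuer": "https://sts.windows.net/REDACTED:tenant-guid/",
})

# Constructed sample of the same payload after a groups claim has been configured
# in Entra. The key name "groups" is an assumption; Entra lets you choose it.
SAMPLE_WITH_GROUPS = json.dumps({
    "email": "REDACTED:email",
    "provider": "samlp",
    "groups": ["SonarCloud sso", "sonarcloud SSO", "Members", "Engineering"],
})

# Per the SonarQube Cloud docs quoted above, the Members group is excluded from JIT sync.
MEMBERS_GROUP = "Members"


def check_group_sync(payload_json, sonar_groups, claim_name="groups"):
    """Explain what JIT group sync could do with this payload.

    sonar_groups: group names that exist on the SonarQube Cloud organization.
    Returns a dict with:
      missing_claim - True when the IdP sent no groups attribute at all
      matched       - IdP groups that match a SonarQube Cloud group exactly
      near_misses   - (idp_name, sonar_name) pairs differing only by case/whitespace
      ignored       - exact matches that JIT sync will still not apply (Members)
    """
    claims = json.loads(payload_json)
    result = {"missing_claim": False, "matched": [], "near_misses": [], "ignored": []}
    if claim_name not in claims:
        result["missing_claim"] = True
        return result
    idp_groups = claims[claim_name]
    if isinstance(idp_groups, str):  # a single group may arrive as a bare string
        idp_groups = [idp_groups]
    exact = set(sonar_groups)
    folded = {g.strip().casefold(): g for g in sonar_groups}  # case-insensitive index
    for g in idp_groups:
        if g in exact:
            result["ignored" if g == MEMBERS_GROUP else "matched"].append(g)
        elif g.strip().casefold() in folded:
            result["near_misses"].append((g, folded[g.strip().casefold()]))
    return result
```

The near-miss list is the quick way to spot the capitalization and spelling mismatches Ann mentions, since name matching is exact.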

That fixed the SSO issue. Thanks. Now my GitLab account and Entra account are seemingly merged, but it seems I lost admin permissions to both the Org and the Enterprise.


Glad that your SSO issue is sorted out. What do you mean by the accounts got merged? Were you the enterprise admin on any of these logins? Essentially, you will be able to switch between the two and the permission will be preserved for the account you used to login.

Let’s say you were the enterprise admin using Azure login and you logged in with GitLab using the same email, you are now switching the email to be used in GitLab. Now you see that you may not have permissions to your Org/Enterprise. But once you login back with Azure, you should see the permission and it won’t be lost.

I was enterprise admin with my GitLab account that I was logging in with. After logging in with my Entra account, I do not see any of the admin permissions I used to.


@erikmillerkinective

You need to log in with GitLab again to be the enterprise admin, as we do not support account linking yet.

How can I make my Entra account the enterprise admin? I want to eventually deprecate GitLab authentication for my users on the Enterprise and Orgs.

My GitLab account currently is the enterprise admin.

@erikmillerkinective,

Since the original issue you reported is solved, I suggest you create a new post for this issue.

Anyway, what I suggest is to do the following, since a single email is being used for both accounts (GitLab and Azure):

  1. Assign any other user (with a different email) to your enterprise org.
  2. Log in with GitLab and assign this user as an enterprise and org admin.
  3. Log in to SonarQube Cloud with the Azure login.
  4. Ask the user you assigned in step 1 to add your user (by email) to the org (which will add the AD user) and to assign it both the Org admin and Enterprise admin permissions.

If you still need assistance, please create a new community post and the responsible team will assist you further.

Cheers,
Sarath