Lose permissions to groups

Hi guys,

We first found this issue on SonarQube 7.9. Now upgraded to 8.2, but the issue is still there.
The issue is that we add different users to different groups and, sometimes after a few days, sometimes after the first login, users disappear from these groups.
The last thing I tried was to upgrade to 8.2.
Then I added my AD (SAML enabled) account to become a part of the sonar-administrators group.
Then I relogged with my user account and found myself to be a part of sonar-users only.
Tested this with different browsers.
So the settings are saved. But the first login kicks you off.
Please advise.

Thanks

I would recommend reviewing this very important section of our documentation on Delegated Authentication about Group Mapping.

Group Mapping

When using group mapping, the following caveats apply regardless of which delegated authentication method is used:

  • membership in synchronized groups will override any membership locally configured in SonarQube at each login
  • membership in a group is synched only if a group with the same name exists in SonarQube
  • membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider
  • When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each log in.

If you have sonar.auth.saml.group.name configured in your SAML settings, that means Group Mapping is enabled and users will be kicked out of local SonarQube groups when externally authenticated users log in and groups are resynced. You should make sure to only assign permissions to groups that are defined in your identity provider.

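The group-mapping caveats quoted above, modelled as an added example (not SonarQube's code and not part of the original posts): it reads the group attribute from a SAML assertion and reports which local memberships a login would keep or drop. The sample assertion, the attribute name used in it, the function names and exact-match comparison of group names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_GROUP = "sonar-users"  # built-in group that always remains

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>sonar-developers</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def idp_groups(assertion_xml, group_attr):
    """Group names carried in the attribute named by sonar.auth.saml.group.name."""
    # Stdlib parser is fine for this constructed sample; use a hardened
    # parser (e.g. defusedxml) for assertions from an untrusted source.
    root = ET.fromstring(assertion_xml)
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != group_attr:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return groups


def membership_after_login(local, sonarqube_groups, assertion_xml, group_attr):
    """Apply the quoted caveats; returns (kept, dropped) sets of group names."""
    local = set(local)
    if not group_attr:  # group mapping not configured: local membership stays
        return local, set()
    # Only IdP groups whose name also exists in SonarQube are synchronized.
    synced = idp_groups(assertion_xml, group_attr) & set(sonarqube_groups)
    kept = synced | {DEFAULT_GROUP}
    # Anything assigned only locally is overridden at this login.
    return kept, local - kept
```

Running it with a locally assigned sonar-administrators membership and an assertion that does not carry that group reproduces the behaviour reported in the first post.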

Thanks Colin.
Our IP is ADFS.
It does help. When I reset the sonar.auth.saml.group.name attribute I can stay in local groups after relog.
But you mentioned groups to be synced with SonarQube. Could you please provide a documentation link on this?
Or explain in general how to auto-assign users to Portfolios based on an AD group.
Otherwise we have to do this all manually.
Thanks in advance.

Any update on this, guys?