We first found this issue on SonarQube 7.9. Now upgraded to 8.2, but the issue is still there.
The issue is that we add different users to different groups and sometimes after few days, sometimes after first login users disappear from these groups.
Last what I tried is to upgrade to 8.2.
Then I added my AD (SAML enabled) account to become a part of sonar-administrators group.
Then I relog with my user account and find myself to be a part of sonar-users only.
Tested this with different browsers.
So the settings are saved. But first log in kicks you off.
I would recommend reviewing this very important section of our documentation on Delegated Authentication about Group Mapping.
When using group mapping, the following caveats apply regardless of which delegated authentication method is used:
- membership in synchronized groups will override any membership locally configured in SonarQube at each login
- membership in a group is synched only if a group with the same name exists in SonarQube
- membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider
- When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each log in.
When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each log in.
If you have
sonar.auth.saml.group.name configured in your SAML settings, that means Group Mapping is enabled and users will be kicked out of local SonarQube groups when externally authenticated users login and groups are resynced. You should make sure to only assign permissions to groups that are defined in your identity provider.
Our IP is ADFS.
It does help. When I reset the sonar.auth.saml.group.name attribute I can stay in local groups after relog.
But you mentioned groups to be synced with SonarQube. Could you please provide with a documentation link on this?
Or explain in general how to auto-assign users to Portfolios. Based on an AD group.
Otherwise we have to do this all manually.
Thanks in advance.