Lose permissions to groups

I would recommend reviewing this very important section of our documentation on Delegated Authentication about Group Mapping.

Group Mapping

When using group mapping, the following caveats apply regardless of which delegated authentication method is used:

  • membership in synchronized groups will override any membership locally configured in SonarQube at each login
  • membership in a group is synched only if a group with the same name exists in SonarQube
  • membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider
  • When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each login.

If you have sonar.auth.saml.group.name configured in your SAML settings, that means Group Mapping is enabled and users will be kicked out of local SonarQube groups when externally authenticated users log in and groups are resynced. You should make sure to only assign permissions to groups that are defined in your identity provider.

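A small model of the caveats quoted above, added here as an illustration (not SonarQube's code and not part of the original post): it computes which local groups and permissions a user loses at the next delegated login, and which permission-holding groups do not exist in the identity provider. All group and permission names are constructed sample data, and exact, case-sensitive name matching is an assumption.

```python
# Added illustration of the group-mapping caveats; all names are constructed.
DEFAULT_GROUP = "sonar-users"  # built-in group, kept at every login


def groups_after_login(idp_groups, sonarqube_groups):
    """Membership after a delegated login with group mapping enabled.

    Assumption: names are compared exactly (case-sensitive).
    """
    synced = set(idp_groups) & set(sonarqube_groups)  # same-name groups only
    return synced | {DEFAULT_GROUP}


def permissions_of(groups, group_permissions):
    """Union of the permissions granted to the given groups."""
    return set().union(*(group_permissions.get(g, set()) for g in groups))


def login_impact(local_groups, idp_groups, group_permissions):
    """Return (new_groups, dropped_groups, lost_permissions) for one user."""
    new_groups = groups_after_login(idp_groups, group_permissions)
    dropped = set(local_groups) - new_groups
    lost = (permissions_of(local_groups, group_permissions)
            - permissions_of(new_groups, group_permissions))
    return new_groups, dropped, lost


def groups_missing_from_idp(group_permissions, idp_group_names):
    """SonarQube groups holding permissions that the IdP cannot populate."""
    return sorted(g for g, perms in group_permissions.items()
                  if perms and g != DEFAULT_GROUP and g not in idp_group_names)


# Constructed sample data: SonarQube groups and the permissions they grant.
GROUP_PERMISSIONS = {
    "sonar-users": {"browse"},
    "release-managers": {"administer-quality-gates"},
    "payments-team": {"administer-payments-project"},
}

if __name__ == "__main__":
    new, dropped, lost = login_impact(
        local_groups={"sonar-users", "release-managers", "payments-team"},
        idp_groups={"payments-team", "contractors"},
        group_permissions=GROUP_PERMISSIONS,
    )
    print("groups after login:", sorted(new))
    print("dropped local groups:", sorted(dropped))
    print("permissions lost:", sorted(lost))
    print("fix in IdP or reassign:", groups_missing_from_idp(
        GROUP_PERMISSIONS, {"payments-team", "contractors"}))
```

Running the audit function against an export of your SonarQube groups and the identity provider's group list before enabling group mapping shows which permission assignments would stop reaching any externally authenticated user.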