I’m testing the SAML authentication on a (docker based) instance of version 10.0.
The authentication is work basically. But, I faced some issues I would like to clarify.
Why a migration is needed for all users individually?
I’ve a server with more than 100 users. Do I really need to “curl” all users to /api/users/update_identity_provider manually?
The login identification seems to be case-sensitive. Is this really necessary and by design?
I have users in the system which are currently identified with a name like lukas but in the Azure AD they are named like Lukas.
Would it be possible to make the identification case-insensitive?
Why the email address is checked while login?
I have a local administrator (no SAML!) which I would like to configure with my personal email address.
The same email address is configured in my personal AD account.
If I have configured both SQ users with the same email address I cannot login anymore with SAML with the following error message:
This account is already associated with another authentication method.
Sign in using the current authentication method,
or contact your administrator to transfer your account to a different authentication method.
This is confusing because the configured identity is the domain user name (onpremisessamaccountname).
I started testing with version 9.9. There I configured the attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/groups as “SAML group attribute”.
After migration to version 10.0 this attribute disapeared from configuration.
Why?
I’m trying to tell you that you’re “How about”-ing a feature that doesn’t exist. It will be more effective if you create a new thread for it in the Product Manager for a Day category.
What exactly is the question? You started with a statement: this setting disappeared. Then you asked whether I (personally?) think the property must not be configurable.
Are you having a problem or did your integration stop working?
I’m not so familiar with all the options of Azure AD. So, I’m not sure whether it could be possible, that the groups are configured in a different property than the default.
All other options, like email address - which is unexpected to be configured differently, are configurable.
For me, SAML is working fine. I added the question to ensure it is working fine for everyone.
My assumption is that the first implementation in 9.9 was the naive one, and the re-working was done after thorough study. So there’s probably not another option for groups. But if there is, I’m sure the users who can give solid use cases will speak up and tell us we messed up.
Just now I found out, that the configuration sonar.auth.saml.group.name is used from sonar.properties, but (anymore) available in the UI.
Without this setting the synchronization of user groups is not working.
So, the configuration is implemented und functioning but disappeared in the UI!?
