OKTA SSO admin users admin access - not staying associated to admin group

Hi Team,
We are facing this issue of admin access getting removed after the users logged in.
Say I am an admin and log in via Okta SSO; my admin rights are revoked after I log out from the application. To be more precise, the user is removed from the sonar administrators group.
We need to add them again to the group to get them admin rights.
This is really frustrating, as no other option is available on the community so far or any specific setting.
We are using Just-in-Time user and group provisioning (default) with empty group name. Also, we are using SAML (Okta) for SSO authentication. Need help to fix this issue ASAP.

Hey there.

What version of SonarQube are you using? This information is requested in the template post.

Version is 10.1

Thanks. That’s very odd – as I’m familiar with a similar bug on an earlier version of SonarQube.

Can you share a screenshot of your SAML config, specifically the empty group parameter?

Version is 10.0. Also, we haven’t changed anything in sonar.properties for SAML; we just configured it in the UI as in the screenshot.

Okay, in that case, it looks similar to another bug that was fixed in 10.1 (SONAR-19194)

The only currently supported version of SonarQube v10.x is v10.3 – you should upgrade.

Hi Colin,
So, do we need to change the latest build wrapper in the pipelines if we upgrade to 10.3?

What will be the impact? I mean, what will be the changes from 10.0 to 10.3 for the development teams?

The Upgrade Notes are a great place to start.


Hi Colin,
We have upgraded to 10.4.1 and still the issue is not resolved.
We are facing the issue of users being removed from groups after logout. We are really getting a lot of pressure from different teams on this issue.

At this point, the most likely issue would be that either the group attribute you’re specifying is wrong, or the attribute doesn’t contain the information you think it does.

You’ll probably need to take a look at the SAML Response (which should be visible in your web.log file with DEBUG level logging turned on, global Administration > System > Log Level) to find out after initiating a login:

  • Is group information actually being returned in the SAML Response?
  • Is the value you’re supplying for sonar.auth.saml.group.name valid?
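
An added example (not part of the thread and not SonarQube code): a small Python check that answers the two questions above for a SAML Response copied out of web.log. It assumes the response is available as raw XML or as the base64 `SAMLResponse` value and that the assertion is not encrypted; the sample response and its attribute names are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_attributes(response: str) -> dict:
    """Return {attribute name: [values]} from a SAML Response (raw XML or base64)."""
    text = response.strip()
    xml = text.encode() if text.startswith("<") else base64.b64decode(text)
    attrs = {}
    for attr in ET.fromstring(xml).iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_group_attribute(response: str, configured_name: str):
    """Return (status, detail) for the name set in sonar.auth.saml.group.name."""
    attrs = saml_attributes(response)
    if configured_name not in attrs:
        # This check matches names exactly, so report near-misses (case differences)
        # first, otherwise list every attribute name the IdP actually sent.
        near = [n for n in attrs if n.lower() == configured_name.lower()]
        return ("MISSING", near or sorted(attrs))
    if not attrs[configured_name]:
        return ("EMPTY", [])  # attribute present but carries no group values
    return ("OK", attrs[configured_name])

# Constructed sample: a trimmed, unsigned Response with hypothetical attribute names.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>sonar-administrators</saml:AttributeValue>
      <saml:AttributeValue>sonar-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for name in ("groups", "Groups", "memberOf"):
        print(name, check_group_attribute(SAMPLE_B64, name))
```

A `MISSING` result with a near-miss name points at the configured attribute name; a `MISSING` result listing only unrelated attributes means the IdP is not sending group information at all.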