Okta SCIM provisioning for new SonarQube Enterprise Environment

Must-share information (formatted with Markdown):

  • SonarQube Enterprise 10.1.0.73491
  • Fargate
  • User permissions to be applied using the Okta SCIM created groups
  • what have you tried so far to achieve this

Hi All,

In a nutshell, our SQEnterprise is integrated with Okta SCIM - Automatic provisioning. We have setup an “Admin” group & a “Okta-Users” group in Okta, and those groups are being properly seen in our Sonar instance.

When a user successfully logs in, they are removed (on the Sonar side) from the Okta created group and placed into sonar-users (Default).

  • Yes, the users are still in their respective Okta groups in the Okta dashboard.
  • No, the users (after login) are no longer visible in the Okta group in the Sonar Admin “/admin/groups”
  • Yes, all of the permissions assigned to that Okta-provisioned group are not applied to the user possibly because they are no longer a part of that group.
  • No, I cannot create groups with matching names, since that option is removed due to Okta Automatic provisioning.
  • Yes, any user that has not logged in yet, is still visible in Sonar admin as being a member of the Okta-provisioned group.

How do i get the users to stay in the Okta provisioned groups?

Hi @chadzynski,

Could you share what is the value of SAML group attribute in Administration → Authentication → SAML → Just-in-Time user and group provisioning ?
If it’s not empty, could you set it to empty (and then change back to Automatic user and group provisioning with SCIM and click Save) and check if it fixes the problem?

Good Morning Wojtek,

Here is a screenshot of current state. The option is currently set to automatic provisioning, and the value on the JIT side was empty. Also, I highlighted the entry to make sure there were no empty characters or spaces.

EDIT: no change in useability.

Wojtek (I can’t @ since the system deems me a new user),

After some further digging, I’m now able to replicate both a working version & a non-working version.

Situation #1:
If a user is added to the Okta group for the first time and that user logs in, their profile will migrate to the “default” Sonar user group and lose their Okta-SCIM group(s).

Situation #2:
I disconnected the full Okta-SCIM implementation. This orphaned all of our existing accounts in Sonar, causing them to become “Local”. I deleted my test accounts manually and setup Okta-SCIM again, with no changes to the configuration. Brand new Sonar users added via SCIM continue to be placed into the “default” group. However, any user that was previously orphaned due to the Okta rebuild is keeping their SCIM group functionality and it is working appropriately. It is as if having had a “Local” account previously (deleted or current) caused the SCIM groups to work.

Even with the second scenario, the core automatic provisioning functionality remains broken.

Hi @chadzynski

When you mention that users

will migrate to the “default” Sonar user group

Does that mean that those users are not part of sonar-users group before they login? That would be unexpected, because sonar-users should contain all users that are in a given SonarQube instance.

Do you have any other authentication providers enabled on your instance apart from SAML?

Hi Wojtek,

As part of the onboarding process into the system, we configured only Okta authentication with SCIM via the admin account.

When we did the first group push to Sonar:

  • all of the groups from Okta appeared appropriately.
  • all of the users in these groups were added to “sonar-users”
  • all of the groups from Okta were empty even though the users were visible in “sonar-users”.
  • none of the permissions assigned to the Okta-based groups were available to users that are in that Okta group.
  • none of the accounts that were imported from Okta appeared with the “local” tag
  • I cannot manage any of the accounts or groups within Sonar, since auto-provisioning is enabled. See screenshot below.

For instance, we have an Okta based “Sonar-Administrators” group. When admins login, I see that their account is added to the “sonar-users” group, however they lose their association to “Sonar-Administrators” and the admin permissions that are assigned to that group. That Okta group is also completely empty of users.

Also - from situation #2 in the above post, users that have active “local” accounts in Sonar, or deleted “local” accounts in Sonar work normally and keep their Okta-Groups and permissions.

Hi @chadzynski ,
In your latest post you wrote:

which sounds like the users were never members of the Okta managed group in SonarQube.

In the first post, you wrote:

When a user successfully logs in, they are removed (on the Sonar side) from the Okta created group and placed into sonar-users (Default).

The user is provisioned and the user has correct group memberships in Okta managed groups and on login, the user gets removed from the Okta managed groups and remains only in sonar-users group.

Can you clarify for me which is the case, especially, whether the users were actually correctly placed in the groups in the first place?

Hi Wojtek,

All users, aside from the built-in Admin, are imported via the Okta-SCIM implementation.

What you mention in the second half of your last post is exactly the issue.

All users are imported via the Okta-SCIM group. After import, the Sonar system removes the Okta group on the Sonar side from the user. Then the sonar-users group is added to the user. This entire process is automatic.

On the Okta side, the users remain in their groups, no changes have been made.

I would suggest walking through this via a screenshare to fully understand what is happening.

tldr:
The Sonar platform is removing the Okta-SCIM group membership from the user even though that’s how the user was imported into Sonar in the first place.

Hi @chadzynski,

Just a couple more clarifying questions:

All users are imported via the Okta-SCIM group.

Does that mean that you add the users to a group in Okta and assign this group to SonarQube application in Okta?

After import, the Sonar system removes the Okta group on the Sonar side from the user. Then the sonar-users group is added to the user.

Does that mean that, after provisioning, there is a time when a user is in the Okta provisioned group in SonarQube and not in sonar-users group, and then ,after some time, they are removed from Okta provisioned group and added to sonar-users?

Do you use the same group to assign users to SonarQube application and Push group memberships?

According to Okta docs this might be causing issues:

The following are the known Group Push limitations:

  • Using the same Okta group for assignments and for group push is not supported. To maintain consistent group membership between Okta and the downstream app, you need to create a separate group that is configured to push groups to the target app.

If this is the case, can you try using separate groups for assignments and pushing group membership and check if this works as expected?

Hi @wojtek.wajerowicz,

We continue to have this problem, even after completely deleting & resetting all of the groups in Okta & Sonar.

We have 1 Okta group setup just for assignment to Sonar.

We have a second Okta group setup that represents just the admins needed for the group.

Adding users to the assignment group works 100% well, and users can login and use the system via the default “sonar-users” group permissions.

However, when I, for instance, look to apply administrator privileges via a group, the group membership appears in the admin interface until the user logs in. Once they login, their “Admin” “Push Group” membership disappears from the Sonarqube side.

Hi @chadzynski,
We’ve recently released SonarQube version 10.2. Could you try upgrading and checking if this is reproducible with the latest version?

@wojtek.wajerowicz - Thank you for pointing us at 10.2.

After the upgrade, we pushed the “admin” group, and saw that all users within that group were properly synced, all users in Okta were appearing in Sonar.

Once one of those users logged into the system, they were removed from the group automatically upon login. We are able to confirm that the users are still present in the group within Okta.

At this point in time we are manually assigning permissions per user, manually, since the group permission assignment “feature” has users being removed from the group.

Unfortunately, we could not reproduce this issue with a similar setup.
At this point, we’re not able to investigate this issue any further.