In a nutshell, our SQEnterprise is integrated with Okta SCIM - Automatic provisioning. We have setup an “Admin” group & a “Okta-Users” group in Okta, and those groups are being properly seen in our Sonar instance.
When a user successfully logs in, they are removed (on the Sonar side) from the Okta created group and placed into sonar-users (Default).
Yes, the users are still in their respective Okta groups in the Okta dashboard.
No, the users (after login) are no longer visible in the Okta group in the Sonar Admin “/admin/groups”
Yes, all of the permissions assigned to that Okta-provisioned group are not applied to the user possibly because they are no longer a part of that group.
No, I cannot create groups with matching names, since that option is removed due to Okta Automatic provisioning.
Yes, any user that has not logged in yet, is still visible in Sonar admin as being a member of the Okta-provisioned group.
How do i get the users to stay in the Okta provisioned groups?
Could you share what is the value of SAML group attribute in Administration → Authentication → SAML → Just-in-Time user and group provisioning ?
If it’s not empty, could you set it to empty (and then change back to Automatic user and group provisioning with SCIM and click Save) and check if it fixes the problem?
Here is a screenshot of current state. The option is currently set to automatic provisioning, and the value on the JIT side was empty. Also, I highlighted the entry to make sure there were no empty characters or spaces.
Wojtek (I can’t @ since the system deems me a new user),
After some further digging, I’m now able to replicate both a working version & a non-working version.
If a user is added to the Okta group for the first time and that user logs in, their profile will migrate to the “default” Sonar user group and lose their Okta-SCIM group(s).
I disconnected the full Okta-SCIM implementation. This orphaned all of our existing accounts in Sonar, causing them to become “Local”. I deleted my test accounts manually and setup Okta-SCIM again, with no changes to the configuration. Brand new Sonar users added via SCIM continue to be placed into the “default” group. However, any user that was previously orphaned due to the Okta rebuild is keeping their SCIM group functionality and it is working appropriately. It is as if having had a “Local” account previously (deleted or current) caused the SCIM groups to work.
Even with the second scenario, the core automatic provisioning functionality remains broken.
As part of the onboarding process into the system, we configured only Okta authentication with SCIM via the admin account.
When we did the first group push to Sonar:
all of the groups from Okta appeared appropriately.
all of the users in these groups were added to “sonar-users”
all of the groups from Okta were empty even though the users were visible in “sonar-users”.
none of the permissions assigned to the Okta-based groups were available to users that are in that Okta group.
none of the accounts that were imported from Okta appeared with the “local” tag
I cannot manage any of the accounts or groups within Sonar, since auto-provisioning is enabled. See screenshot below.
For instance, we have an Okta based “Sonar-Administrators” group. When admins login, I see that their account is added to the “sonar-users” group, however they lose their association to “Sonar-Administrators” and the admin permissions that are assigned to that group. That Okta group is also completely empty of users.
Also - from situation #2 in the above post, users that have active “local” accounts in Sonar, or deleted “local” accounts in Sonar work normally and keep their Okta-Groups and permissions.
All users, aside from the built-in Admin, are imported via the Okta-SCIM implementation.
What you mention in the second half of your last post is exactly the issue.
All users are imported via the Okta-SCIM group. After import, the Sonar system removes the Okta group on the Sonar side from the user. Then the sonar-users group is added to the user. This entire process is automatic.
On the Okta side, the users remain in their groups, no changes have been made.
I would suggest walking through this via a screenshare to fully understand what is happening.
The Sonar platform is removing the Okta-SCIM group membership from the user even though that’s how the user was imported into Sonar in the first place.
Does that mean that you add the users to a group in Okta and assign this group to SonarQube application in Okta?
After import, the Sonar system removes the Okta group on the Sonar side from the user. Then the sonar-users group is added to the user.
Does that mean that, after provisioning, there is a time when a user is in the Okta provisioned group in SonarQube and not in sonar-users group, and then ,after some time, they are removed from Okta provisioned group and added to sonar-users?
Do you use the same group to assign users to SonarQube application and Push group memberships?
According to Okta docs this might be causing issues:
The following are the known Group Push limitations:
Using the same Okta group for assignments and for group push is not supported. To maintain consistent group membership between Okta and the downstream app, you need to create a separate group that is configured to push groups to the target app.
If this is the case, can you try using separate groups for assignments and pushing group membership and check if this works as expected?
We continue to have this problem, even after completely deleting & resetting all of the groups in Okta & Sonar.
We have 1 Okta group setup just for assignment to Sonar.
We have a second Okta group setup that represents just the admins needed for the group.
Adding users to the assignment group works 100% well, and users can login and use the system via the default “sonar-users” group permissions.
However, when I, for instance, look to apply administrator privileges via a group, the group membership appears in the admin interface until the user logs in. Once they login, their “Admin” “Push Group” membership disappears from the Sonarqube side.