OKTA SSO Integration with SonarQube 7.9.1.27448

OrangeQube · October 3, 2019, 6:40pm

I have the following SAML settings on both OKTA and SonarQube and SSO is “kinda” of working (Thanks @AlainODea). However, I am not sure how the grouping work. People are auto assign to “Sonar-Users” group when are first signed in to SonarQube. I have the following group created under AD/Okta and SonarQube and using the setting below.

Internal-sonarqube-admins
Internal-sonarqube-users

Where should I go to setup the correct grouping? Let say User A is assigned to Internal-sonarqube-admins AD/Okta group and that person should auto assign to Interna-sonarqube-admins group and have admin access.

Okta SSO related information:

Here are settings that work for Okta:

Single Sign-On URL https://sonarqube.example.com/oauth2/callback/saml 14
Audience Restriction: sonarqube

Attribute Statements

login = user.login
name = user.login
email = user.email

Group Attribute Statements

groups Starts with: example-internal:sonarqube-

Corresponding settings in SonarQube (https://sonarqube.example.com/admin/settings?category=saml 13)

sonar.auth.saml.applicationId = sonarqube
sonar.auth.saml.providerName = SAML
sonar.auth.saml.providerId = entityId from SAML metadata, aka Identity Provider Issuer URI
sonar.auth.saml.loginUrl = HTTP-POST binding location from SAML metadata, Identity Provider Single Sign-On URL
sonar.auth.saml.certificate.secured = X509Certificate text in KeyInfo use=signing from SAML metadata, X.509 Certificate
sonar.auth.saml.user.login = login
sonar.auth.saml.user.name = name
sonar.auth.saml.user.email = email
sonar.auth.saml.group.name = groups

julienlancelot · October 4, 2019, 2:12pm

Hi,

The group mapping is described here : https://docs.sonarqube.org/latest/instance-administration/delegated-auth/#header-4 (it’s working the sam way for all authentication system).

Group need to exist with the same name in SonarQube and Okta.

Regards

OrangeQube · October 4, 2019, 8:57pm

Oh I answer my own question.

Group Attribute Statements from the Okta’s side:

groups Starts with: internal:sonarqube-

That will bypass any groups under AD/Okta such as internal:sonarqube-users or internal:sonarqube-admins over to SonarQube grouping.

julienlancelot · October 7, 2019, 7:44am

Good news, thanks for sharing the solution of your issue !