OKTA SSO Integration with SonarQube 7.9.1.27448

I have the following SAML settings on both OKTA and SonarQube, and SSO is “kinda” working (thanks @AlainODea). However, I am not sure how the grouping works. People are auto-assigned to the “Sonar-Users” group when they are first signed in to SonarQube. I have the following groups created under AD/Okta and SonarQube and am using the settings below.

  • Internal-sonarqube-admins
  • Internal-sonarqube-users

Where should I go to set up the correct grouping? Let's say User A is assigned to the Internal-sonarqube-admins AD/Okta group, and that person should be auto-assigned to the Internal-sonarqube-admins group and have admin access.

Okta SSO related information:

Here are settings that work for Okta:

Attribute Statements

  • login = user.login
  • name = user.login
  • email = user.email

Group Attribute Statements

groups Starts with: example-internal:sonarqube-

Corresponding settings in SonarQube (https://sonarqube.example.com/admin/settings?category=saml)

  • sonar.auth.saml.applicationId = sonarqube

  • sonar.auth.saml.providerName = SAML

  • sonar.auth.saml.providerId = entityId from SAML metadata, aka Identity Provider Issuer URI

  • sonar.auth.saml.loginUrl = HTTP-POST binding location from SAML metadata, Identity Provider Single Sign-On URL

  • sonar.auth.saml.certificate.secured = X509Certificate text in KeyInfo use=signing from SAML metadata, X.509 Certificate

  • sonar.auth.saml.user.login = login

  • sonar.auth.saml.user.name = name

  • sonar.auth.saml.user.email = email

  • sonar.auth.saml.group.name = groups

Hi,

The group mapping is described here: https://docs.sonarqube.org/latest/instance-administration/delegated-auth/#header-4 (it’s working the same way for all authentication systems).

Groups need to exist with the same name in SonarQube and Okta.

Regards

Oh, I answered my own question.

Group Attribute Statements from the Okta’s side:

groups Starts with: internal:sonarqube-

That will bypass any groups under AD/Okta such as internal:sonarqube-users or internal:sonarqube-admins over to SonarQube grouping.

Good news, thanks for sharing the solution to your issue!
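
To check the mapping the thread describes (Okta sends group names in the `groups` attribute, and a group must exist under the same name in SonarQube), the following added example, which is not part of any post and is not SonarQube or Okta code, reads the AttributeStatement of a decoded SAML assertion and reports which group values have a same-named SonarQube group. The sample assertion, the SonarQube group list and the exact, case-sensitive comparison are assumptions; the script does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names taken from the sonar.auth.saml.* settings quoted in the thread.
SETTINGS = {"login": "login", "name": "name", "email": "email", "groups": "groups"}

# Constructed sample: AttributeStatement copied out of a decoded SAML response.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="login"><saml:AttributeValue>usera@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="name"><saml:AttributeValue>usera@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>usera@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>internal:sonarqube-admins</saml:AttributeValue>
    <saml:AttributeValue>internal:sonarqube-users</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical SonarQube group list: one group uses the name Okta sends,
# the other still uses the hyphenated name from the original question.
SONARQUBE_GROUPS = {"sonar-users", "internal:sonarqube-admins", "Internal-sonarqube-users"}


def read_attributes(xml_text):
    """Return {attribute name: [values]} for every SAML Attribute element."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue") if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def group_report(xml_text, sonarqube_groups):
    """Compare the groups sent in the assertion with groups existing in SonarQube."""
    attrs = read_attributes(xml_text)
    sent = attrs.get(SETTINGS["groups"], [])
    return {
        "login": (attrs.get(SETTINGS["login"]) or [None])[0],
        # Assumption: names must match exactly, including case and separators.
        "matched": sorted(g for g in sent if g in sonarqube_groups),
        "unmatched": sorted(g for g in sent if g not in sonarqube_groups),
        # Attributes the SonarQube settings expect but the assertion lacks.
        "missing_attributes": [k for k in ("login", "name", "groups")
                               if not attrs.get(SETTINGS[k])],
    }


if __name__ == "__main__":
    for key, value in group_report(SAMPLE, SONARQUBE_GROUPS).items():
        print(f"{key}: {value}")
```

A group listed under `unmatched` was sent by the identity provider but has no same-named group on the SonarQube side to map to.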