OneLogin + SonarQube

Hello, I have a doubt. I’ve configured my SonarQube with OneLogin using SAML and it syncs the users fine but not the groups. I’ve activated the TRACE logs and they show that the groups come as one big string with all Google groups in this format: “[name=group1;name=group2]”. Shouldn’t the SAML Response come as “[group1, group2]”?

I’m using Enterprise Edition * Version 9.4 (build 54424)

Best Regards

Hi,

I’m not sure about the appropriate format - I’m going to assume that it’s being sent correctly and/or that we’ve already handled parsing it.

Have you enabled group synchronization? I believe this is done by setting the SAML group attribute.

 
Ann

Hi Ann, yes I am:

I don’t know if there is any other way to parse the request in the format OneLogin is sending me :frowning:

Best Regards

Hi,

Okay, the first question is: do the groups exist - same spelling - in SonarQube? That’s a prereq. for synching: it’ll only sync membership in groups that already exist in SQ; it won’t create new groups.

If they do, it’s time to take a closer look at the server logs. You’ll need to crank the log level up to TRACE IIRC, log in, and then immediately reset the log level back to INFO (because the logs get big fast at that level). Then check the logging for your authentication and see if there’s anything helpful in there.

 
Ann

Hi Ann,

Yes, I got the logs in TRACE and the groups are coming as a big string instead of a list, for example:

“[name=group1;name=group2]”

and it should be “[group1,group2]”

Best Regards

Hi,

Sorry, you did start with the fact that you had the trace logs already. And can you confirm that the groups exist in SonarQube?

 
Ann

No problem :slight_smile: yes, the group exists on the string from the response from OneLogin:

List of groups returned by the identity provider “[name=group1;name=group2]”

and on Sonarqube created by me.

best regards

Hello @lmmc

How did you configure groups in parameter mappings in OneLogin?

Hey Jacek, thank you for your time! I’ve created 4 parameters:

login (type Email)
mail (type Email)
name (type First Name)
groups (type GoogleGroups (custom))

All these values come with the right information besides groups, which brings that weird format.

best regards

Thanks for sharing. Is there any other way you can configure the groups parameter?

SonarQube is expecting the group names in a single attribute with several values, like:

<Attribute Name="groups">
 <AttributeValue>group1</AttributeValue>
 <AttributeValue>group2</AttributeValue>
 <AttributeValue>group3</AttributeValue>
</Attribute>

Yes, I understand that is the format that he receives, unfortunately, OneLogin sends everything in one attribute with all groups :frowning: and I’m not an admin on that platform. It’s probably best to talk with them to change the way we send groups somehow! Thank you :slight_smile:

Best Regards


I could finally make this work. I had to change to another attribute that had the same information, and now it works great group-mapping-wise :smiley: Now I have another issue which I hope you can help me with… When I’m logged in, if someone else logs in as well, I lose my login (my account even disappears from SonarQube) and I become logged in with this person’s account :laughing:

It looks like the login keeps my name (luis1234) but with this person’s name and email :thinking:

That’s a bit strange, is your mapping for sonar.auth.saml.user.login correct? Is the second user using an attribute value that is the same as the first one who is logging in?

Hey Jacek, glad to hear from you again! :slight_smile:

I’ve this configured, and on the OneLogin side I’ve used the Email type to fill this.

Does the second user have the same name or email address as your first user?

Nope, the name and email are correct, but that ID near the name is mine:

image

and when the other user logs in:

image

In that case, is the login mapping on the OneLogin side correct? If you enable trace or debug logs, what does the user identity look like for both of the users? (If you enable TRACE you should be able to see a log like Attributes received : {} after a successful login. Please be careful not to share any sensitive information.)

The logs give me this:

Attributes received : {name=[Sandra], login=[https://sonarqube.xxxxxxxx.com/], mail=[sandra.xxxxxxx@xxxxx.com], groups=[group1,group2]}

Should the login contain the SonarQube address? :thinking:

:joy: Definitely not, it should be a unique identifier from your SAML provider (it can be email address or something else which is unique for a user)
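
Added example, not part of the thread and not SonarQube or OneLogin code: a small Python check for the two mapping problems discussed above, run over a constructed SAML AttributeStatement. It flags a groups attribute that packs several groups into one value and a login value that is a URL or is shared by several users; the attribute names `login` and `groups` follow the OneLogin parameters listed in the thread, the `;` / `name=` test is a heuristic, and the sample values and function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample reproducing both symptoms from the thread.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="login"><saml:AttributeValue>https://sonarqube.example.com/</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mail"><saml:AttributeValue>sandra@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>name=group1;name=group2</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def attributes(xml_text):
    """Return {attribute name: [values]} for every saml:Attribute element."""
    out = {}
    for attr in ET.fromstring(xml_text).iter("{%s}Attribute" % NS["saml"]):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out

def check(attrs, login_attr="login", group_attr="groups"):
    """Return findings for one user's attributes (empty list means OK)."""
    findings = []
    logins = attrs.get(login_attr, [])
    if len(logins) != 1 or not logins[0]:
        findings.append("login: expected exactly one non-empty value")
    elif "://" in logins[0]:
        findings.append("login: value is a URL, not a per-user identifier")
    for value in attrs.get(group_attr, []):
        # Heuristic: one AttributeValue should carry exactly one group name.
        if ";" in value or value.startswith("name="):
            findings.append("groups: several groups packed into one value: %r" % value)
    return findings

def shared_logins(sessions, login_attr="login"):
    """sessions: {person: attrs}. Return login values sent for more than one person."""
    seen = {}
    for person, attrs in sessions.items():
        for login in attrs.get(login_attr, []):
            seen.setdefault(login, set()).add(person)
    return {login: sorted(p) for login, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    for finding in check(attributes(SAMPLE)):
        print(finding)
```

Feed it the attribute statements captured from two different users' logins; any entry returned by `shared_logins` means both users will resolve to the same SonarQube account.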