Configured SAML sso with Entra, and when pressing the saml button on the login page I’m getting in.
The problem is that I want to manage the app with Group access. I’ve created matching groups on both Sonar and Entra, configured the claim in the SAML assertion, and… nada. Groups are not syncing.
Second thing is I can’t login to SonarQube when initiating the login form Entra. I’m either getting to the login page or getting a “You’re not authorised to view this page” prompt.
After spending multiple hours researching this “feature” online I found scarce information in third party forums that one of the links in the Entra config is incorrect.
It would be great if such things were documented.
Anyone any idea why are SAML groups not syncing?
Anyone any idea why sso from the login page is workign but not from the Identity Provider page?
What, if anything, shows up in your web.logserver log? You may need to enable DEBUG logging (briefly! DEBUG server logs get big, fast!) to see much of value.
You’re starting from Entra and trying to have it launch you into SonarQube? It doesn’t work that way.
HI Ann
Thanks for the tip on the group synchronisation. I wasn’t aware one has to enable the group sync separately. Based on previous experience this is usually just part of the assertion, and if the app takes it “it just works”.
Anyway, I’ve read the documentation, populated the groups value in the SAML config, and now it’s almost working. I’ve two groups in the directory, one for default users, one for admins. I’m a member of both, yet when I logged in via sso only one group was synced. Groups value is a combination field parsing any group matching a “Sonar-*” mask.
Initiating login from the identity provider is a standard practice, it’s possible regardless of if you have IdP or SP sso configured. I’ve dozens of apps workign this way, and this would be the go-to solution.
Whenever I try to do sso this way to my Sonar instance I’m getting a “You’re not authorised to see this page” but upon refresh end up with an authenticated session. Taking an educated guess it’s a landing page link that needs to be altered somewhere but I can’t put my finger on it. Any advice here greatly appreciated
I thought we were working on missing group sync. What’s synced - or not - should be reflected in your DEBUGweb.log.
Again, as Colin and I have both stated, SonarQube doesn’t work that way. You can’t launch into SonarQube starting from your IdP. Login must be initiated from SonarQube.
Holy smokes, it worked! Yaay!
I had my IdP login url set to https://<sq-url>/sessions/new?return_to=%2F
After comparing your results and modifying the url it worked! I’ve IdP sso for SonarQube from the app aggregation page (*MyApps)
This should land in the documentation somewhere.
I’m working on the log now.
As a reminder, the group sync is half-working. I’m a member of two SonarQube groups that are the same name both in Entra and in Sonar, but only one group is syncing. Logs to follow shortly.
[o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider '[SonarQube.App, SonarQube.App.admin]'
[o.s.s.u.NewUserNotifier] User created: <my-username>. Notifying NewUserHandler handlers...
This is from web.log. Clearly the assertion is passing down two group names as part of the groups claim, yet only one is being ingested into SonarQube.
Both groups exist in Sonar, case match.
Which group is being lost in the shuffle? Is it the longer one with two dots? I’m wondering if the dots are part of the problem. Do you have any group names without dots? And if so, how are they affected (or not)?
Also, this seems like the web log for a brand new user, but your redaction subs in ‘<my-username>’. What happens on subsequent login? Because groups should be synced at each login. And did you delete your user account for this log-demo? (User deletion is only a soft deletion, so this wasn’t an entirely new user if I’m right here.)
JIT as in just in time user provisioning enabled in Sonarqube configuration. This is a tickbox in the saml setup for Sonar, ensuring users are created automatically on first successful saml login.
I’ve only two groups for this: SonarQube.app and SonarQube.app.admin; only the admin one is syncing.
You’ve said the group names are spelled the same, including capitalization. I’d like to eliminate leading/trailing whitespace as a cause. Can you check the result of the /api/v2/authorizations/groups and make sure there’s no whitespace in the name?
Ann you were right all along.
While following your suggestion to eliminate any whitespaces I noticed that I’ve become a victim of the Microsoft Ecosystem where one of the group names got auto-capitalised therefore the synced group names were NOT equal when case sensitive.
After the group name was updated to be the same on both Sonar and Entra side everything worked like a charm.
Kudos for the patience and persistence, we got it!
