Version
SonarQube 9.1.0.47736
What are you trying to achieve:
I have SAML configured and working, but user AD groups in the SAML won’t sync with SonarQube groups (users are only added to sonar-users group).
What have you tried so far to achieve this:
- Configured SAML login (with ADFS) and users can log in successfully
- Created groups in SonarQube with exact same name as groups in SAML message
Expectation
After login, the user should be a member of the groups in SonarQube that are also in the SAML groups list.
Analysis so far
I’ve looked at the log and found that there are no groups returned by the identity provider when a user successfully logs in:
2021.10.25 19:01:35 DEBUG web[AXy4Ynwl5mgB71KeAABV][o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider '[]'
I’ve found the implementation on the internet, and this would explain my problem, because it only executes the syncgroups code if this list is populated.
But I don’t understand why it’s empty. A few lines before this in the log it prints out the SAML response attributes, and it identifies the groups correctly (data is obfuscated). This also perfectly matches the SAML I captured in the browser for this user. I would expect the groups in the log line above:
2021.10.25 19:01:35 DEBUG web[AXy4Ynwl5mgB71KeAABV][c.o.s.a.SamlResponse]
SAMLResponse has attributes: {
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[Sonarcube, User (U.)],
http://schemas.xmlsoap.org/claims/Group=[Domain Users, AllUsers, DisableClientDrives,
InputLanguagexxxxxx, KeyboardUnitedStatesInternational, Languagexxxxxx,
Localexxxxxx, Locationxxxxxxxxxx, PrinterConnect, RequestRemoteAssistance,
SpellcheckLanguagexxxxxx, TerminalServerMaxDisconnected60min,
TerminalServerMaxIdle60min, AllCustomers@ApplicationNet, AllUsers_xxxxx,
DisableClient_xxxxx, Languagexxxxxx_xxxxx, XXXXWorks_xxxxx,
XXXXWorks000_xxxxx, PrinterConnec_xxxxx, SpellcheckLan_xxxxx,
Terminal Server Max Idle 60 min xxxxx, Terminal Server Max Disconnected 60 min xxxxx,
Locale xxxxxx xxxxx, Keyboard United States International xxxxx, Location xxxxxxxxxx xxxxx,
Inputlanguage xxxxxx xxxxx, Desktop0000, Desktop000_xxxxx, GoogleChromeEnte,
MicrosoftTermina, GoogleChromeE_xxxxx, MicrosoftTerm_xxxxx,
RequestRemoteAssistance_xxxxx, xxxxxxxxxxx-xxxxx-O-XX-xxxxxx_xxxxx,
xxxxxxxxxxx-xxxxx-x-XX-O-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-x-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-x-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-EXTRAXXX-XX-O_xxxxx, xxxxxxxxxxx-xxxxx-x-EXTRAXXX-XX-T_xxxxx, xxxxxxxxxxx-xxxxx-x-EXTRAXXX-XX-A_xxxxx, DesktopXXxxxxxxxxx, DesktopXXxxxxxxxxx_xxxxx, NoUsers_swp, PrinterService, DynamicPACFile,
xxxxxxxxxxxdefaultprinter, xxxxxxxxxxxdefaultprinter_xxxxx, NoUsers_XXX, AllDesktops, AllDesktops_xxxxx, xxxxxxxxxxx-xxxxx-x-XXXX-003_xxxxx, XX-O-XXXX_xxxxx, XX-x-XXXX_xxxxx, XX-x-XXXX_xxxxx, MicrosoftEdge, MicrosoftEdge_xxxxx, xxxxxxxxxxx-xxxxx-DET-XX-A_xxxxx, xxxxxxxxxxx-xxxxx-DET-XX-O_xxxxx, xxxxxxxxxxx-xxxxx-DET-XX-T_xxxxx, XX_XXXX-O-XXXX_xxxxx, XX_XXXX-x-XXXX_xxxxx, XX_XXXX-x-XXXX_xxxxx,
xxxxxxxxxxx-xxxxx-O-XX_XXXX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-O-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-x-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-x-STORAGE_xxxxx, GoogleChromeEnterprise-MigrateData,
MicrosoftOfficeTelemetry1, MicrosoftOfficeTelemetry1_xxxxx, MicrosoftOfficeTelemetry1DisableObfuscation, MicrosoftOfficeTelemetry1DisableObfuscation_xxxxx, GoogleChromeEnterprise-MigrateData_xxxxx,
xxxxxxxxxxx-xxxxx-x-SONARQUBE-USERS_xxxxx, xxxxxxxxxxx-xxxxx-x-XXXXXXX-STAKEHOLDERS_xxxxx],
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[testXXX@xxxxx.xxx],
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=[testXXX@xxxxx.xxx]}
My group “xxxxxxxxxxx-xxxxx-x-SONARQUBE-USERS_xxxxx” matches the group in SonarQube exactly.
Can anybody explain why there are no groups in “List of groups returned by the identity provider '[]'”?
Are there too many groups? Is there a problem with the group list? Some have spaces, but I guess this is a serialized list, so it should not matter?
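The lookup step between the two log lines quoted in the post is worth making concrete. SonarQube reads group membership from the SAML attribute whose Name equals the configured group attribute (the “SAML group attribute” setting, `sonar.auth.saml.group.name`); an attribute Name that differs from that setting in any character yields an empty list even though the values are visibly present in the response, and each group is a separate AttributeValue element, so spaces inside a group name do not affect the lookup. The following Python script is an added example, not SonarQube’s code: it parses a constructed, unsigned response that mirrors the ADFS claim URIs from the post, looks up the group attribute by exact Name, and models the “only sync when the list is non-empty, and only for groups that already exist” behaviour the post describes. The sample response, the group names in it, and the `groups_to_sync` model are assumptions made for illustration.

```python
"""Added example (not SonarQube's own code): parse a SAML Response's
AttributeStatement and look up the group attribute by its exact Name.
The sample response below is constructed for illustration; the claim
URIs mirror the ADFS claims quoted in the post."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: a minimal, unsigned Response with the same claim names as
# the ADFS response in the post. A real response also carries Signature,
# Subject, Conditions and more; only the attribute part matters here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Sonarcube, User (U.)</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>Terminal Server Max Idle 60 min</saml:AttributeValue>
        <saml:AttributeValue>example-SONARQUBE-USERS</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>test@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(response_xml: str) -> dict:
    """Return {attribute Name: [values, ...]} for every Attribute in the response.
    Each AttributeValue element is one value, so spaces inside a value are kept
    verbatim and never split a group name."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attribute.get("Name")
        values = [(v.text or "") for v in attribute.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def groups_from_response(response_xml: str, group_attribute_name: str) -> list:
    """Look up the configured group attribute by exact, case-sensitive Name.
    A configured name that differs from the attribute's Name (different casing,
    a short alias such as 'Group', a stray trailing character) returns [] even
    though the values are present in the response."""
    return saml_attributes(response_xml).get(group_attribute_name, [])


def groups_to_sync(idp_groups: list, sonarqube_groups: set) -> list:
    """Simplified model (an assumption, not SonarQube's implementation) of the
    behaviour the post describes: nothing is synced when the provider returned no
    groups, and only groups that already exist in SonarQube are assigned."""
    if not idp_groups:
        return []
    return [g for g in idp_groups if g in sonarqube_groups]


if __name__ == "__main__":
    configured = "http://schemas.xmlsoap.org/claims/Group"
    print("exact name  ->", groups_from_response(SAMPLE_RESPONSE, configured))
    print("wrong case  ->", groups_from_response(SAMPLE_RESPONSE, configured.lower()))
    print("short alias ->", groups_from_response(SAMPLE_RESPONSE, "Group"))
```

Running the script prints the three group values for the exact Name and an empty list for the two mismatched names; the empty list is then exactly what the `groups_to_sync` model leaves untouched, which matches the post’s observation that the user ends up only in sonar-users.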