SAML login won't sync groups for user

Version

SonarQube 9.1.0.47736

What are you trying to achieve:

I have SAML configured and working, but user AD groups in the SAML won’t sync with SonarQube groups (users are only added to sonar-users group).

What have you tried so far to achieve this:

  • Configured SAML login (with ADFS) and users can log in successfully
  • Created groups in SonarQube with exact same name as groups in SAML message

Expectation

After login, the user should be a member of the groups in SonarQube that are also in the SAML groups list.

Analysis so far

I’ve looked at the log and found that there are no groups returned by the identity provider when a user successfully logs in:

2021.10.25 19:01:35 DEBUG web[AXy4Ynwl5mgB71KeAABV][o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider '[]'

I’ve found the implementation on the internet, and this would explain my problem, because it only executes the syncgroups code if this list is populated.

But I don’t understand why it’s empty. A few lines before this in the logging it prints out the SAML response attributes and it identifies the groups correctly (data is obfuscated). This also matches the SAML response I captured in the browser for this user. I would expect the groups in the logging above:

2021.10.25 19:01:35 DEBUG web[AXy4Ynwl5mgB71KeAABV][c.o.s.a.SamlResponse]
 SAMLResponse has attributes: {
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[Sonarcube, User (U.)], 
http://schemas.xmlsoap.org/claims/Group=[Domain Users, AllUsers, DisableClientDrives, 
InputLanguagexxxxxx, KeyboardUnitedStatesInternational, Languagexxxxxx, 
Localexxxxxx, Locationxxxxxxxxxx, PrinterConnect, RequestRemoteAssistance, 
SpellcheckLanguagexxxxxx, TerminalServerMaxDisconnected60min, 
TerminalServerMaxIdle60min, AllCustomers@ApplicationNet, AllUsers_xxxxx, 
DisableClient_xxxxx, Languagexxxxxx_xxxxx, XXXXWorks_xxxxx, 
XXXXWorks000_xxxxx, PrinterConnec_xxxxx, SpellcheckLan_xxxxx, 
Terminal Server Max Idle 60 min xxxxx, Terminal Server Max Disconnected 60 min xxxxx, 
Locale xxxxxx xxxxx, Keyboard United States International xxxxx, Location xxxxxxxxxx xxxxx, 
Inputlanguage xxxxxx xxxxx, Desktop0000, Desktop000_xxxxx, GoogleChromeEnte, 
MicrosoftTermina, GoogleChromeE_xxxxx, MicrosoftTerm_xxxxx, 
RequestRemoteAssistance_xxxxx, xxxxxxxxxxx-xxxxx-O-XX-xxxxxx_xxxxx,
 xxxxxxxxxxx-xxxxx-x-XX-O-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-x-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX-x-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-EXTRAXXX-XX-O_xxxxx, xxxxxxxxxxx-xxxxx-x-EXTRAXXX-XX-T_xxxxx, xxxxxxxxxxx-xxxxx-x-EXTRAXXX-XX-A_xxxxx, DesktopXXxxxxxxxxx, DesktopXXxxxxxxxxx_xxxxx, NoUsers_swp, PrinterService, DynamicPACFile,
xxxxxxxxxxxdefaultprinter, xxxxxxxxxxxdefaultprinter_xxxxx, NoUsers_XXX, AllDesktops, AllDesktops_xxxxx, xxxxxxxxxxx-xxxxx-x-XXXX-003_xxxxx, XX-O-XXXX_xxxxx, XX-x-XXXX_xxxxx, XX-x-XXXX_xxxxx, MicrosoftEdge, MicrosoftEdge_xxxxx, xxxxxxxxxxx-xxxxx-DET-XX-A_xxxxx, xxxxxxxxxxx-xxxxx-DET-XX-O_xxxxx, xxxxxxxxxxx-xxxxx-DET-XX-T_xxxxx, XX_XXXX-O-XXXX_xxxxx, XX_XXXX-x-XXXX_xxxxx, XX_XXXX-x-XXXX_xxxxx, 
xxxxxxxxxxx-xxxxx-O-XX_XXXX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-xxxxxx_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-O-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-x-STORAGE_xxxxx, xxxxxxxxxxx-xxxxx-x-XX_XXXX-x-STORAGE_xxxxx, GoogleChromeEnterprise-MigrateData, 
MicrosoftOfficeTelemetry1, MicrosoftOfficeTelemetry1_xxxxx, MicrosoftOfficeTelemetry1DisableObfuscation, MicrosoftOfficeTelemetry1DisableObfuscation_xxxxx, GoogleChromeEnterprise-MigrateData_xxxxx, 
xxxxxxxxxxx-xxxxx-x-SONARQUBE-USERS_xxxxx, xxxxxxxxxxx-xxxxx-x-XXXXXXX-STAKEHOLDERS_xxxxx], 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[testXXX@xxxxx.xxx], 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=[testXXX@xxxxx.xxx]}

My group “xxxxxxxxxxx-xxxxx-x-SONARQUBE-USERS_xxxxx” matches the group in SonarQube exactly.

Can anybody explain why there are no groups in "List of groups returned by the identity provider '[]'"?

Are there too many groups? Is there a problem with the groups list? Some have spaces, but I guess this is a serialized list, so it should not matter.

I’ve filtered all other groups in the ADFS claim, it now only returns the single group necessary and matching the group configured in SonarQube:

[c.o.s.a.SamlResponse] SAMLResponse has attributes:
{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[Sonarcube, User (U.)], 
http://schemas.xmlsoap.org/claims/Group=[xxxxxxxxxxx-xxxxx-x-SONARQUBE-USERS_xxxxx], 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=[testXXX@xxxxx.xxx], 
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=[testXXX@xxxxx.xxx]}

Still empty and no matching group:

[o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider '[]'

I also added my test user to some random test group I created in SonarQube, and after the user logs in it removes membership of that group. So it does do something to sync group membership; it just won't recognize my specific group in the SAML response.

Hello @kross

As we discussed the claims are case-sensitive and the problem came from a mismatch between what IDP was sending (http://schemas.xmlsoap.org/claims/Group) and what was configured on SonarQube side via sonar.auth.saml.group.name parameter (http://schemas.xmlsoap.org/claims/group).

Best regards
Michal
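The root cause in the reply above is a case-sensitive attribute-name lookup: the IdP sends `.../claims/Group`, the configured `sonar.auth.saml.group.name` says `.../claims/group`, and the exact-match lookup returns nothing, so the group list is empty and every group membership is stripped. The script below is an added example (not SonarQube's code and not Michal's or kross's) that reproduces that failure offline and flags the near-miss. It parses the AttributeStatement of a constructed SAML assertion whose attribute names and a few values mirror the redacted log lines in the thread, looks the group attribute up exactly as a case-sensitive dictionary lookup would, and then reports whether the configured name matches exactly, matches only when case is ignored, or is absent. The function names `parse_attributes`, `groups_for`, `diagnose` and `sync_candidates` are hypothetical.

```python
"""Offline check for a SAML group-attribute name mismatch.

Added example, not SonarQube code. It shows why a case-sensitive
attribute-name lookup yields an empty group list when the IdP sends
'.../claims/Group' but the configuration says '.../claims/group'.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture). Attribute names and
# values are taken from the redacted log lines in the thread; signature,
# Subject and Conditions elements are omitted because they play no part
# in attribute lookup.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml2:AttributeValue>Sonarcube, User (U.)</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml2:AttributeValue>xxxxxxxxxxx-xxxxx-x-SONARQUBE-USERS_xxxxx</saml2:AttributeValue>
      <saml2:AttributeValue>Terminal Server Max Idle 60 min xxxxx</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml2:AttributeValue>testXXX@xxxxx.xxx</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values...]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def groups_for(attrs: Dict[str, List[str]], configured_name: str) -> List[str]:
    """Case-sensitive lookup of the configured group attribute.

    This is the behaviour described in the reply: a name that differs
    only in case is a different key, so the result is an empty list.
    """
    return attrs.get(configured_name, [])


def diagnose(attrs: Dict[str, List[str]], configured_name: str) -> Tuple[str, Optional[str]]:
    """Classify the configured name against what the IdP actually sent.

    Returns ("ok", name) on an exact match, ("case-mismatch", actual_name)
    when only the case differs, and ("missing", None) otherwise.
    """
    if configured_name in attrs:
        return "ok", configured_name
    for name in attrs:
        if name.lower() == configured_name.lower():
            return "case-mismatch", name
    return "missing", None


def sync_candidates(saml_groups: List[str], sonar_groups: List[str]) -> List[str]:
    """Groups that would be synced: exact, whitespace-sensitive name matches."""
    known = set(sonar_groups)
    return [g for g in saml_groups if g in known]


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    for configured in ("http://schemas.xmlsoap.org/claims/group",
                       "http://schemas.xmlsoap.org/claims/Group"):
        status, actual = diagnose(attrs, configured)
        print(f"{configured!r}: groups={groups_for(attrs, configured)} status={status} actual={actual}")
    print(sync_candidates(groups_for(attrs, "http://schemas.xmlsoap.org/claims/Group"),
                          ["xxxxxxxxxxx-xxxxx-x-SONARQUBE-USERS_xxxxx", "sonar-users"]))
```

Run against a decoded SAMLResponse captured from the browser (the assertion is base64 in the `SAMLResponse` form field), the `case-mismatch` result is the one to look for when the attribute log line shows the groups but the registrar log line shows `'[]'`.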