SAML SSO config error "Hey! Sorry, but we couldn't verify your authorization to access this page"

Hello!

I have been given the task of setting up EntraID SAML SSO with SonarQube.

I have followed several guides, mainly "Configure SonarQube for Single sign-on with Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn" and "SAML SSO with MS Entra ID | SonarQube Server Documentation", but both guides are not 100% easy to follow.

When I try to log in now using the SSO button, I get the error message “Hey! Sorry, but we couldn’t verify your authorization to access this page.”

I have been back and revisited the guides numerous times and also checked out previous posts, but as people get assistance from DMs, there is no fix posted.

I have a feeling one part of my config could be slightly off, or one of the claims is incorrect.
Is anyone able to assist please?

Hello @Becky, welcome to our community!
I’m sorry to hear the SSO configuration guides weren’t as clear as they should be. We’ve received similar feedback recently, and I’m happy to share that a new, much simpler SSO configuration flow will soon be available on SonarQube Cloud.

If you’d like early access to test it out, just send me a DM with your enterprise key – I’d be happy to set that up for you.

In the meantime, I think the issue you’re facing is due to a failing group sync issue: please double-check that the groups attribute is properly configured in Entra ID with the correct mapping, and that the group names match exactly between Entra and SonarQube Cloud.

Best,

Hi Nour, thank you for your reply, very much appreciated.

I think I will pass on the offer to test out the new process. I need to keep the process as stable as possible so that I do not have to troubleshoot further if any issues are encountered.

As for the group sync issues, I believe the groups attribute is correct according to the documentation, certainly from the EntraID side anyway.


The only thing I am unsure of is the SAML configuration on the SonarQube side.

In the Attributes & Claims section, select Edit to open the Attributes & Claims page. On this page:

  • Copy the Claim name (URL-type value) of the attribute used for Name to the SonarQube Cloud’s User Name Attribute.
  • Copy the Claim name (URL-type value) of the attribute used for Login to the SonarQube Cloud’s User Login Attribute.
  • Copy the Claim name (URL-type value) of the attribute used for Email to the SonarQube Cloud’s User Email Attribute.

I have tried simply the claim value (as I have seen this in other people’s screenshots) and also the URL of the claim name, which the above part of the guide seems to indicate is the correct way. But still no joy.

Are you able to be a little more specific as to what I should be checking if the groups attribute is incorrect?

Hi Nour, P.S. I was looking to DM you with my specific configuration, but as I am new I don’t think I have that option, and I cannot tag you either.

Happy to say this was resolved during a call with Nour.

For anyone having the same issue.

Basic SAML config in Azure Enterprise App:

| Azure field | SonarQube field |
|---|---|
| Identifier (Entity ID) | SP Identity ID |
| Reply URL (Assertion Consumer Service URL) | SSO URL |
| Sign on URL | Log in URL |
| Relay State (Optional) | Your webpage address e.g. https://sonarcloud.io/enterprise/yourcompany |
| Logout Url (Optional) | Blank |

The following claims are needed in Azure:

| Claim name | Type | Value |
|---|---|---|
| Unique User Identifier (Name ID) | SAML | user.userprincipalname [nameid-format:emailAddress] |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/groups | SAML | user.groups [ApplicationGroup] |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email | SAML | user.mail |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Login | SAML | user.userprincipalname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Name | SAML | user.givenname |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Surname | SAML | user.surname |

Which should then be entered into SonarQube using the full URL:

User Name Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Name

User Login Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Login

User Email Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email

I hope this helps someone!

1 Like
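
A way to check the mapping described in the resolution above, as an added example that is not part of the original thread or SonarQube's own code: it compares the attribute names entered in SonarQube with the names present in a decoded SAML assertion. The sample assertion is constructed, and the `Groups` label and the use of exact, case-sensitive name matching are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute names as entered on the SonarQube side (full claim URLs from the post).
# The "Groups" label is an assumption; the post only gives the claim URL.
CONFIGURED = {
    "User Name Attribute": CLAIMS + "Name",
    "User Login Attribute": CLAIMS + "Login",
    "User Email Attribute": CLAIMS + "Email",
    "Groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed sample assertion (not real traffic): the e-mail is sent under a
# different claim name than the one configured, and Login carries no value.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}Name"><saml:AttributeValue>Becky</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}Login"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>becky@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CONFIGURED['Groups']}"><saml:AttributeValue>sonar-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(xml_text):
    """Return {attribute Name: [non-empty values]} from a decoded SAML assertion."""
    root = ET.fromstring(xml_text)  # use defusedxml for input you do not control
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs

def check_mapping(xml_text, configured=CONFIGURED):
    """Status per configured field, using exact string matching (an assumption)."""
    sent = parse_attributes(xml_text)
    report = {}
    for field, name in configured.items():
        report[field] = "missing" if name not in sent else ("ok" if sent[name] else "empty")
    return report

def unmapped_attributes(xml_text, configured=CONFIGURED):
    """Names the IdP sent that no configured field refers to (likely mismatches)."""
    return sorted(set(parse_attributes(xml_text)) - set(configured.values()))

if __name__ == "__main__":
    print(check_mapping(SAMPLE), unmapped_attributes(SAMPLE))
```

A field reported as missing alongside a similar name in the unmapped list points to a claim name that differs between the Entra ID side and the SonarQube side.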

@Becky, thank you for taking the time to share this here. It’s a wonderful way to support the community.

1 Like