SAML syncing groups with AD is not working

Must-share information (formatted with Markdown):

- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  - SonarQube 9.5.0.56709 Community Edition
- what are you trying to achieve
  - Synchronizing SonarQube groups with Active Directory groups
- what have you tried so far to achieve this
  - SAML configuration is done and the user can log in successfully
  - Created a group with the exact same name in the domain as well as in SonarQube
    - Inserted my account into the AAD group as a member (SonarQube group left empty)
  - Added the "SAML group attribute" as found in web.log
    - btw. tried other values, but all result in "List of groups returned by the identity provider '[]'"
    - Using "http://schemas.microsoft.com/claims/groups.link" results in the following in web.log:
      "List of groups returned by the identity provider '[https://graph.windows.net/e0793d39-...]'"
      - SonarQube group is still empty
      - Calling the graph URL directly returns an error:

        ```xml
        <code>Request_DataContractVersionMissing</code>
        <message xml:lang="en">The specified api-version is invalid. The value must exactly match a supported version.</message>
        ```

Anyone any idea what to try or where to investigate next?

Hey there.

Unless your group name in SonarQube is exactly https://graph.windows.net/e0793d39-..., SonarQube isn't doing any additional parsing to find out what that group actually is in AD. You'll need to work with your Identity Provider to make sure a proper list of groups (Group_A, Group_B) is being returned.
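To check what the configured group attribute actually carries before blaming SonarQube, the following added diagnostic (not part of this thread, not SonarQube's own code) parses a SAML assertion, pulls the values of a given attribute and compares them exactly against the group names created in SonarQube. The assertion, the tenant/user IDs and the SonarQube group names are constructed placeholders; the second claim name is assumed to be Azure AD's plain group claim.

```python
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 assertions
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response): one attribute carrying the
# Azure AD "groups.link" claim, one carrying plain group names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.windows.net/TENANT-ID-PLACEHOLDER/users/USER-ID-PLACEHOLDER/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>sonar-developers</saml:AttributeValue>
      <saml:AttributeValue>sonar-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_values(assertion_xml, group_attribute):
    """Return the AttributeValue strings of the attribute configured as the SAML group attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            for val in attr.iterfind("saml:AttributeValue", NS):
                values.append((val.text or "").strip())
    return values


def match_groups(idp_groups, sonarqube_groups):
    """Exact, case-sensitive comparison: only identical names would be synchronised."""
    matched = [g for g in idp_groups if g in sonarqube_groups]
    unmatched = [g for g in idp_groups if g not in sonarqube_groups]
    return matched, unmatched


if __name__ == "__main__":
    configured = {"sonar-developers", "sonar-admins"}  # groups created in SonarQube (constructed)
    for attribute in ("http://schemas.microsoft.com/claims/groups.link",
                      "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"):
        values = group_values(SAMPLE_ASSERTION, attribute)
        matched, unmatched = match_groups(values, configured)
        print(f"{attribute}\n  returned:  {values}\n  matched:   {matched}\n  unmatched: {unmatched}")
```

With the groups.link claim the only value is a Graph URL, which matches no SonarQube group, exactly the '[https://graph.windows.net/...]' situation above; with a claim that carries plain names the match succeeds.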