SAML with AD IdP Group Mapping troubleshooting

Hi guys,
my 2 related cases are still being ignored, so I have to create a new case to get your attention, sorry.
(Lose permissions to groups
Automate adding users to a security group)

AD integration still doesn’t work and I can’t add users to a group.
I have to ask users to log in once so that their accounts appear in the Portal DB. Only then can I add them.
With hundreds of users this becomes a problem, obviously.

So I followed the manual: Group Mapping and still have an issue.

This is from my previous topics:


So I have a group configured in SonarQube.
I have the same group configured in AD (which is our IdP. Sorry for the confusion above).
I added myself to the group in AD and on the SQ portal.
After the first login I see myself as part of the Users group only.

SAML group attribute (sonar.auth.saml.group.name) is configured with “http://schemas.xmlsoap.org/claims/Group”


Also FYI, we have the following ADFS settings:

AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {Active Directory}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : {XXX}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : c-8
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public
IssueOAuthRefreshTokensTo : NoDevice
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
Name : XXX
AutoUpdateEnabled : False
MonitoringEnabled : False
MetadataUrl :
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules : @RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

IssuanceTransformRules : @RuleTemplate = "LdapClaims"
@RuleName = "SonarQube Userclaims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/claims/Group"), query =
";userPrincipalName,displayName,mail,sAMAccountName,tokenGroups;{0}", param = c.Value);

DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 1/1/1900 1:00:00 AM
LastMonitoredTime : 1/1/1900 1:00:00 AM
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName :
AccessControlPolicyParameters :
ResultantPolicy :

Could you specify the parameter that has to be modified?
Thanks.

Hey there.

You’ll probably need to take a look at the SAML Response (which should be visible in your web.log file with DEBUG level logging turned on) to find out, after initiating a login:

  • Is group information actually being returned in the SAML Response?
  • Is the value you’re supplying for sonar.auth.saml.group.name valid?

You probably won’t find much help here for the exact ADFS configuration, but hopefully, we can get you on your way with troubleshooting.

Feel free to post a redacted version of the SAML Response you see in the logs if you need help.
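The two checks in the reply above (is a group attribute in the Response at all, and does its Name match what sonar.auth.saml.group.name is set to) can be automated against the Response you pull out of web.log. The following script is an added example, not code from the thread or from SonarQube: it takes the Response either as XML or as the base64 SAMLResponse form value, lists every attribute Name the IdP sent, reports whether the configured group attribute (the http://schemas.xmlsoap.org/claims/Group URI from the post) is present, compares its values with the SonarQube group names you expect, and flags an EncryptedAssertion, whose attributes cannot be read without the SP's decryption key. The Response documents, the group names and the helper function names are constructed for the example.

```python
"""Inspect a logged SAML Response for the group attribute an SP expects.
Added example; not SonarQube code.  Sample Responses below are constructed."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute name from the post's sonar.auth.saml.group.name setting.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed: roughly what the LdapClaims rule in the post would produce
# (signature, timestamps and conditions omitted; not a real capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>sonar-developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: the shape you get when the IdP encrypts the assertion.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Same sample as the browser would POST it (SAMLResponse form parameter).
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_response(raw: str) -> str:
    """Accept either the raw XML or the base64 SAMLResponse form value."""
    text = raw.strip()
    if text.startswith("<"):
        return text
    try:
        return base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("input is neither XML nor valid base64") from exc


def extract_attributes(xml_text: str) -> dict:
    """Map every Attribute Name in the plaintext assertion(s) to its values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_group_mapping(raw: str, group_attr: str, expected_groups) -> dict:
    """Answer the two troubleshooting questions for one Response."""
    xml_text = decode_response(raw)
    root = ET.fromstring(xml_text)
    encrypted = root.find(".//saml:EncryptedAssertion", NS) is not None
    attrs = extract_attributes(xml_text)
    values = attrs.get(group_attr, [])
    return {
        "encrypted": encrypted,                # attributes unreadable without SP key
        "attribute_names": sorted(attrs),      # what the IdP actually sent
        "attribute_present": group_attr in attrs,
        "values": values,
        # Exact string comparison: SIDs or DOMAIN\name forms will not match.
        "matched": [g for g in expected_groups if g in values],
        "missing": [g for g in expected_groups if g not in values],
    }


if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_RESPONSE), ("encrypted", ENCRYPTED_RESPONSE)):
        result = check_group_mapping(doc, GROUP_ATTR, ["sonar-developers", "sonar-admins"])
        print(label, result)
```

If attribute_present is False but attribute_names lists a different group URI, the fix is on the SonarQube side (sonar.auth.saml.group.name must equal that Name exactly). If the attribute is present but nothing matches, look at the values: the comparison is a plain string match, so SIDs or domain-qualified names emitted by the IdP will not line up with the group name configured in SonarQube. If encrypted is True, the logged Response tells you nothing about attributes until it is decrypted with the SP's key.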