SAML with Azure AD Group Sync: name, login and email cannot be parsed correctly

Must-share information (formatted with Markdown):

• which versions are you using
  SonarQube Server Enterprise Edition 9.9 LTA
  SonarQube Community v25.3.0.104237
• how is SonarQube deployed: zip, Docker, Helm
  Zip-based installation
• what are you trying to achieve
  Enable SAML authentication with Azure AD, including group synchronization
• what have you tried so far to achieve this
  SAML authentication for individual users works perfectly.
  Group used for sync already exists in SonarQube.
  Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!
• Issue Description
  Group synchronization causes unexpected behavior in attribute mapping.

When the group attribute is not configured, the “Test Configuration” shows correctly parsed user data:

Working

SAML Authentication Test

success

Available attributes

Attribute mappings

However, once the group attribute is added, the other attributes (name, email, username) are no longer resolved correctly and are instead treated as literal strings:

Broken

SAML Authentication Test

success

Available attributes

Attribute mappings

Any hint for it? Thank you!

Best Regards,
Lu Wang

Hi Lu,

You’ve listed two different SonarQube versions in your post. I can’t help you with 9.9 since it’s EOL. Are you seeing this problem in 25.3?

And if so, can you

• bump server logging to DEBUG via the UI
• have someone log in to demonstrate the problem
• return server logging to INFO via the UI
• post the relevant logs

?
(Note that server DEBUG logs get big, fast, so you want to limit the time at that log level.)

 
Ann