We have set up SSO between SonarQube Cloud and our Enterprise AD.
Users have been added to AD groups in our Enterprise with the same name as the group in SonarQube Cloud.
The groups have been given permissions to Browse, see source code and Execute analysis.
Those users can log in to SonarQube Cloud using SSO; however, the users in the AD groups:
- Do not see them appearing in the same-named SonarQube Cloud group
- Cannot see any projects even though the group has permissions to Browse, see source code and Execute analysis.
For additional information, please see the uploaded SAML Config, Attributes claims and Group claims PNG files.
Group sync occurs on user login. So are these groups missing after the user logs in, or are you configuring the membership on the AD side and expecting it to just show up automatically in SonarQube Cloud? Because it won’t.
And if the groups are missing post-login, are they direct memberships, i.e. the user was placed directly in the group, or are they transitive memberships, i.e. user is in Group A and Group A is in Group B?
Yes, I am aware group sync occurs on login, so I am not expecting all users to show in the group, but they should appear once the user logs in via SSO, and they don’t!
Also, the group is top level i.e. it only contains users not other groups.
Please see below screenshot of the groups we have in SonarQube Cloud, and in our AD.
What I have noticed after some investigation, is that if I put the same users in a different group SonarQube Mphasis SSO, they seem to sync fine, but users are not syncing for the security group ASG-AG-UKS-MPHASIS-DG-PRD.
Looking at attributes and claims, I can see that group claims that populate the SAML are for ‘Groups assigned to the application’.
The security group ASG-AG-UKS-MPHASIS-DG-PRD is assigned to the application so I would assume that it should sync.
It’s not syncing, and I would rather not send all groups associated to the user if possible.
Thanks for these screenshots and the further details. I think this is enough to work with. No need for more right now. I have a sneaking suspicion this might be about those dashes (-) in the group name, but that’s really a wild guess. I’m going to flag this for the experts.
Thanks for reaching out and your patience while we checked your case with the details provided!
The users will be added to the group in SonarQube Cloud as long as they’re passed in the SAML assertion and a group with the same name exists on the SonarQube Cloud side. Looks like the concerned group is not passed.
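One way to check the point made in the last reply, whether a group is actually present in the SAML assertion, is to decode a SAMLResponse captured from your own login and compare its group values with the group names defined in SonarQube Cloud. This is an added example, not part of the thread and not Sonar's code; the group attribute name and the sample response are assumptions, so substitute the claim name shown in your own IdP configuration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the IdP emits groups under this attribute name.
# Replace it with the claim name from your own "Attributes & Claims" settings.
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample response (not taken from the thread's screenshots).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_ATTR}">
      <saml:AttributeValue>SonarQube Mphasis SSO</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def groups_in_response(saml_response_b64, group_attr=GROUP_ATTR):
    """Return the group values carried in a base64-encoded SAMLResponse."""
    # Diagnostic only: reads a response you captured yourself; no signature check.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == group_attr:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return values


def compare_groups(saml_response_b64, sonarqube_groups, group_attr=GROUP_ATTR):
    """Compare groups sent in the assertion with group names defined in SonarQube Cloud."""
    sent = set(groups_in_response(saml_response_b64, group_attr))
    wanted = set(sonarqube_groups)
    return {
        "matched": sorted(sent & wanted),           # sent and defined under the same name
        "not_in_assertion": sorted(wanted - sent),  # defined, but the IdP did not send it
        "no_such_group": sorted(sent - wanted),     # sent, but no group with that exact name
    }


if __name__ == "__main__":
    print(compare_groups(SAMPLE_B64, ["SonarQube Mphasis SSO", "ASG-AG-UKS-MPHASIS-DG-PRD"]))
```

Any name listed under `not_in_assertion` has to be fixed on the IdP side; values under `no_such_group` show exactly what string the IdP sent, which is what the SonarQube Cloud group name must equal.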