SonarQube Cloud SSO with EntraID - Group mapping

Greetings,

I manage a SonarQube Cloud Enterprise, the login of which is done via GitHub. Recently, we’ve created a Microsoft EntraID application to switch from GitHub Login to SSO and, by previously asking our Account Manager, we know the way of syncing EntraID and SonarQube Cloud groups is by having the same name.

However, we can’t seem to make it work. Along with the team that manages EntraID, we’ve followed the documentation regarding group mapping (SAML SSO with Entra ID | SonarQube Cloud | Sonar Documentation):

But after some unsuccessful testing, we realized SonarQube is receiving the EntraID groups’ Object ID as names instead of their actual names:

Is there any configuration we might be missing? I’ve been having trouble looking for documentation for SonarQube Cloud on this issue, as there are more instances of Sonar with different settings.

Thank you.

Hi,

Welcome to the community!

I suspect this is about your group attribute configuration. Can you double-check your configuration for that?

Thx,
Ann

Something else that tripped us up when implementing this was that Entra will only send groups in the SAML Envelope if the user is a Direct Member of the group.

So your users need to be Direct Members of the Groups that you add in the SSO Application in Entra.

We have a structure where we need multiple levels of groups containing groups before you get to the users. To solve this I needed to write an automated task that periodically runs and adds/removes direct members based on the Indirect Members of those groups.
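
A sketch of the reconciliation step such a periodic task needs, added here as an example and not the poster's script: it walks nested groups to any depth (tolerating membership cycles) and returns which users to add or remove as direct members. The group and user names, the `g:`/`u:` prefixes and the in-memory `DIRECTORY` are constructed assumptions; reading from and writing to the real directory is left out, and it assumes the nested groups are the source of truth for who belongs.

```python
# Constructed sample directory: group -> direct members (hypothetical names).
# "g:" marks a nested group, "u:" marks a user.
DIRECTORY = {
    "g:sonar-admins": {"g:platform", "u:stale"},
    "g:platform": {"g:sre", "u:alice"},
    "g:sre": {"u:bob", "g:platform"},  # cycle back to g:platform
}


def indirect_users(directory, group):
    """Return users reachable through groups nested inside `group`."""
    users = set()
    seen = {group}  # never re-enter the root or an already visited group
    stack = [m for m in directory.get(group, ()) if m.startswith("g:")]
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # cycle or diamond: already expanded
        seen.add(current)
        for member in directory.get(current, ()):
            if member.startswith("g:"):
                stack.append(member)
            else:
                users.add(member)
    return users


def plan_sync(directory, group):
    """Compute a dry-run plan; nothing is changed in the directory.

    Assumption: a user who is a direct member but is no longer reachable
    through any nested group should lose direct membership.
    """
    direct = {m for m in directory.get(group, ()) if m.startswith("u:")}
    wanted = indirect_users(directory, group)
    return {"add": sorted(wanted - direct), "remove": sorted(direct - wanted)}


if __name__ == "__main__":
    print(plan_sync(DIRECTORY, "g:sonar-admins"))
```

Logging the plan before applying it gives a record of every membership change the task makes, which matters because these groups decide what the SSO assertion grants.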