Sonarqube Enterprise: Users unable to login via SAML SCIM

  • Sonarqube 10.4
  • Kubernetes helm deployment
  • SAML SCIM integration with Sonarqube
  • People with email addresses in lowercase (**abc.efg@random.com**) are able to access SonarQube after SAML integration with Azure AD, but users with uppercase letters in their emails (**Abc.Efg@random.com**) are not able to log in. Basically, authentication works and we get a 200 status code in Azure AD, but authorization fails because SonarQube is case-sensitive and it doesn't recognize the email address.

image

It looks like a similar issue was raised in the Sonar Jira, but it looks like it was implemented only in the Community Edition and not in the Enterprise Edition.

https://sonarsource.atlassian.net/jira/software/c/projects/SONAR/issues/SONAR-21233?filter=allissues&jql=project%20%3D%20"SONAR"%20AND%20text%20~%20"email"%20ORDER%20BY%20created%20DESC

Could you please help on this? @Lukasz_Jarocki @antoine.vinot @jacek.poreda @ganncamp

Hi @Manmohan_Singh_Rawat !

It seems like there is a mismatch between the user ID you have configured for SAML and SCIM. What happens is:

  • A user is provisioned with SCIM. The user’s external identity stored in SonarQube comes from the attribute mapped under provisioning: see Step 5.c in this section
  • Then, the user logs in with SAML. SonarQube matches the user based on the SAML user login attribute. See the Login field in this section. This field is case-sensitive. If there isn't an already provisioned user with the exact same email address (case included) in SonarQube, I'd expect the error message you shared in your screenshot.

When an email address is used as the user ID for authentication, I think it’s a good idea to pass it always in lowercase from AD (SAML and SCIM).

You’ll need to find the mismatched emails/users and find a way to make them match (reprovisioning/updating the users).


Hi @Lukas_F, thanks for responding. So, you are saying SonarQube will always be case-sensitive? There is no way to make it case-insensitive?

In the sense of this topic - yes. And it’s not something that can be configured. As you are using email addresses - which are not case-sensitive - the question is understandable. However, the external user ID stored in SonarQube can be any ID, and therefore, it is case-sensitive by design.

I find the most reliable way of handling this is by passing the user ID attribute - for SAML and SCIM - through the “ToLowercase” function.
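An added example, not part of the original thread or SonarQube's own code: one way to find the mismatched users mentioned in the replies above, and to check that lowercasing the ID attribute will not merge two distinct provisioned users. It assumes you have already exported the SCIM-provisioned external IDs and the SAML login attribute values into two lists; the function names and the `example.com` sample values are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (assumption): external IDs stored at SCIM
# provisioning time, and login attribute values the IdP sends over SAML.
SCIM_EXTERNAL_IDS = [
    "abc.efg@random.com",
    "hij.klm@example.com",
    "nop.qrs@example.com",
    "Nop.Qrs@example.com",
]
SAML_LOGINS = ["abc.efg@random.com", "Hij.Klm@example.com", "unknown@example.com"]


def index_by_lowercase(ids):
    """Group IDs by their lowercased form."""
    folded = defaultdict(list)
    for value in ids:
        folded[value.lower()].append(value)
    return folded


def classify_logins(scim_ids, saml_logins):
    """Sort each SAML login into: exact match, case-only mismatch, or absent."""
    exact = set(scim_ids)
    folded = index_by_lowercase(scim_ids)
    report = {"ok": [], "case_mismatch": [], "not_provisioned": []}
    for login in saml_logins:
        if login in exact:
            # A case-sensitive comparison succeeds, so login works.
            report["ok"].append(login)
        elif login.lower() in folded:
            # Same address, different case: the failure described in this thread.
            report["case_mismatch"].append((login, sorted(folded[login.lower()])))
        else:
            report["not_provisioned"].append(login)
    return report


def lowercase_collisions(scim_ids):
    """Provisioned IDs that differ only by case; lowercasing would merge them."""
    folded = index_by_lowercase(scim_ids)
    return {k: sorted(set(v)) for k, v in folded.items() if len(set(v)) > 1}


if __name__ == "__main__":
    print(classify_logins(SCIM_EXTERNAL_IDS, SAML_LOGINS))
    print(lowercase_collisions(SCIM_EXTERNAL_IDS))
```

Any entry returned by `lowercase_collisions` should be resolved before the lowercase transformation is applied on both the SAML and SCIM side.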