Sonarqube Google GSuite SAML

Hello, I’m struggling to add Google SAML authentication to Sonarqube 8.5. I went through all the posts and guides available but my setup is still not working. Do you have any successful implementation to share?

I have the same question, we are currently managing sonarqube users and we would like to implement SAML with Google Workspace. I did not find documentation.

Just wondering if you got this solved? I’m looking to know what to set the user, name, email and group fields to.

Hi Guys,

I figured this out today; here is the setup:

Google setup:
ACS URL: “server url”/oauth2/callback/saml
Entity ID: “server url”/auth/realms/sonarqube

Name ID format: persistent
Name ID: Basic information > Primary email

Saml attributes: leave blank (defaults works)

Sonarqube setup:
application ID:(defaults works)
Provider Name :(defaults works)
Provider ID: Gsuite
SAML login URL: copy from google admin saml called SSO URL
Provider certificate: copy from google admin saml called certificate just paste in the text

Leave everything else as is.

Not working, I’ve tried the steps above, but I got this

I’ve tried admins, common users and other account types

Did you try with more than one user?

Yep, admin users, power users and common users, tried with 4 different users.
Also checked the saml idp conf, all users are allowed to login

Hello, exactly the same issue here, all fields seem correctly filled, app is allowed for all users, and same error from Google (Error: app_not_configured_for_user)

This page gives a hint to debug SAML requests:

To resolve the 403 app_not_configured_for_user error:

Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

I’ve double-checked that “Entity ID” on Google side matches the saml:Issuer sent in the SAMLRequest (“sonarqube”).

@Sean_Faria Are you sure of your Google Setup “Entity ID” setting? It should be the same value as Sonar-side “application ID”

best regards
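
The check described in the post above (saml:Issuer in the SAMLRequest versus the Google-side Entity ID) can be scripted. This is an added example, not code from any poster or from SonarQube; it assumes the request was captured from the redirect URL (HTTP-Redirect binding: raw DEFLATE, then base64), and the hostnames and the sample request are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_saml_request(redirect_url):
    """Return (issuer, acs_url) carried in the SAMLRequest query parameter."""
    query = parse_qs(urlparse(redirect_url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15)  # raw DEFLATE, no zlib header
    # The request comes from your own SonarQube; use defusedxml for untrusted XML.
    root = ET.fromstring(xml)
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    return issuer, root.get("AssertionConsumerServiceURL", "")

def check_against_google(redirect_url, entity_id, acs_url):
    """List mismatches between the request and the Google-side settings."""
    issuer, request_acs = decode_saml_request(redirect_url)
    problems = []
    if issuer != entity_id:  # exact match: the value is case-sensitive
        problems.append(f"Issuer {issuer!r} != Entity ID {entity_id!r}")
    if request_acs and request_acs != acs_url:
        problems.append(f"ACS URL {request_acs!r} != configured {acs_url!r}")
    return problems

def build_sample_url(issuer, acs_url):
    """Constructed AuthnRequest redirect, standing in for a captured one."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed" Version="2.0" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    encoded = quote(base64.b64encode(deflated).decode(), safe="")
    return "https://idp.example/sso?SAMLRequest=" + encoded

if __name__ == "__main__":
    acs = "https://sonar.example.com/oauth2/callback/saml"
    url = build_sample_url("sonarqube", acs)
    print(check_against_google(url, "sonarqube", acs))
    print(check_against_google(url, acs.replace("/oauth2/callback/saml",
                                                "/auth/realms/sonarqube"), acs))
```
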

Hey Guys,

I had some issues with my previous setup and finally worked everything out and this is what worked without issues.

Google Setup:

ACS URL: “server url”/oauth2/callback/saml
Entity ID: sonarqube

Name ID format: persistent
Name ID: Basic information > Primary email

Create a custom attribute for sonarqube (users –> more options –> manage custom attributes):

Custom fields:
Category=sonarqube
name=sonarqube
info type=text
visibility=Visible to user and admin
no. of values=Single value

Saml attributes:

basic information > Primary email → email
basic information > Primary email → login
basic information > Primary email → sonar-group
basic information > Primary email → username

Sonarqube setup:

application ID:sonarqube
Provider Name: SAML
Provider ID: copy from google admin saml called Entity ID
SAML login URL: copy from google admin saml called SSO URL
Provider certificate: copy from google admin saml called certificate just paste in the text
SAML user login attribute=login
SAML user name attribute=username
SAML user email attribute=email
SAML group attribute=sonar-group

Note:

Go to the user you want to have access and in the user information field look for the custom attribute you created called: sonarqube.
The values here would be the same as the sonarqube group you want the user to enter with. i.e. sonar-users
Lastly, wait 3 mins after you made this change to take effect.

Thank you! Just applied your instructions and it finally started to work!

But I have a small remark - when you configure SAML attributes mapping on the Google side instead of this:
basic information > Primary email → sonar-group

you should use the custom attribute you added before - sonarqube, so it will look like this:
sonarqube > sonarqube → sonar-group

Thank you! I agree, that is a typo on my end; see the corrected version below:

Google Setup:

ACS URL: “server url”/oauth2/callback/saml
Entity ID: sonarqube

Name ID format: persistent
Name ID: Basic information > Primary email

Create a custom attribute for sonarqube (users –> more options –> manage custom attributes):

Custom fields:
Category=sonarqube
name=sonarqube
info type=text
visibility=Visible to user and admin
no. of values=Single value

Saml attributes:

basic information > Primary email → email
basic information > Primary email → login
sonarqube > sonarqube → sonar-group
basic information > Primary email → username

Sonarqube setup:

application ID:sonarqube
Provider Name: SAML
Provider ID: copy from google admin saml called Entity ID
SAML login URL: copy from google admin saml called SSO URL
Provider certificate: copy from google admin saml called certificate just paste in the text
SAML user login attribute=login
SAML user name attribute=username
SAML user email attribute=email
SAML group attribute=sonar-group

Note:

Go to the user you want to have access and in the user information field look for the custom attribute you created called: sonarqube.
The values here would be the same as the sonarqube group you want the user to enter with. i.e. sonar-users
Lastly, wait 3 mins after you made this change to take effect.
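
To confirm the attribute mapping from the corrected setup above, the decoded SAML response can be checked for the four attribute names and for a group value that actually names a SonarQube group. This is an added example, not code from the thread or from SonarQube; the sample responses, the e-mail address and the group set are constructed, and the input is assumed to be the already base64-decoded response XML.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SonarQube field -> SAML attribute name, as configured in the thread.
SONAR_MAPPING = {"login": "login", "name": "username",
                 "email": "email", "group": "sonar-group"}

def extract_attributes(response_xml):
    """Map each SAML Attribute Name to the list of its values."""
    attrs = {}
    for attr in ET.fromstring(response_xml).iter(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_mapping(response_xml, sonar_groups, mapping=SONAR_MAPPING):
    """Configuration check only; it does not verify the response signature."""
    attrs = extract_attributes(response_xml)
    problems = []
    for field, name in mapping.items():
        if not any(attrs.get(name, [])):
            problems.append(f"{field}: attribute {name!r} missing or empty")
    for group in attrs.get(mapping["group"], []):
        if group and group not in sonar_groups:
            problems.append(f"group: {group!r} is not a SonarQube group")
    return problems

def build_sample_response(email, group_value):
    """Constructed, unsigned response body standing in for a captured one."""
    pairs = [("email", email), ("login", email), ("username", email)]
    if group_value is not None:
        pairs.append(("sonar-group", group_value))
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                   f'</saml:AttributeValue></saml:Attribute>' for n, v in pairs)
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:AttributeStatement>'
            f'{body}</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    groups = {"sonar-users", "sonar-administrators"}
    for value in ("sonar-users", "dev@example.com", None):
        xml = build_sample_response("dev@example.com", value)
        print(value, check_mapping(xml, groups))
```

The second sample reproduces the mapping of Primary email to sonar-group that the thread corrects: the group attribute arrives, but its value is an e-mail address rather than a group name.
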

Do you see any flakiness? I’ve configured SAML the same way in my instance (minus the groups because I’m not using group mapping), and I still get the dreaded app_not_configured_for_user error. If I refresh the page it might log me in or it might throw the error again. And it seems to be completely random whether or not it works and how many refreshes it takes to work.