SonarQube Groups Question - SAML Authentication

Hi Team,

I have recently integrated the SAML authentication in the SonarQube Community Edition 9.7 and able to see the groups in SonarQube if that name matches the AD groups exists in the AD.

However before this a user has been assigned with SonarQube administrator inbuild group and when a group with same name of AD group created in the SonarQube, the user has been removed the SonarQube administrator inbuild group and then assigned to the AD group in SonarQube where he was originally part of in AD also. I would like to know why the user has been removed from the SonarQube administrator group.


Hey there.

Unless you have a matching sonar-administrators group in AD – once you turn on Group Mapping, you cannot assign externally authenticated users to local SonarQube groups, as noted in the docs:

Group Mapping

When using group mapping, the following caveats apply regardless of which delegated authentication method is used:

  • Membership in synchronized groups will override any membership locally configured in SonarQube at each login
  • Membership in a group is synched only if a group with the same name exists in SonarQube
  • Membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider

When group mapping is configured, the delegated authentication source becomes the only place to manage group membership, and the user’s groups are re-fetched with each login.

1 Like

Thanks for this perfect ans.