SQ 9.7 upgrade - SAML users are losing all groups except sonar-users after logging in

Dear SQ Team,

We upgraded to the latest SonarQube version 9.7 and immediately ran into a problem where all the users logging in via SAML (Auth0) are losing access to every group (inbuilt and custom groups both). They are only being left with one single group sonar-users, causing them to lose access to their projects (all SAML users) and admin access to instance (applicable for admins only).

When we reassign the group, it works fine for the current session. But as soon as the user logs out and logs in again, the groups are gone again immediately.

We have been using SAML via Auth0 for a couple of years and never had this issue. This came to surface only after upgrade to SonarQube 9.7. I am sure that the changes related to SAML configuration in 9.7 are causing this issue.

I have tested our SAML configuration with the Test configuration button and am able to see a success response without any warnings or error.

This is a big issue for us due to the regular users losing access to projects granted via the groups. Admin issue we can live with as the Global permissions can be used as a workaround for that.

Request you to kindly look into this ASAP and suggest if we need to make some configuration change at our side.

Best Regards
Saurabh

We just upgraded from Enterprise Edition 9.5 to 9.7 and have experienced the same change in behavior; we are also using SAML SSO for authentication. Everything was working fine on 9.5, but now on 9.7, every time a user logs in via SAML SSO, all groups other than sonar-users are removed.

One item to note about our SAML SSO configuration, we are mapping all available SAML attributes to claims from our IDP except for group. We have left the SAML group attribute mapping empty in SonarQube since we are not managing the group assignments from our IDP and prefer instead to manage them manually from within SonarQube for now.

Same problem here.
Upgrade from 9.6 developer to 9.7
SAML group attribute is empty, now after a login the groups are reset to sonar-users.

How can this slip in a release without testing such stuff?
I need an estimate for a potential bugfix release, otherwise I would have to rollback to the old version.

Kind regards,
Michael

Hey everyone.

Thanks for the reports. The relevant team has been engaged to look into this. Hold tight.

Before updating to SonarQube 9.7 we could use Azure AD just for authentication and not for group mapping. It looks like the behaviour changed now. Since we had not set

sonar.auth.saml.group.name

all AD users now get all of their groups removed and assigned to the default role. The new behaviour is documented here: Authentication SAML overview; however, the docs also mention that you can disable the group mapping: Group mapping.

Any advice on how we can do this would be great; otherwise we will not be able to update to 9.7, since all users lose their group assignments…

Thanks Christian

Thanks for the reports. The issue has been identified, and we are working on a fix or a possible workaround.
This is affecting those instances where SAML is being used for authentication but is not used for dealing with groups mapping.

Hey everyone!

There will be a v9.7.1 release to address SONAR-17511. We expect v9.7.1 to be available this week.

Hey all (@saurabhdeep @justin.isenhour @reitzmichnicht @ChrisRu )

v9.7.1 will be officially published soon – but you can find the download links already:

CE: https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.7.1.62043.zip
DE: https://binaries.sonarsource.com/CommercialDistribution/sonarqube-developer/sonarqube-developer-9.7.1.62043.zip
EE: https://binaries.sonarsource.com/CommercialDistribution/sonarqube-enterprise/sonarqube-enterprise-9.7.1.62043.zip
DCE: https://binaries.sonarsource.com/CommercialDistribution/sonarqube-datacenter/sonarqube-datacenter-9.7.1.62043.zip

Hi

Thanks for the quick bugfix release. Everything is now working as expected.

Kind regards,
Michael
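
The symptom reported in this thread (SAML users left with only sonar-users after logging in) can be detected by comparing a group-membership snapshot taken before the upgrade with one taken after users have logged in. The following is an added example, not code from SonarQube or from any poster; the snapshot format, user names and team group names are constructed, and it assumes you have exported memberships yourself as a user-to-groups mapping.

```python
# Added example: flag users whose groups collapsed to the default group only.
# BEFORE/AFTER are constructed sample snapshots (user -> set of group names).
DEFAULT_GROUP = "sonar-users"
ADMIN_GROUP = "sonar-administrators"

BEFORE = {
    "alice": {"sonar-users", "sonar-administrators", "team-payments"},
    "bob": {"sonar-users", "team-payments", "team-mobile"},
    "carol": {"sonar-users"},
    "dave": {"sonar-users", "team-mobile"},
}
AFTER = {
    "alice": {"sonar-users"},
    "bob": {"sonar-users"},
    "carol": {"sonar-users"},                 # never had extra groups
    "dave": {"sonar-users", "team-mobile"},   # has not logged in since the upgrade
}


def find_collapsed(before, after):
    """Return {user: lost_groups} for users left with only the default group."""
    collapsed = {}
    for user, old in before.items():
        new = after.get(user)
        if new is None:
            continue  # user missing from the second snapshot: a different problem
        lost = old - new
        # The reported symptom: something was lost AND nothing but the default remains.
        if lost and new <= {DEFAULT_GROUP}:
            collapsed[user] = lost
    return collapsed


def lost_admins(collapsed):
    """Users who lost instance administration through the group collapse."""
    return sorted(u for u, lost in collapsed.items() if ADMIN_GROUP in lost)


def restore_plan(collapsed):
    """(user, group) pairs to re-add, in stable order, once on a fixed version."""
    return sorted((u, g) for u, lost in collapsed.items() for g in lost)


if __name__ == "__main__":
    hit = find_collapsed(BEFORE, AFTER)
    for user, group in restore_plan(hit):
        print(f"re-add {user} -> {group}")
    print("admins affected:", lost_admins(hit))
```

Users who lost only some groups are deliberately not flagged, since the thread describes a full reset to sonar-users rather than partial changes.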