SSO SAML group sync not working

Must-share information (formatted with Markdown):

  • We are using CE 10.0, deployed in a GKE cluster using the Helm chart.

  • What are you trying to achieve
    We have integrated Okta SSO per the instructions mentioned here, and in the SonarQube SAML settings we don’t see the option where we can see the SAML group attribute.

Is there any special setting we need to enable to see the SAML group attribute while configuring the SAML settings?

Also, we have created the groups in SonarQube, which align with the group naming format of the Okta groups.

We can see the Okta SAML login enabled, but group sync is not happening.
Is there anything I’m missing to get the group sync done?

Hey there.

Take a look at this post:

Hi Colin,

Thanks for the reply and the attached information.
As per the workaround mentioned here, I’ve generated the web tokens for the admin user, and when I tried to do the POST call (using the generated web token) I see a 401 in the sonar access logs. Same with GET as well.

I also tried with a GLOBAL type token and a user token, but I am still seeing the same 401 in the sonar logs.

Attaching below a sample log line from the sonar access log while executing the POST call.

[07/Jun/2023:18:55:07 +0000] "POST /api/settings/set?key=sonar.auth.saml.group.name&value=group_attribute_value HTTP/1.1" 401 - "-" "curl/8.1.2" ""

Could you please advise on further config? Thanks much in advance.

Hey there.

Can you provide the curl request you’re making? How are you providing the token?

Keep in mind the docs here.

Hi Colin,

I think I got the issue in the POST call I am doing. After putting the ‘:’ at the end of the token, I can see the below response code in the sonar logs.

127.0.0.6 - - [08/Jun/2023:21:59:13 +0000] "POST /api/settings/set?key=sonar.auth.saml.group.name&value=group_attribute_value HTTP/1.1" 204 - "-" "curl/8.1.2" ""

After the above change, when I do the test configuration in the SAML settings, I now see the below warning message, which was not the case before.

**Mapping not found for the property sonar.auth.saml.group.name, the field group_attribute_value is not available in the SAML response.**

Also, I can see the below response when I do a GET:

{
  "settings": [
    {
      "key": "sonar.auth.saml.group.name",
      "value": "group_attribute_value"
    }
  ],
  "setSecuredSettings":
}

But I am still getting the warning saying: Mapping not found for the property sonar.auth.saml.group.name, the field group_attribute_value is not available in the SAML response.

FYI, below is what we have in the Okta SAML settings per the instructions here.

Adding some additional info from the logs when logging in with Okta.

2023.06.09 17:58:53 DEBUG web[AYidQ8WMoABTk][c.o.s.a.SamlResponse] SAMLResponse has attributes: {name=[reddacted], login=[email id], email=[user email id (reddacted)], groups=[GROUP NAMES USER belong to in OKTA reddacted ]}
2023.06.09 17:58:53 DEBUG web[AYidQ8WMoABTk][o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider ‘

We have created the groups in SonarQube with names similar to the group names in Okta.

@Colin Any suggestions on the above config issue? Thanks in advance for your help.

Hey there.

I’ve realized that you are literally using group_attribute_value in your curl request instead of the actual group attribute value, which in your case is groups.

I would suggest setting the setting again via curl, this time actually supplying value=groups instead of the placeholder value=group_attribute_value.

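The check behind the "Mapping not found" warning, as an added example that is not part of the original thread and not SonarQube's own code: it lists the attribute names an IdP assertion actually carries and tests whether the name configured in sonar.auth.saml.group.name is among them. The sample assertion, its values, and the function names are constructed for illustration; only the attribute names (name, login, email, groups) come from the debug log above, and the exact-name group comparison is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample; attribute names mirror the thread's debug log, values are made up.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="login"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>sonar-administrators</saml:AttributeValue>
      <saml:AttributeValue>dev-team</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement.

    Diagnostic use on a response captured from your own IdP only: this does
    not verify signatures, and untrusted XML should go through a hardened
    parser such as defusedxml instead of the stdlib one.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_group_mapping(xml_text, configured_name):
    """Report whether the configured group attribute exists in the assertion."""
    attrs = assertion_attributes(xml_text)
    return {"ok": configured_name in attrs,
            "groups": attrs.get(configured_name, []),
            "available": sorted(attrs)}

def unmatched_groups(idp_groups, sonarqube_groups):
    """IdP groups with no same-named local group (assumes exact, case-sensitive match)."""
    return [g for g in idp_groups if g not in sonarqube_groups]

if __name__ == "__main__":
    for name in ("group_attribute_value", "groups"):  # placeholder vs. real attribute
        print(name, check_group_mapping(SAMPLE_ASSERTION, name))
```

Running it against a captured assertion before calling /api/settings/set shows which attribute name to supply as the value.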

Thanks @Colin. After updating the correct value in my curl, I can now see the respective groups getting mapped to users logged in using SAML.

Thanks again for all your guidance here.
