Must-share information (formatted with Markdown):
- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): SonarQube 10.3.0
- how is SonarQube deployed: zip, Docker, Helm: via Docker on a Debian 12 host
- what are you trying to achieve: synchronize groups for a user with 150+ groups from Azure via SAML
- what have you tried so far to achieve this:
  - Reading the SonarQube documentation on SAML
  - Searched for similar topics
  - Tried Azure-based solutions
Hi,
we encountered a problem where a user couldn’t see any projects in SonarQube. After some investigation, we found that the cause is that no groups are synchronized on login via SAML because the user has too many. Azure has a limit of 150 groups for a SAML token. Instead of the groups claim, the response contained a group.link which points at a Microsoft Graph endpoint containing the list of groups for the user (SAML 2.0 token claims reference - Microsoft identity platform | Microsoft Learn).
It would be great if the SAML implementation could follow the link to retrieve the list.
In case this is not possible, a warning in the logs would be useful, to help a user identify the problem faster, and it should also be mentioned in the documentation regarding the SAML configuration.
The warning could either state that group.link is not supported or inform that no group could be retrieved (when the SAML group attribute is set).
The documentation could link Configure group claims for applications by using Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn where Microsoft mentions two possible solutions on how to change the configuration in Azure to reduce the number of groups returned.
To solve the problem for us, we will try to reduce the number of groups the specific user belongs to, and if that doesn't work, we will assign the valid groups to the app in Azure.
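As an added example, not part of the post above and not SonarQube's own code, the following shows how a service provider could recognise the Azure group-overage case in a SAML assertion and emit the kind of warning the post asks for. It assumes the full claim names Microsoft uses (`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` for the groups claim and `http://schemas.microsoft.com/claims/groups.link` for the overage link; the post abbreviates the latter as `group.link`), a configurable group attribute name as in SonarQube's SAML settings, and two constructed assertions with placeholder IDs and a placeholder Graph URL. The assertion is assumed to have already had its signature verified; this code only classifies its attributes.

```python
"""Detect Azure AD / Entra ID group overage in a SAML 2.0 assertion.

Added example (not SonarQube code). Claim names below are assumptions based on
Microsoft's SAML token claims reference; the sample assertions are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed Microsoft claim names (the post calls the second one "group.link").
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample: user in a small number of groups, groups claim present.
SAMPLE_WITH_GROUPS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: user in >150 groups, Azure replaced the groups claim
# with an overage link (placeholder URL, not a real Graph endpoint).
SAMPLE_OVERAGE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.example.invalid/users/placeholder/memberOf</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Collect every Attribute in the AttributeStatement as name -> values."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def resolve_groups(assertion_xml: str, group_attribute: str) -> Tuple[List[str], Optional[str]]:
    """Return (groups, warning).

    groups  : values of the configured group attribute (empty on overage).
    warning : None when groups were found; otherwise a message that names the
              cause so an admin can tell overage apart from a mapping mistake.
    """
    attrs = saml_attributes(assertion_xml)
    groups = attrs.get(group_attribute, [])
    if groups:
        return groups, None
    if GROUPS_LINK_CLAIM in attrs:
        link = attrs[GROUPS_LINK_CLAIM][0]
        return [], (
            f"SAML group attribute '{group_attribute}' has no values; the assertion "
            f"carries '{GROUPS_LINK_CLAIM}' = {link} instead. This is the Azure group "
            "overage case (user in more than 150 groups). Following the link is not "
            "supported; reduce the user's group count or restrict the groups claim to "
            "groups assigned to the application."
        )
    return [], (
        f"SAML group attribute '{group_attribute}' has no values and no overage "
        "indicator is present; check the IdP attribute mapping."
    )


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_GROUPS, SAMPLE_OVERAGE):
        groups, warning = resolve_groups(sample, GROUPS_CLAIM)
        print("groups:", groups)
        if warning:
            print("WARN:", warning)
```

The value of the check is the second branch: an empty group list with a `groups.link` attribute present is a different failure from an empty list with nothing present, and the log line says which. Note that following the link is not something the service provider can do with the SAML assertion alone; it requires an OAuth token for Microsoft Graph, which is why the practical fix is on the Azure side. In production, parse untrusted XML with a hardened parser (for example `defusedxml`) rather than `xml.etree` directly, and only after the assertion's signature has been validated.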