Support group.link in SAML

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 10.3.0
  • how is SonarQube deployed: zip, Docker, Helm
    Via Docker on a Debian 12 host
  • what are you trying to achieve
    Synchronize groups for a user with 150+ groups from Azure via SAML
  • what have you tried so far to achieve this
    • Reading the SonarQube documentation on SAML
    • Searched for similar topics
    • Tried Azure-based solutions

Hi,

we encountered a problem where a user couldn’t see any projects in SonarQube. After some investigation, we found that the cause is that no groups are synchronized on login via SAML because the user has too many. Azure has a limit of 150 groups for a SAML token. Instead of the groups claim, the response contained a group.link which points at a Microsoft Graph endpoint containing the list of groups for the user (SAML 2.0 token claims reference - Microsoft identity platform | Microsoft Learn).

It would be great if the SAML implementation could follow the link to retrieve the list.
In case this is not possible, a warning in the logs would be useful, to help a user identify the problem faster, and it should also be mentioned in the documentation regarding the SAML configuration.
The warning could either state that group.link is not supported or inform that no group could be retrieved (when the SAML group attribute is set).
The documentation could link Configure group claims for applications by using Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn where Microsoft mentions two possible solutions on how to change the configuration in Azure to reduce the number of groups returned.

To solve the problem for us, we will try to reduce the number of groups the specific user belongs to, and if that doesn't work, we will assign the valid groups to the app in Azure.

Hi,

Thank you for taking the time to share your feedback.
I was able to find mention of the limitation in the documentation you referenced.

If the number of groups the user is in goes over a limit (150 for SAML, 200 for JWT) then an overage claim will be added to the claim sources pointing at the Graph endpoint containing the list of groups for the user.

I think we can highlight the existence of a limitation on Azure AD, and perhaps respond better to that scenario. I’m transmitting the suggestion to the team.

Chris

Thanks, @x3ntrix, for your suggestions.

As @Chris said, we are improving the documentation on this topic and we will also improve the SonarQube logging in such cases (SONAR-21527).