Must-share information (formatted with Markdown):
- which versions are you using? - 10.0
- how is SonarQube deployed? - Docker via Fargate
- what are you trying to achieve? - Users being assigned to correct groups when logging into SonarQube using SAML + SCIM
- what have you tried so far to achieve this? - Set up SCIM and SAML according to the Sonar Documentation
When using SCIM with AzureAD, the users and groups are being provisioned as expected and are showing up in the SonarQube UI, with managed users part of the correct managed groups. The issue starts when those users then log in using SAML: they are authenticated to SonarQube and placed in the default group (sonar-users), getting removed from the SCIM-provisioned groups.
I am confident that I have set up SAML correctly as the users are being placed in the correct groups when using Just-in-Time provisioning, it’s only when using SCIM that I’m seeing users not being allocated to groups/removed from groups they got provisioned into.
Below are the SAML attributes being returned (with identifiable information redacted):

```
Available attributes:
http://schemas.microsoft.com/identity/claims/displayname: My Name
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups: PBAC-APP-SonarQube-Creator, PBAC-APP-SonarQube-Admin
http://schemas.microsoft.com/identity/claims/tenantid: tenant-id
http://schemas.microsoft.com/identity/claims/identityprovider: https://sts.windows.net/guid/
http://schemas.microsoft.com/identity/claims/objectidentifier: objectid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: givenName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: myEmail@example.com
http://schemas.microsoft.com/claims/authnmethodsreferences: http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password, http://schemas.microsoft.com/claims/multipleauthn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: myEmail@example.com
```
The attributes contain the groups as provisioned by SCIM so I’m not sure why the user is being removed from those and only being put into