Must-share information (formatted with Markdown):
- which versions are you using? - 10.0
- how is SonarQube deployed? - Docker via Fargate
- what are you trying to achieve? - Users being assigned to correct groups when logging into SonarQube using SAML + SCIM
- what have you tried so far to achieve this? - Set up SCIM and SAML according to the Sonar Documentation
When using SCIM with AzureAD, the users and groups are being provisioned as expected and are showing up in the SonarQube UI, with managed users part of the correct managed groups. The issue starts when those users then log in using SAML: they are authenticated to SonarQube and placed in the default group (sonar-users), getting removed from the SCIM-provisioned groups.
I am confident that I have set up SAML correctly, as the users are being placed in the correct groups when using Just-in-Time provisioning; it's only when using SCIM that I'm seeing users not being allocated to groups / removed from groups they got provisioned into.
Below are the SAML attributes being returned (with identifiable information redacted):
Available attributes:

```
http://schemas.microsoft.com/identity/claims/displayname My Name
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups PBAC-APP-SonarQube-Creator
PBAC-APP-SonarQube-Admin
http://schemas.microsoft.com/identity/claims/tenantid tenant-id
http://schemas.microsoft.com/identity/claims/identityprovider https://sts.windows.net/guid/
http://schemas.microsoft.com/identity/claims/objectidentifier objectid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname givenName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name myEmail@example.com
http://schemas.microsoft.com/claims/authnmethodsreferences http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/claims/multipleauthn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress myEmail@example.com
```
The attributes contain the groups as provisioned by SCIM, so I'm not sure why the user is being removed from those and only being put into sonar-users?