Users not being assigned to Groups using SCIM with AzureAD

Must-share information (formatted with Markdown):

  • which versions are you using? - 10.0
  • how is SonarQube deployed? - Docker via Fargate
  • what are you trying to achieve? - Users being assigned to correct groups when logging into SonarQube using SAML + SCIM
  • what have you tried so far to achieve this? - Set up SCIM and SAML according to the Sonar Documentation

When using SCIM with AzureAD the Users and Groups are being provisioned as expected and are showing up in the SonarQube UI with managed users part of the correct managed groups. The issue starts when those users then log in using SAML: they are authenticated to SonarQube and placed in the default group (sonar-users), getting removed from the SCIM-provisioned groups.

I am confident that I have set up SAML correctly as the users are being placed in the correct groups when using Just-in-Time provisioning, it’s only when using SCIM that I’m seeing users not being allocated to groups/removed from groups they got provisioned into.

Below are the SAML attributes being returned (with identifiable information redacted):

Available attributes:
http://schemas.microsoft.com/identity/claims/displayname	My Name
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups	PBAC-APP-SonarQube-Creator
                                                                PBAC-APP-SonarQube-Admin
http://schemas.microsoft.com/identity/claims/tenantid	tenant-id
http://schemas.microsoft.com/identity/claims/identityprovider	https://sts.windows.net/guid/
http://schemas.microsoft.com/identity/claims/objectidentifier	objectid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname	givenName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	myEmail@example.com
http://schemas.microsoft.com/claims/authnmethodsreferences	http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
                                                            http://schemas.microsoft.com/claims/multipleauthn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname	lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress	myEmail@example.com

The attributes contain the groups as provisioned by SCIM so I’m not sure why the user is being removed from those and only being put into sonar-users?

Hello, @curtisgriffiths, and welcome to the community!

It looks like you are affected by this bug - SONAR-19194 - that is present in SonarQube 10.0.

To prevent users from being removed from their groups on SAML login, you will need to apply the workaround mentioned in the ticket. You need to run this API call:

```bash
curl -u <SQ_ADMIN_TOKEN>: "<SQ_URL>/api/settings/reset" -d "keys=sonar.auth.saml.group.name"
```

After that, you will need to restart provisioning in AAD as the incremental sync cycle won’t re-add users to their groups in SonarQube.
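The workaround above as a scripted version, added here as an example and not code from the SonarQube project or from either post. It issues the same `api/settings/reset` call, then confirms via `api/settings/values` that `sonar.auth.saml.group.name` is really gone, and finally checks through `api/users/groups` which of the expected SCIM groups a given user is still missing after their next SAML login (a non-empty result is the cue to restart AAD provisioning, since the incremental sync will not re-add them). The three endpoint paths are the documented SonarQube web API; the HTTP transport is an injectable function so the flow can be exercised offline against constructed responses, and the login name, token and group names are placeholders.

```python
"""Apply and verify the SONAR-19194 workaround (SonarQube 10.0).

Added example, not the project's own code. Endpoints used:
  POST api/settings/reset   - clears sonar.auth.saml.group.name
  GET  api/settings/values  - confirms the key is no longer set
  GET  api/users/groups     - lists a user's group membership
The `call` parameter is injectable so the logic runs offline with constructed JSON.
"""
import base64
import json
import urllib.parse
import urllib.request

SAML_GROUP_KEY = "sonar.auth.saml.group.name"


def _auth_header(token: str) -> str:
    # A SonarQube token is sent as HTTP Basic with the token as the user name and an
    # empty password, which is exactly what `curl -u <TOKEN>:` does.
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def http_call(base_url: str, token: str, method: str, path: str, params: dict) -> dict:
    """Default transport: a single JSON request against a live SonarQube instance."""
    query = urllib.parse.urlencode(params)
    if method == "GET":
        req = urllib.request.Request(f"{base_url}/{path}?{query}")
    else:
        req = urllib.request.Request(f"{base_url}/{path}", data=query.encode(), method=method)
    req.add_header("Authorization", _auth_header(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def saml_group_setting_is_unset(settings_response: dict) -> bool:
    """True when api/settings/values shows the key absent (it has no default value)
    or marked as inherited, i.e. no instance-level value remains."""
    for entry in settings_response.get("settings", []):
        if entry.get("key") == SAML_GROUP_KEY and not entry.get("inherited", False):
            return False
    return True


def missing_groups(groups_response: dict, expected: set) -> set:
    """Names from `expected` that the user is not currently a member of, based on the
    `selected` flag returned by api/users/groups?selected=all."""
    member_of = {g["name"] for g in groups_response.get("groups", []) if g.get("selected", True)}
    return expected - member_of


def apply_workaround(base_url: str, token: str, login: str, expected_groups, call=http_call):
    """Reset the setting, verify it is cleared, and report which SCIM groups `login`
    still lacks. Returns (setting_unset, still_missing)."""
    call(base_url, token, "POST", "api/settings/reset", {"keys": SAML_GROUP_KEY})
    settings = call(base_url, token, "GET", "api/settings/values", {"keys": SAML_GROUP_KEY})
    unset = saml_group_setting_is_unset(settings)
    groups = call(base_url, token, "GET", "api/users/groups", {"login": login, "selected": "all"})
    return unset, missing_groups(groups, set(expected_groups))


if __name__ == "__main__":
    # Placeholder values; replace with a real URL, an admin token and a managed user's login.
    ok, gaps = apply_workaround(
        "https://sonarqube.example.com", "<SQ_ADMIN_TOKEN>", "myEmail@example.com",
        ["PBAC-APP-SonarQube-Creator", "PBAC-APP-SonarQube-Admin"],
    )
    print("setting cleared:", ok)
    print("restart AAD provisioning, user still missing:" if gaps else "all expected groups present", gaps)
```

Run it once before any user signs in again; if the user has already logged in via SAML and been dropped from their groups, the membership check will list those groups, and only a restarted (full) provisioning cycle in AAD will put them back.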