Troubleshooting authentication and provisioning
Users unable to use groups (SAML group number over 150)
You use SAML with Microsoft Entra ID and some users are automatically removed from groups. This may mean that you have reached the SAML group limitation (for these users, the groups claim is replaced by http://schemas.microsoft.com/claims/groups.link). Microsoft Entra ID SAML tokens have a limit on the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table).
In such cases, you might need to reduce the number of groups these users are in.
Error on SAML assertion decryption
You have enabled the encryption of SAML assertions by your identity provider and SonarQube Community Build raises an error on SAML assertion decryption.
From SonarQube Community Build 25.1, you must enter the public key certificate in SonarQube Server (and not only the private key). Make sure the certificate is stored in SonarQube Server as follows:
- In SonarQube Server, go to Administration > Configuration > General Settings > Authentication > SAML.
- In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
- In Service provider certificate, enter the certificate.
In addition, from SonarQube Community Build 25.1, if you enable the encryption of SAML assertions, the SAML response, which contains the SAML assertion, must be signed. This means that the option used for SAML signature by Microsoft Entra ID and Ping Identity cannot be Sign Assertion (the default value). Make sure you enforce response signing. See:
- Microsoft Entra ID: Step 2 > If you use encryption, enforce response signature in Setup of security features.
- Ping Identity: Step 2 > To enable the encryption of SAML assertions in Setup of security features.
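To check a captured SAML response for both conditions described on this page (the groups.link overage claim, and an encrypted assertion sent without a response-level signature), a diagnostic script can inspect the decoded XML. This is an added example, not SonarQube or identity provider code; the function name, finding labels and sample responses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Claim name quoted on this page for users over the group limit.
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"


def diagnose(response_xml: str) -> list[str]:
    """Structural check of a decoded SAML response; does NOT validate signatures."""
    if "<!DOCTYPE" in response_xml:  # refuse DTDs (entity-expansion guard)
        raise ValueError("DTD not allowed in SAML response")
    root = ET.fromstring(response_xml)
    findings = []
    # A response-level signature is a direct child of <samlp:Response>.
    response_signed = root.find("ds:Signature", NS) is not None
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    if encrypted and not response_signed:
        findings.append("encrypted-assertion-without-signed-response")
    # Attributes are only readable when the assertion is not encrypted.
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        if attr.get("Name") == GROUPS_LINK:
            findings.append("groups-overage-link")
    return findings


# Constructed sample responses (structure only, no real keys or users).
_NSDECL = (
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
)
SAMPLE_ENCRYPTED_UNSIGNED = f"<samlp:Response {_NSDECL}><saml:EncryptedAssertion/></samlp:Response>"
SAMPLE_ENCRYPTED_SIGNED = f"<samlp:Response {_NSDECL}><ds:Signature/><saml:EncryptedAssertion/></samlp:Response>"
SAMPLE_OVERAGE = (
    f"<samlp:Response {_NSDECL}><saml:Assertion><saml:AttributeStatement>"
    f'<saml:Attribute Name="{GROUPS_LINK}"/>'
    "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
)

if __name__ == "__main__":
    for sample in (SAMPLE_ENCRYPTED_UNSIGNED, SAMPLE_ENCRYPTED_SIGNED, SAMPLE_OVERAGE):
        print(diagnose(sample))
```

The input is the base64-decoded value of the SAMLResponse form field posted by the identity provider to the service provider.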