# Troubleshooting

## Users unable to use groups (SAML group number over 150)

If you use SAML with Microsoft Entra ID and some users are automatically removed from groups, you may have reached the SAML group limit: for these users, the `groups` claim is replaced by `http://schemas.microsoft.com/claims/groups.link`. Microsoft Entra ID SAML tokens limit the number of groups a user can belong to (see the description of groups in the [Claims in SAML Token](https://learn.microsoft.com/en-us/entra/identity-platform/reference-saml-tokens#claims-in-saml-tokens) table).

In such cases, you might need to reduce the number of groups these users are in.

## Error on SAML response decryption

You have enabled the encryption of SAML assertions by your identity provider and SonarQube Server raises an error on SAML assertion decryption.

From SonarQube Server 2025.1, you must enter the public key certificate in SonarQube Server (and not only the private key). Make sure the certificate is stored in SonarQube Server as follows:

1. In SonarQube Server, go to **Administration > Configuration > General Settings > Authentication > SAML**.
2. In **SAML Configuration > SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
3. In **Service provider certificate**, enter the certificate.

In addition, from SonarQube Server 2025.1, if you enable the encryption of SAML assertions, the SAML response (which contains the SAML assertion) must itself be signed. This means that the SAML signature option in Microsoft Entra ID and Ping Identity cannot be **Sign Assertion** (the default value). Make sure you enforce the response signature. See:

* Microsoft Entra ID: **Step 2 > If you use encryption, enforce response signature** in [Optional security features](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/saml/ms-entra-id/optional-security-features).
* Ping Identity: **Step 2 > To enable the encryption of SAML assertions** in [Optional security features](https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/saml/ping-identity/optional-security-features).
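
Both conditions described on this page can be checked on a captured `SAMLResponse` before changing any settings. The following diagnostic is an added example, not SonarQube code: it assumes the base64 value of the `SAMLResponse` form field from an HTTP-POST login, and the function name and sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"  # overage claim named on this page

UNSIGNED_RESPONSE = "assertion is encrypted but the response itself is not signed"
NOT_INSPECTABLE = "attributes not inspectable: assertion is encrypted"
GROUP_OVERAGE = "group overage: groups.link sent instead of the group list"

def diagnose(saml_response_b64):
    """Structural checks only: no signature is verified and nothing is decrypted."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # A response-level signature is a direct child of <samlp:Response>.
    # With "Sign Assertion", the signature sits inside the assertion, so once
    # the assertion is encrypted no signature is visible on the response.
    response_signed = root.find("ds:Signature", NS) is not None
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    attrs = [a.get("Name") for a in root.iterfind(
        "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)]
    findings = []
    if encrypted and not response_signed:
        findings.append(UNSIGNED_RESPONSE)
    if encrypted:
        findings.append(NOT_INSPECTABLE)
    elif GROUPS_LINK in attrs:
        findings.append(GROUP_OVERAGE)
    return findings

def _sample(body):
    """Wrap a constructed body in a minimal <samlp:Response> and base64-encode it."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">%s'
           '</samlp:Response>' % (NS["samlp"], NS["saml"], NS["ds"], body))
    return base64.b64encode(xml.encode())

# Constructed samples, not real identity provider output.
OVERAGE = _sample('<ds:Signature/><saml:Assertion><saml:AttributeStatement>'
                  '<saml:Attribute Name="%s"/></saml:AttributeStatement>'
                  '</saml:Assertion>' % GROUPS_LINK)
ENC_UNSIGNED = _sample('<saml:EncryptedAssertion/>')
ENC_SIGNED = _sample('<ds:Signature/><saml:EncryptedAssertion/>')

if __name__ == "__main__":
    for name, sample in [("overage", OVERAGE), ("encrypted, unsigned response", ENC_UNSIGNED),
                         ("encrypted, signed response", ENC_SIGNED)]:
        print(name, "->", diagnose(sample))
```

When the assertion is encrypted, the group claims cannot be read from the captured response, so the overage check applies only to unencrypted assertions.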

