- ALM used: Azure DevOps
- CI system used: Azure DevOps
Context: we have about 300 users (with basic licence) in Azure DevOps. We would like to integrate SonarCloud to our pull requests for about 50+ repositories we develop in. It’s OK to have only read access to all projects in SonarCloud and to give consent to access profile etc. when the user is accessing SonarCloud for the first time. But what is not OK is to do some manual action after each of the user wants to see our project, e.g. manually adding him/her only after he/she open the SonarCloud for the first time. In our SonarCloud server this was solved via SAML/oAuth authentication with our AzureAD (via AAD app). I understand SonarCloud have a different setup, but how can we do it in most convenient way, ideally fully automatically…
maybe important to say but we are not looking for only one time import (which would ofc help us a lot too!) but for a continuous, automatic process. That is, in the future, when a user gains access to our Azure DevOps (based on group assignment = fully automatic as well) he/she is imported/can access our SonarCloud project as well when he/she clicks on the PR on some issue.
Anyone? @mickaelcaro can you help pretty please?
Hi @jvilimek and welcome to our community
manually adding him/her only after he/she open the SonarCloud for the first time.
Unfortunately, I can’t see any workaround for that today.
The topic you bring here is already ongoing internally already. This is something we hope to move forward with during the coming year.
BTW, when you say
In our SonarCloud server this was solved via SAML/oAuth authentication with our AzureAD (via AAD app).
You mean with your SonarQube sever right?
Thanks @Christophe_Havard, Yes indeed, when tlaking about SAML/oAuth I have meant our SonarQube installation.
So currently we are really forced to ask the user to sign in and manually assign them in the project settings? thats a big manual overhead…
What happens, in case the user has lost access to the Azure Devops account. Is the account in the SonarCloud preserved? Can he/she somehow gain access to it and be able to see our projects even the Azure DevOps account is disabled? If yes, we would need to also prepare manual process to remove these accounts from SonarCloud…
I guess this is a blocker for us
What happens, in case the user has lost access to the Azure Devops account. Is the account in the SonarCloud preserved?
Yes, currently there is no synchronization between Azure DevOps and SonarCloud regarding users.
You use AAD w/ your Azure DevOps right?
@jvilimek hey sorry about the late reply, I missed the notification .
It doesn’t change anything unfortunately. I asked the question out of curiosity only.
The plugin for SonarQube that you talk about is the following one ? GitHub - hkamel/sonar-auth-aad: Azure Active Directory Authentication for SonarQube
The plugin? Not sure, I guess so. But I can not imagine using this in multi-tenant sonarcloud environment
One idea I had though: how about at least automatically “bind” users while registration to respective organization account? Let’s say user will be registered with email@example.com azure devops account… we would have some setting specified in our administration e.g. “authorize domain: oriflame.com” so the user automatically gain membership in our organization? WDYT?
@jvilimek I think it’s a really good idea
We have this MMF already registered on our side (that might need some refresh) that is saying something similar. The pain I understand is the necessity to register users one by one and assign them one by one to each project.
Feel free to vote and/or comment the given MMF, your contribution is always useful for us
You will be able to follow the progress on this. Currently, we have no ETA for that.
Thanks @Christophe_Havard. Yeah, that MMF you have shared would solve our issues too I believe. But also is a way more complicated to implement. What do I suggested was to simply add users with email domain xxxx.xxx specified in the settings of a project automatically as members with a default group. Since you always validate user emails this should be pretty safe. And a user from our organization would have immadiate access to our projects as soon as he/she completes the registration within sonarCloud.
For security reasons could be a defined as follows:
- automatically provisioned domain: [xxxx.xx] for authentication provider [Azure DevOps] (will automatically assign membership to your organization based on the domain name of the registered & validated email)
Thanks for your insights @jvilimek I’ll keep that as a side note regarding the given MMF and take it into account when we will address this.
FYI, there is another thread talking a bit about the same thing : Login to SonarCloud Organization with Azure AD Authentication