Hello Team,
Is it possible to remove the “More option” in the SonarQube login page?
I know this has been answered with a “No” before through this link:
Our organization just wishes for the latest confirmation that this cannot be removed.
Thank you!
Hi,
Here’s your latest confirmation: No.
Seriously though, if you remove that link then you remove any way to log in with a local account and fix things if integration with your IDP goes south. It’s not vestigial; it’s there on purpose.
Ann
I’ve seen this request a few times and for me, it’s related to security. Security scanners (and the people that run them) don’t like a self-hosted web login with basic auth available on the web, especially if it doesn’t have brute force or other protections listed as features in documentation. It can be a security nightmare if a bad actor is able to brute force their way in, or a login vulnerability allows someone in to see what projects a team has and what vulnerabilities they can attack.
My solution is to put it behind a firewall or VPN, but that raises the barrier of entry for devs to access and some will rather ignore the internal vulnerabilities than slog through the VPN login process to then access this page.
Assuming as I’ve seen in previous comments from Sonar staff, that we can’t RTFM and find the backdoor access if we get locked out, so this is what we all get is kinda frustrating from a company that sells security software.
One solution that would really help me (specifically for docker compose/K8s or the like) would be being able to disable the login page via a container flag and allow an automatic SAML redirect if you hit the link. Then if we are dumbdumbs and lock ourselves out of SAML login, we can simply remove the container flag, restart the app and get the login page with the basic auth back to sign in and fix the SAML issues.
@blastingbits You raise some good points. I’ve flagged this for attention from our PMs.
Really appreciate you looking into this. It would help me a lot if this was implemented in some form!