Changing external identity

Dear community,

I am testing a user migration scenario. What I want to achieve first is changing a local user to a newly configured ADFS identity provider. It is important to know that the identity provider works as expected for users who log in for the first time (without local presence).

For this example I created a local user who looks like this (from the API):

    {
        "login": "herbert",
        "name": "Herbert the Muppet",
        "active": true,
        "email": "herbert@example.nl",
        "groups": [
            "sonar-users"
        ],
        "tokensCount": 0,
        "local": true,
        "externalIdentity": "herbert",
        "externalProvider": "sonarqube",
        "avatar": "98234989287fd115e2afa39cb3e1"
    }

Since our SonarQube version is 8.7+ we can use the API call to achieve the update to a new identity:

    curl -v -H "Content-Type: application/x-www-form-urlencoded" -u "****" -XPOST "https://my.test.sonar.server.example.nl/api/users/update_identity_provider?login=herbert&newExternalProvider=aad&newExternalIdentity?=newidentity@example.nl"

Now the API presents the user with the following properties:

    {
        "login": "herbert",
        "name": "Herbert the Muppet",
        "active": true,
        "email": "herbert@example.nl",
        "groups": [
            "sonar-users"
        ],
        "tokensCount": 0,
        "local": false,
        "externalIdentity": "herbert",
        "externalProvider": "aad",
        "avatar": "98234989287fd115e2afa39cb3e1"
    }

I expect the value given via the newExternalIdentity parameter to be used as externalIdentity, but this is not the case.

In order to tackle this issue I have updated the name and email of the user in a regular update API call. The update works as it should. Now executing the update_identity_provider again does not give me the externalIdentity I need to make this work.

The response I get from my update_identity_provider API calls is an HTTP 204 status code without a body.

A follow-up question (if that is allowed) would be to know whether it is possible to migrate an already existing external account to a new external account after configuring a new identity provider (I have not been able to test this yet).

I would be glad to hear if there is anything I should do differently.

Many thanks in advance

Sonar version: Developer Edition / Version 8.9 (build 43852)

Hi @essenter,

I’m going to ask a very stupid question, but is this the actual cURL request you made?

Because there’s a typo in it: newExternalIdentity?=newidentity@example.nl (there’s a ? before the =)

It is allowed 🙂. And yes, this is possible.
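
An added example, not part of either post: because the call answers with HTTP 204 and no body, a pre-flight check of the query string and a post-call comparison of the user record are the only confirmation available. The parameter names and sample values come from the thread; the helper names `check_query`, `build_url` and `identity_applied` are hypothetical, and treating any name outside the three seen in the thread as a mistake is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names as they appear in the request shown in the thread.
EXPECTED_PARAMS = {"login", "newExternalProvider", "newExternalIdentity"}


def check_query(url, expected=EXPECTED_PARAMS):
    """Return (unknown, missing) parameter names found in a request URL."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    seen = {name for name, _ in pairs}
    return sorted(seen - expected), sorted(expected - seen)


def build_url(base, login, provider, identity):
    """Build the request URL with exact names and percent-encoded values."""
    query = urlencode({
        "login": login,
        "newExternalProvider": provider,
        "newExternalIdentity": identity,  # '@' is encoded as %40
    })
    parts = urlsplit(base)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def identity_applied(user, provider, identity):
    """Compare a user record fetched after the call with what was requested."""
    return (user.get("externalProvider") == provider
            and user.get("externalIdentity") == identity)


# Request URL as posted in the thread.
POSTED_URL = ("https://my.test.sonar.server.example.nl/api/users/"
              "update_identity_provider?login=herbert&newExternalProvider=aad"
              "&newExternalIdentity?=newidentity@example.nl")

# Relevant fields of the user record the thread shows after the call.
USER_AFTER = {"login": "herbert", "externalIdentity": "herbert",
              "externalProvider": "aad", "local": False}

if __name__ == "__main__":
    print(check_query(POSTED_URL))
    print(build_url(POSTED_URL, "herbert", "aad", "newidentity@example.nl"))
    print(identity_applied(USER_AFTER, "aad", "newidentity@example.nl"))
```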