which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension)
how is SonarQube deployed: zip
what are you trying to achieve: Disable automatic account creation and access to SonarQube for unauthorized users.
what have you tried so far to achieve this:
Force authentication enabled
All projects/applications marked as private.
No privileges granted for sonar-users group on any projects/applications/templates etc.
New users (never registered with Sonar) are still able to access SonarQube. SonarQube creates a new account for the user and associates it with the sonar-users group. Projects/portfolios/issues don't show project scan details/reports; however, the user can see quality profiles and quality gates. What we are trying to accomplish: any new user who never registered with Sonar before should be blocked from coming into SonarQube. Only admins should be able to user accounts
Your Identity Provider (IdP) is responsible for managing user identities and controlling access to applications, such as SonarQube. It verifies the identity of users attempting to access a system and decides whether to grant or block access based on predefined policies.
This can include allowing access only to certain groups of users. For example, with Microsoft Entra, you can assign specific users or groups access to applications, which helps ensure that only authorized users can access SonarQube.
I suggest you go back to your IdP and understand why it’s granting access to all users!
Our IDP only verifies whether the user is an authorized user at an organization level. Anyone coming to Sonar is a valid org user, since Sonar is only accessible from org devices. We need to prevent Sonar from creating a user and associating the user with the sonar_users group when someone unknown comes in. Is there a way?
In these cases, your IDP is typically responsible for handling both authentication (is this a valid user) and authorization (does this user have access to this application).
If no users can sign up, what will you do when you have a new user who needs access?
Hi Colin, Thanks for the response. How can we move authorization outside of sonar? Sonar manages user groups. Access control is given to users and user groups within sonar.
We do not want users to sign up (self-service); rather, we would like admins to add users to Sonar manually due to org-level policies.
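Until the IdP restricts who can reach the application, an administrator can at least detect accounts that were provisioned on first login rather than added by hand. The script below is an added example, not code from this thread or from SonarSource: it compares the members of the sonar-users group against an admin-maintained allowlist and reports anyone not on it. It assumes the SonarQube v1 web API endpoint `GET /api/user_groups/users?name=<group>&selected=selected` returning `{"users": [{"login": ..., "name": ..., "selected": true}, ...]}`, a user token with system-administration permission, and a group of at most one page (500 entries); the sample response, the allowlist and the logins in it are constructed.

```python
"""Audit the sonar-users group against an admin-maintained allowlist.

Added example, not from the thread. Assumes the SonarQube v1 web API
endpoint GET /api/user_groups/users?name=<group>&selected=selected
(response shape: {"users": [{"login": ..., "name": ..., "selected": true}]})
and a user token with administer-system permission.
"""
import base64
import json
import urllib.request
from typing import Iterable, List, Set

GROUP = "sonar-users"

# Constructed sample of what the endpoint returns, so the script runs offline.
SAMPLE_RESPONSE = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
    "users": [
        {"login": "admin", "name": "Administrator", "selected": True},
        {"login": "alice@example.test", "name": "Alice", "selected": True},
        {"login": "mallory@example.test", "name": "Mallory", "selected": True},
    ],
})

# Logins an administrator deliberately provisioned (constructed allowlist).
ALLOWLIST = {"admin", "alice@example.test"}


def parse_members(body: str) -> List[str]:
    """Return member logins from an api/user_groups/users JSON body."""
    data = json.loads(body)
    return [u["login"] for u in data.get("users", []) if u.get("selected", True)]


def unexpected_members(members: Iterable[str], allowlist: Set[str]) -> List[str]:
    """Logins present in the group that no admin added, i.e. accounts the
    IdP login created automatically. Sorted so output is stable."""
    return sorted(set(members) - allowlist)


def fetch_group_members(base_url: str, token: str, group: str = GROUP) -> List[str]:
    """Live query against a real server (needs network and a token).

    Assumed endpoint and parameters; ps=500 is the largest single page,
    so a group bigger than that would need paging over p=2, p=3, ...
    """
    url = (f"{base_url.rstrip('/')}/api/user_groups/users"
           f"?name={group}&selected=selected&ps=500")
    req = urllib.request.Request(url)
    # SonarQube accepts a user token as the basic-auth username with an empty password.
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_members(resp.read().decode())


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_group_members()
    # with a base URL and token for a live audit.
    members = parse_members(SAMPLE_RESPONSE)
    for login in unexpected_members(members, ALLOWLIST):
        print(f"not on allowlist: {login}")
```

Run it on a schedule and alert on any non-empty result; a login that appears here was created by an IdP sign-in rather than by an administrator, which is exactly the event the thread is trying to prevent.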