which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension)
how is SonarQube deployed: zip
what are you trying to achieve: Disable automatic account creation and access to Sonarqube for unauthorized users.
what have you tried so far to achieve this:
Force authentication enabled
All projects/applications marked as private.
No privileges granted for sonar-users group on any projects/applications/templates etc.
New users (never registered with sonar) are still able to access SonarQube. SonarQube creates a new account for the user and associates it with the sonar-users group. Projects/portfolios/issues don't show project scan details/reports; however, the user can see quality profiles and quality gates.
What are we trying to accomplish: Any new user who never registered with sonar before should be blocked from coming into SonarQube. Only admins should be able to create user accounts.
Your Identity Provider (IdP) is responsible for managing user identities and controlling access to applications, such as SonarQube. It verifies the identity of users attempting to access a system and decides whether to grant or block access based on predefined policies.
This can include allowing access only to certain groups of users. For example, with Microsoft Entra, you can assign specific users or groups access to applications, which helps ensure that only authorized users can access SonarQube.
I suggest you go back to your IdP and understand why it’s granting access to all users!
Our IDP only verifies whether the user is an authorized user at an organization level. Anyone who comes to sonar is a valid org user, since sonar is only accessible from org devices. We need to prevent sonar from creating a user and associating the user with the sonar-users group when someone unknown comes. Is there a way?
In these cases, your IDP is typically responsible for handling both authentication (is this a valid user) and authorization (does this user have access to this application).
If no users can sign up, what will you do when you have a new user who needs access?
Hi Colin, Thanks for the response. How can we move authorization outside of sonar? Sonar manages user groups. Access control is given to users and user groups within sonar.
We do not want users to sign up (self-service); rather, we would like admins to add users to sonar manually due to org-level policies.
I did check with our F5 team. The F5 team can't read users or groups from sonar, as those are local to sonar. Our sonar installation does not integrate with any directory service (AD/LDAP). The F5 team says that if sonar and F5 have a common directory service, they will be able to read them. F5 sends sonar the user email and sonar is creating a new account based on that. How can we have sonar not create a new user?
Greatly appreciate your insight.
I’m sorry, but I don’t have anything to add beyond what I’ve already mentioned. When SonarQube communicates with your SAML provider, it’s the SAML provider that has the authority to allow or deny access.
In the absence of any restrictions being set here, if a user successfully authenticates an account will be created.
What you’re describing sounds like you might be using F5 to handle authentication at a proxy level. Are you sure you’re using SAML, and not HTTP Header Authentication?
I am sorry… I forgot to mention the update. I initially thought we were using SAML, but we are not. We have HTTP Header Authentication, with F5 adding the headers.
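The authorization step Colin describes (the proxy, not SonarQube, decides who gets in, so an unknown user never reaches SonarQube with a login header and no account is auto-created) as an added Python example; it is not code from this thread, from SonarSource, or from F5. The allow-list, the email addresses and the `gate` function are constructed for illustration; the header names are SonarQube's defaults for HTTP header authentication (the `sonar.web.sso.*` properties).

```python
"""Allow-list gate that a reverse proxy would apply before forwarding a request
to SonarQube with HTTP header authentication enabled (sonar.web.sso.enable=true)."""
from typing import Mapping, Optional

# Default header names SonarQube reads under HTTP header authentication.
LOGIN_HEADER = "X-Forwarded-Login"
EMAIL_HEADER = "X-Forwarded-Email"
NAME_HEADER = "X-Forwarded-Name"
GROUPS_HEADER = "X-Forwarded-Groups"   # comma-separated group names
SSO_HEADERS = {LOGIN_HEADER, EMAIL_HEADER, NAME_HEADER, GROUPS_HEADER}

# Constructed allow-list maintained by the SonarQube admins: IdP email -> groups.
# Only identities listed here are ever announced to SonarQube, so nobody else
# can trigger account creation. Where this lives (a file, the proxy's own
# data store) is an assumption of this example.
ALLOWED_USERS = {
    "alice@example.test": ["sonar-developers"],
    "bob@example.test": [],
}


def strip_sso_headers(headers: Mapping[str, str]) -> dict:
    """Remove any SSO headers that arrived from the client.

    Only the proxy may set them; a client-supplied X-Forwarded-Login would
    otherwise let anyone impersonate any account."""
    return {k: v for k, v in headers.items() if k.title() not in SSO_HEADERS}


def gate(headers: Mapping[str, str], idp_email: Optional[str]) -> Optional[dict]:
    """Return the header set to forward to SonarQube, or None to deny (HTTP 403).

    idp_email is the identity the proxy itself verified with the IdP. Users
    who authenticated but are not allow-listed are denied here, before
    SonarQube ever sees a login header."""
    clean = strip_sso_headers(headers)
    email = idp_email.lower() if idp_email else None
    groups = ALLOWED_USERS.get(email) if email else None
    if groups is None:
        return None
    clean[LOGIN_HEADER] = email
    clean[EMAIL_HEADER] = email
    if groups:
        clean[GROUPS_HEADER] = ",".join(groups)
    return clean


if __name__ == "__main__":
    spoofed = {"Host": "sonar.example.test", "x-forwarded-login": "admin"}
    print(gate(spoofed, "mallory@example.test"))  # None: not allow-listed
    print(gate(spoofed, "Alice@example.test"))    # forwarded headers, spoof removed
```

When the groups header is omitted (as for bob above), group membership stays whatever the admins set inside SonarQube.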