Enable SSO For SonarQube on Windows Active Directory

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • Developer Edition
  • Version 9.4 (build 54424)
  • what are you trying to achieve
    -Enable Single Sign on with windows Active Directory
    -LDAP and Group Mapping is in use would like the users on the groups to auto sign in using SSO
  • what have you tried so far to achieve this

SSO Authentication

Enable authentication using HTTP headers

Name of the header to get the user login. Only alphanumeric, ‘.’ and ‘@’ characters are allowed

Name of the header to get the user name

Name of the header to get the user email (optional)

Name of the header to get the list of user groups, separated by comma (optional). If the SONARSSOGROUPSHEADER is set, the user will belong to those groups if groups exist in SonarQube. If none of the provided groups exists in SonarQube, the user will only belong to the default group. Note that the default group will always be set.

Interval used to know when to refresh name, email, and groups. During this interval, if for instance the name of the user is changed in the header, it will only be updated after X minutes.

Hey there.

SonarQube allows “SSO” in two ways:

  • Delegating authentication to a third-party (SAML, a DevOps platform). This still requires a manual login action, but a single identity.
  • Inferring authorization from HTTP Headers that an organization has configured to be available when a user is authenticated. No login action required.

What you’ve found in the documentation is for the latter. If you continue to use LDAP-based authorization, unfortunately, nothing is going to make it so that when a user browses to SonarQube they are “automatically” logged in. You would have to make sure the HTTP Headers are available and securely population the right information for each user on the network.

Hi Colin,
are you saying making sure the http headers are available can allow SSO with LDAP or just SSO isn’t an option?

They are two separate authentication mechanisms – HTTP Header-based authentication is the only option that will, for example, let a user browse to SonarQube and have to initiate no login-action at all. With LDAP (or another other means), your user will still have to click/type something to login.