Enable SSO For SonarQube on Windows Active Directory

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    - Developer Edition
    - Version 9.4 (build 54424)
  • what are you trying to achieve
    - Enable single sign-on with Windows Active Directory
    - LDAP and group mapping is in use; would like the users in the groups to auto sign in using SSO
  • what have you tried so far to achieve this

SSO Authentication

SONAR_WEB_SSO_ENABLE=false
Enable authentication using HTTP headers

SONAR_WEB_SSO_LOGINHEADER=X-Forwarded-Login
Name of the header to get the user login. Only alphanumeric, ‘.’ and ‘@’ characters are allowed

SONAR_WEB_SSO_NAMEHEADER=X-Forwarded-Name
Name of the header to get the user name

SONAR_WEB_SSO_EMAILHEADER=X-Forwarded-Email
Name of the header to get the user email (optional)

SONAR_WEB_SSO_GROUPSHEADER=X-Forwarded-Groups
Name of the header to get the list of user groups, separated by comma (optional). If the SONARSSOGROUPSHEADER is set, the user will belong to those groups if groups exist in SonarQube. If none of the provided groups exists in SonarQube, the user will only belong to the default group. Note that the default group will always be set.

SONAR_WEB_SSO_REFRESHINTERVALINMINUTES=5
Interval used to know when to refresh name, email, and groups. During this interval, if for instance the name of the user is changed in the header, it will only be updated after X minutes.

Hey there.

SonarQube allows “SSO” in two ways:

  • Delegating authentication to a third-party (SAML, a DevOps platform). This still requires a manual login action, but a single identity.
  • Inferring authorization from HTTP Headers that an organization has configured to be available when a user is authenticated. No login action required.

What you’ve found in the documentation is for the latter. If you continue to use LDAP-based authorization, unfortunately, nothing is going to make it so that when a user browses to SonarQube they are “automatically” logged in. You would have to make sure the HTTP Headers are available and securely populated with the right information for each user on the network.

Hi Colin,
Are you saying making sure the HTTP headers are available can allow SSO with LDAP, or is SSO just not an option?
Thanks

They are two separate authentication mechanisms – HTTP Header-based authentication is the only option that will, for example, let a user browse to SonarQube and have to initiate no login-action at all. With LDAP (or any other means), your user will still have to click/type something to login.
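
An added example, not part of the thread and not SonarQube's own code: a sketch of what the authenticating proxy in front of SonarQube has to do so that the identity headers from the settings quoted above are populated only from the user it authenticated. The function name, the shape of the `identity` dict and the sample values are assumptions.

```python
import re

# Header names from the SONAR_WEB_SSO_* settings quoted in the thread.
SSO_HEADERS = {
    "login": "X-Forwarded-Login",
    "name": "X-Forwarded-Name",
    "email": "X-Forwarded-Email",
    "groups": "X-Forwarded-Groups",
}
# The quoted description allows only alphanumerics, '.' and '@' in the login.
LOGIN_RE = re.compile(r"[A-Za-z0-9.@]+")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def build_upstream_headers(client_headers, identity):
    """Headers a trusted proxy forwards; identity is None if unauthenticated."""
    reserved = {h.lower() for h in SSO_HEADERS.values()}
    # Never forward a client-supplied identity header, whatever its case.
    out = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    if identity is None:
        return out  # unauthenticated request: no identity headers at all
    login = identity["login"]  # assumed keys: login, name, email, groups
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("login has characters outside alphanumerics, '.', '@'")
    groups = [g.strip() for g in identity.get("groups", []) if g.strip()]
    if any("," in g for g in groups):
        raise ValueError("group name contains the list separator ','")
    values = {
        "login": login,
        "name": identity.get("name"),
        "email": identity.get("email"),
        # Groups travel as one comma-separated header value.
        "groups": ",".join(groups) if groups else None,
    }
    for key, value in values.items():
        if value is None:
            continue
        if CONTROL_RE.search(value):
            raise ValueError(f"control character in {key} value")
        out[SSO_HEADERS[key]] = value
    return out


if __name__ == "__main__":
    # Constructed sample: a browser tries to pre-set the login header.
    spoofed = {"x-forwarded-login": "admin", "Accept": "text/html"}
    user = {"login": "jdoe@example.com", "groups": ["sonar-users"]}
    print(build_upstream_headers(spoofed, user))
```

Under the character rule quoted above, a login in `DOMAIN\user` form is rejected here, so the proxy would have to pass the account name in another form.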