How to Manage Authorization in Keycloak for SonarQube Community Edition?

Hello everyone,

I am currently integrating SonarQube Community Edition with Keycloak for authentication using SAML. Authentication is working well, but now I need to implement authorization control at the Keycloak level.

Specifically, I want to restrict access to SonarQube based on user roles or group membership defined in Keycloak. I’d like to block users who don’t have the appropriate roles from accessing SonarQube altogether. Since SonarQube Community Edition lacks some of the built-in advanced permission controls available in the commercial editions, I’m hoping to handle this on the Keycloak side.

I am aware that OpenID Connect (OIDC) offers better support for Keycloak’s authorization services, but unfortunately, SonarQube natively supports SAML and does not support OpenID Connect as a client for authentication. Because of this, I’m exploring ways to manage authorization using SAML with Keycloak.

Has anyone successfully implemented role-based access control for SonarQube Community Edition using Keycloak? If so, what approaches did you take to manage authorization? I’d appreciate any advice or examples.

Thanks.

Hey there.

Most IDPs I’m familiar with have a concept of applications, and of assigning a specific group/user to an application, after which only those users who meet those criteria can log in.

You’ll probably find more Keycloak experts at their own community forum: https://keycloak.discourse.group/

Hey @Colin,

Keycloak does support authorization management, but primarily through OpenID. However, with SAML, there’s a limitation—it delegates the authorization step to the application (in this case, SonarQube).

While SAML is natively supported in SonarQube, OpenID is not. To use OpenID with SonarQube, a plugin is required, but the latest release I found for that plugin was from 2021. I have a concern about using it as I am running on the latest SonarQube version.
Thanks
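To make the point above concrete, here is an added example (not code from the thread, SonarQube or Keycloak) of the group-membership check that SAML leaves to the service provider: Keycloak issues the assertion, and the consumer has to decide whether the user is allowed in, which SonarQube Community Edition does not do. The assertion is a constructed, trimmed sample; the attribute name `groups` and the group paths are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, trimmed to the parts relevant to authorization.
# A real assertion also carries a Signature, Conditions and SubjectConfirmation,
# all of which must be validated before any attribute in it is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.invalid/realms/example</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>/developers</saml:AttributeValue>
      <saml:AttributeValue>/sonar-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_groups(xml_text, attribute_name="groups"):
    """Return the values of the named attribute as a set.

    Keycloak's group membership mapper emits full group paths such as
    "/sonar-users"; the attribute name is whatever the mapper is configured with
    (assumed "groups" here).
    """
    # ET is fine for this constructed input; use defusedxml for XML from the network.
    root = ET.fromstring(xml_text)
    groups = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                groups.add(value.text.strip())
    return groups


def is_authorized(xml_text, required_groups):
    """Allow the login only if the user is in at least one of the required groups."""
    return bool(assertion_groups(xml_text) & set(required_groups))


if __name__ == "__main__":
    print(is_authorized(SAMPLE_ASSERTION, {"/sonar-users"}))   # True
    print(is_authorized(SAMPLE_ASSERTION, {"/sonar-admins"}))  # False
```

Doing the same on the Keycloak side means configuring the client so that users outside the group never receive an assertion at all, which is configuration rather than code.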

Thanks. I can confirm that SonarQube doesn’t handle any of the Authorization pieces for SAML (it relies on the Identity Provider).

You’re welcome to try using GitHub - vaulttec/sonar-auth-oidc: OpenID Connect (OIDC) Plugin for SonarQube – it has no open issues on it indicating that it’s incompatible with newer versions of SonarQube, so it’s worth a shot.