I’ve set up SonarQube with GitLab ALM to allow using GitLab as my identity provider, but I’ve noticed that setting sonar.auth.gitlab.allowUsersToSignUp to TRUE allows anyone in the world with a GitLab account to click the “Log on with GitLab” button on my SonarQube logon page and have sonar-user access - hence, allowing them to view project details/source code/etc.
This is very insecure default behavior, so I’m trying to find a way to restrict who with a GitLab user account can log on to my SonarQube instance. Setting sonar.auth.gitlab.allowUsersToSignUp to FALSE and pre-creating the SonarQube user with attributes matching their GitLab user account seemed like a good workaround. Ideally, this would allow them to click “Log on with GitLab” and associate their GitLab account with the pre-created SonarQube account.
When testing this with said accounts, I get the following prompt:
The email address firstname.lastname@example.org is already associated to this user account:
By clicking on “Continue” you will associate this email address to another user account:
However, after clicking Continue - instead of granting the GitLab-sync’d user account access as expected, I get the following error:
You’re not authorized to access this page. Please contact the administrator.
Reason: ‘gitlab’ users are not allowed to sign up
Ultimately, I’d be most appreciative for a resolution to either of the following:
Is there a way to successfully associate GitLab user accounts with SonarQube user accounts and allow that user access into SonarQube?
Alternatively, is there a way to restrict who can SSO into a SonarQube instance using GitLab ALM Authentication?
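An audit check for the situation described in the post above, added here as an example and not part of the original post or of SonarQube itself: it lists accounts provisioned through the GitLab provider that are not on an expected allowlist, so any sign-ups that slipped in while allowUsersToSignUp was TRUE become visible. It assumes the field names ("login", "local", "externalProvider", "externalIdentity") of SonarQube's GET /api/users/search response and runs on a constructed sample payload.

```python
import base64
import json
import urllib.request

# Constructed sample mimicking a GET /api/users/search payload (assumed shape).
SAMPLE_RESPONSE = json.dumps({"users": [
    {"login": "admin", "local": True, "email": "admin@example.org"},
    {"login": "alice", "local": False, "externalProvider": "gitlab",
     "externalIdentity": "alice", "email": "alice@example.org"},
    {"login": "random-dev", "local": False, "externalProvider": "gitlab",
     "externalIdentity": "random-dev", "email": "someone@mail.example"},
    {"login": "bob", "local": False, "externalProvider": "gitlab",
     "externalIdentity": "bob", "email": "bob@example.org"},
]})


def fetch_users(base_url, token, page_size=500):
    """Fetch the raw users JSON from a live server (not used by the sample run).
    SonarQube accepts a user token as the Basic-auth username with an empty password."""
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/users/search?ps={page_size}",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def find_unexpected_sso_users(response_json, provider, allowed_identities):
    """Return logins of non-local users provisioned by `provider` whose external
    identity is not on the allowlist. Local accounts are skipped because they
    cannot have been created by the SSO sign-up path."""
    users = json.loads(response_json).get("users", [])
    unexpected = []
    for u in users:
        if u.get("local", True) or u.get("externalProvider") != provider:
            continue
        if u.get("externalIdentity") not in allowed_identities:
            unexpected.append(u["login"])
    return sorted(unexpected)


def provider_summary(response_json):
    """Count accounts per identity source ("local" or the external provider name)."""
    counts = {}
    for u in json.loads(response_json).get("users", []):
        key = "local" if u.get("local", True) else u.get("externalProvider", "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(find_unexpected_sso_users(SAMPLE_RESPONSE, "gitlab", {"alice", "bob"}))
    print(provider_summary(SAMPLE_RESPONSE))
```

Against a real instance, replace SAMPLE_RESPONSE with the output of fetch_users() called with an admin token; the allowlist is the set of GitLab usernames you pre-created accounts for.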