How to Secure GitLab ALM Authentication

SonarQube 8.9.1.44547

I’ve set up SonarQube with GitLab ALM to allow using GitLab as my identity provider, but I’ve noticed that setting sonar.auth.gitlab.allowUsersToSignUp to TRUE allows anyone in the world with a GitLab account to click the “Log on with GitLab” button on my SonarQube logon page and have sonar-user access - hence, allowing them to view project details/source code/etc.

This is very insecure default behavior, so I’m trying to find a way to restrict who with a GitLab user account can logon to my SonarQube instance. Setting sonar.auth.gitlab.allowUsersToSignUp to FALSE and pre-creating the SonarQube user with attributes matching their GitLab user account seemed like a good workaround. Ideally, this would allow them to click “Log on with GitLab” and associate their GitLab account with the pre-created SonarQube account.

When testing this with said accounts, I get the following prompt:

The email address user.name@example.com is already associated to this user account:

user.name

By clicking on “Continue” you will associate this email address to another user account:

However, after clicking Continue - instead of granting the GitLab-sync’d user account access as expected, I get the following error:

You’re not authorized to access this page. Please contact the administrator.

Reason: ‘gitlab’ users are not allowed to sign up

Ultimately, I’d be most appreciative for a resolution to either of the following:

Is there a way to successfully associate GitLab user accounts with SonarQube user accounts and allow that user access into SonarQube?

Alternatively, is there a way to restrict who can SSO into a SonarQube instance using GitLab ALM Authentication?

Hi,
I don’t think we currently have a way to restrict the sign up of GitLab users if sonar.auth.gitlab.allowUsersToSignUp is enabled.

You could try to create a GL group with your users, enable the synchronization of groups in SonarQube and set very restrictive permissions to users outside of your group. I didn’t test this, so I’m not sure if it’d work.

Hi,

According to the message, I assume you’ve created a local account and you try to use it with GitLab.
You can’t simultaneously use 2 new authentication methods for the same account, but you should be able to change the authentication method for the account using the Web API.
I invite you to read how to “Migrate users to a new authentication method” in this documentation page.

Chris

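An added example (not code from this thread or from SonarSource) of the Web API call Chris points to: it moves a pre-created local SonarQube user onto the GitLab provider, which is the case the original poster describes. It assumes the `api/users/update_identity_provider` endpoint with `login`, `newExternalProvider` and `newExternalIdentity` parameters, the `gitlab` provider key seen in the error message above, and a user token that has the Administer System permission.

```python
"""Migrate a local SonarQube account to the GitLab identity provider."""
import base64
import os
import sys
import urllib.request
from urllib.parse import urlencode

# Assumed endpoint name and provider key (see lead-in); verify against your
# instance's Web API documentation before running.
MIGRATE_PATH = "/api/users/update_identity_provider"
GITLAB_PROVIDER = "gitlab"


def build_migration_request(base_url, token, login, gitlab_username):
    """Return (url, form_body, headers) for the migration POST.

    login: the existing SonarQube login to migrate.
    gitlab_username: the identity GitLab reports for that person; after the
    call only a GitLab login with this identity can use the account.
    """
    url = base_url.rstrip("/") + MIGRATE_PATH
    body = urlencode({
        "login": login,
        "newExternalProvider": GITLAB_PROVIDER,
        "newExternalIdentity": gitlab_username,
    }).encode()
    # SonarQube accepts a user token as the basic-auth username, empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    headers = {
        "Authorization": f"Basic {auth}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, body, headers


def migrate_user(base_url, token, login, gitlab_username):
    """Send the request; SonarQube answers 204 No Content on success."""
    url, body, headers = build_migration_request(base_url, token, login, gitlab_username)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: SONAR_URL=https://sonar.example SONAR_TOKEN=... python migrate.py login gitlab_username
    if len(sys.argv) != 3 or not os.environ.get("SONAR_TOKEN"):
        sys.exit("need SONAR_URL, SONAR_TOKEN and two arguments: <login> <gitlab_username>")
    status = migrate_user(os.environ["SONAR_URL"], os.environ["SONAR_TOKEN"], *sys.argv[1:])
    print("migrated" if status == 204 else f"unexpected HTTP status {status}")
```

With allowUsersToSignUp left FALSE, only accounts migrated this way (plus pre-existing local users) can authenticate, which is the restriction the question asks for.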