I am the administrator of a SonarQube enterprise instance (version 8.9.3) and am trying to set up our internal GitLab instance as SSO.
Right now we use the same LDAP tree for authentication in both SonarQube and GitLab.
I have now basically managed to set up the integration of GitLab and SonarQube ALM; however, I am struggling with the issue in the summary.
Whenever an existing user is trying to login via GitLab, they get the message:
You’re not authorized to access this page. Please contact the administrator.
Reason: This account is already associated with another authentication method. Sign in using the current authentication method, or contact your administrator to transfer your account to a different authentication method.
How do I transfer the account? I did not find hints in the documentation.
Unfortunately the user-ids I get via the GitLab integration are completely different from ones I had before via LDAP.
It seems SonarQube uses a concatenation of the first- and lastname where any non-ASCII characters are stripped together with a random integer as login.
In our LDAP we generally have first-character-firstname + lastname as login.
After I had transferred/migrated my user I was unable to log in at all; neither GitLab nor LDAP succeeded.
Important is the externalProvider entry here. You may update the user like this: curl -u "${adminToken}:" -s https://sonarqube.example.com/api/users/update_identity_provider -d login=tcurtis -d newExternalProvider=gitlab (I just guessed the name gitlab here)
If the identity in GitLab is different from the one in SAML/OIDC, a parameter newExternalIdentity may need to be added.
There is an externalProvider called sonarqube which uses either LDAP or the internal password mechanism of SonarQube.
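
Added example (not part of the thread and not SonarQube's own tooling): a dry-run planner that prints one update_identity_provider call per account still on the sonarqube provider, so the changes can be reviewed before any are run. The three-column input format, the KEEP_LOGINS break-glass list and the function name are assumptions made for this sketch, and the provider key gitlab is the guess from the post above.

```shell
#!/bin/sh
# Dry run only: prints curl commands, never calls the SonarQube API itself.
# Input rows (constructed format): <login> <current externalProvider> [<GitLab identity>]
SONAR_URL="${SONAR_URL:-https://sonarqube.example.com}"
NEW_PROVIDER="${NEW_PROVIDER:-gitlab}"   # guessed key, confirm on your instance
KEEP_LOGINS="${KEEP_LOGINS:-admin}"      # accounts that must keep their current login path

plan_migration() {
  while read -r login provider identity; do
    # Ignore blank lines and comments in the input.
    case "$login" in ''|'#'*) continue ;; esac
    # Never move break-glass accounts, so a failed transfer cannot lock out every admin.
    case " $KEEP_LOGINS " in
      *" $login "*) printf '# skip %s: kept on current provider\n' "$login"; continue ;;
    esac
    # Only accounts on the built-in provider (LDAP or internal password) are candidates.
    if [ "$provider" != "sonarqube" ]; then
      printf '# skip %s: provider is %s\n' "$login" "$provider"
      continue
    fi
    # Refuse values that would need shell or URL escaping in the printed command.
    case "$login$identity" in
      *[!A-Za-z0-9._@-]*) printf '# skip %s: unexpected characters\n' "$login"; continue ;;
    esac
    cmd="curl -s -u \"\${adminToken}:\" $SONAR_URL/api/users/update_identity_provider"
    cmd="$cmd -d login=$login -d newExternalProvider=$NEW_PROVIDER"
    # Only send newExternalIdentity when the GitLab identity was supplied.
    if [ -n "$identity" ]; then
      cmd="$cmd -d newExternalIdentity=$identity"
    fi
    printf '%s\n' "$cmd"
  done
}

# Constructed sample rows; replace with an export from your own instance.
plan_migration <<'EOF'
tcurtis sonarqube tcurtis
jdoe    sonarqube john.doe
admin   sonarqube
svc-ci  saml      svc-ci
EOF
```

Review the printed commands, run one for a single test account, and confirm that account can log in via GitLab before running the rest.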