I am the administrator of a SonarQube enterprise instance (version 8.9.3) and try to setup our internal GitLab instance as SSO.
Right now we use the same LDAP tree for authentication in both SonarQube and GitLab.
I now managed to setup the integration of GitLab and SonarQube ALM basically, however am struggeling with the issue in the summary.
Whenever an existing user is trying to login via GitLab, they get the message:
You’re not authorized to access this page. Please contact the administrator.
Reason: This account is already associated with another authentication method. Sign in using the current authentication method, or contact your administrator to transfer your account to a different authentication method.
How do I transfer the account? I did not find hints in the documentation.
Unfortunately the user-ids I get via the GitLab integration are completely different from ones I had before via LDAP.
It seems SonarQube uses a concatenation of the first- and lastname where any non-ASCII characters are stripped together with a random integer as login.
In our LDAP we generally have first-character-firstname + lastname as login.
After I had transfered/migrated my user I was unable to login at all, neither GitLab nor LDAP did succeed.
Important is the externalProvider entry here. You may update the user like this: curl -u ${adminToken}: -s https://sonarqube.example.com/api/users/update_identity_provider -dlogin=tcurtis -d newExternalProvider=gitlab (I just guessed the name gitlab here)
If the identity in GitLab is different from the one in SAML/OIDC you may need to a parameter newExternalIdentity needs to be added.
There is an externalProvider called sonarqube which does use either LDAP or the internal password mechanism of sonarqube.
Hi, I made migration from OIDC to gitlab as it was described above. But I have the same error. Logs in debug mode says my that email is already in use… Of course it’s in use. I have the user with this email and I want to change authentication from openID to gitlab… Maybe someone had such problem, when you did migration through API, but it’s still doesn’t working?
we recently switched all users from LDAP to SAML using the API call as outlined above and that did succeed. We defined a local admin user and used that one to change all entries (in our case we have SAML with 2FA which is used for humans and still use LDAP for so called service accounts used during CI which are able to login via basic auth).
Thank you for an answer. Tell me please, you just call for every account something like this:
curl -X POST -v -u XXX_local_admin_token_hereХХХ: “https://my_domain.com/sonarqube/api/users/update_identity_provider?login=53306&newExternalProvider=gitlab”
Keep users email as is and just login with account with other external authentication provider?
No user deactivation, no changing fields in sonarqube db, no other magic tricks? If so, it defenetly doesn’t work in my case… I tried change auth provider both api-way and changing db fields… No result…
2023.09.27 17:39:50 DEBUG web[AYYdfdds544gfdSSddf44][auth.event] login failure [cause|Email ‘user.name@mydomain.com’ is already used][method|OAUTH2][provider|EXTERNAL|GitLab][IP|127.0.0.1|][login|xx.username]
However, in our case the old login with LDAP and the externalIdentity with SAML are identical, so we just did added newExternalIdentity=${login} in the POST.
Maybe you need to update the login afterwards? There is api/users/update_login as well.
For me it also took a bit of time to understand that I have to update the ExternalIdentity field as well.
Using the api 2 version, this call worked for me:
.