Issue updating user to external provider login via api

Attempting to create users prior to them logging in so we can automate assigning permissions. At first we tried the api to create a user as local false then login with aad for that same user. What ended up happening is the database got two entries for the same user so that was a fail. Then we tried creating the user and specifying the externalProvider as aad, but the api ignores the value. Then we tried creating the user as local false, then calling the update_identity_provider for the user. That resulted in the error below. We do not use the LDAP plugin, only the AAD plugin as it is more secure. It seems SonarQube tries to get in the way of creating a user before they login with the external provider which really should not be a requirement. Can someone help?

Template for a good bug report, formatted with Markdown:

  • versions used (SonarQube, Scanner, Plugin, and any relevant extension)
  • error observed (wrap logs/code around triple quote ``` for proper formatting)
{“errors”:[{“msg”:“A user with provider id 'xxx’ and identity provider ‘aad’ already exists”}]}

We verified the user only has externalProvider set as 'sonarqube' so not sure why it would be giving us this error.
  • steps to reproduce
    call webapi to create user as local false
    call /users/update_identity_provider to update the user with newExternalProvider = aad
  • potential workaround
    P.S.: use the #bug:fault sub-category if you’re hitting a specific crash/error , or the #bug:fp sub-category for rules-related behaviour


Welcome to the community!

I’m moving this to the Suggest New Features category, since there’s no functionality to provision users.

That said, I want to point out that by delegating group authorization, you can pre-configure users’ permissions by setting their groups in your external provider.


Hello @buddhamangler ,

Could you share exactly what WS calls (exact request body if possible) and what DB state (select * from users where external_identity_provider = 'aad') you currently have?

Also could you send a result of this WS call api/users/identity_providers?

I’ve tried to reproduce your issue with fresh SQ instance, but with different identity provider saml in my case, but it shouldn’t matter AFAIK with following steps:

  1. Create user with local set to false
  2. Use update identity user
  3. Log in using with external identity provider succeeded

No issue has arisen.

@buddhamangler Were you able to fix the issue?