Making SAML 2.0 SSO the primary login method

authentication
sso
saml

(Keith Craley) #1

Current Configuration:

  • SonarQube version - 6.7.3 (Windows Server 2016 & IIS 10.0)
  • SAML 2.0 Plugin version - 1.1.0 (build 181) currently configured (and working) with Azure Active Directory
  • LDAP Plugin version - 2.2 (build 608) currently configured (and working) with on-premise domain controllers
  • Administration > Security > Force user authentication = Enabled

Goal:

We would like to make SAML 2.0 SSO the primary method of logging in users. Currently, with forced user authentication, the end user has a choice between clicking the button to log on via SAML or a “more options” link which displays a login form. Is it possible to initiate the SAML 2.0 process automatically when browsing to https://sonar.companydomain.com?

Troubleshooting Steps Taken:

The LDAP plugin has been uninstalled; however, the user still has to make a choice for login. I am assuming this is because the built-in local Administrator account still exists. I am not opposed to setting a redirect in IIS to https://sonar.companydomain.com/sessions/init/saml?return_to=%2F but figured this might break scanning functionality.

Has anyone done this successfully? Is there any way to set SAML 2.0 as the primary authentication method natively in SonarQube?
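The IIS redirect floated in the post above, written out as an added example (not code from the original post or from SonarQube) so the "break scanning" worry can be checked. It is an IIS URL Rewrite rule for the SonarQube site's web.config that redirects only a browser request for the bare site root into the SAML flow; every other path, including the /api/... and /batch/... endpoints a scanner calls with a token and the /sessions/new login form used by the built-in admin, is left alone. Assumptions not stated on the page: IIS URL Rewrite 2.x is installed, browsers send an Accept header containing text/html while scanners do not, and the SonarQube session cookie is named JWT-SESSION.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example for the SonarQube site's web.config (not from the original post).
     Assumptions: IIS URL Rewrite 2.x; session cookie name JWT-SESSION;
     scanners never request the site root and never send Accept: text/html. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="SonarQube root to SAML" stopProcessing="true">
          <!-- Only the empty path (the site root). /api/..., /batch/...,
               /sessions/new and every project page do not match, so scanner
               traffic and the break-glass local login are untouched. -->
          <match url="^$" />
          <conditions logicalGrouping="MatchAll">
            <!-- Browsers only: a scanner or API client sends */* or
                 application/json, not text/html. -->
            <add input="{HTTP_ACCEPT}" pattern="text/html" />
            <!-- Skip users who already hold a SonarQube session. Without this,
                 the return_to=/ after a successful login lands on the root again
                 and re-enters this rule, i.e. a redirect loop through the IdP.
                 (Cookie name is an assumption; check it in the browser.) -->
            <add input="{HTTP_COOKIE}" pattern="JWT-SESSION=" negate="true" />
            <!-- Escape hatch if the IdP is down: /?local=1 shows the normal
                 SonarQube page with the "more options" login form. -->
            <add input="{QUERY_STRING}" pattern="^local=" negate="true" />
          </conditions>
          <!-- 302, not 301: a permanent redirect would be cached by browsers
               and could not be withdrawn if the rule needs changing. -->
          <action type="Redirect" url="sessions/init/saml?return_to=%2F"
                  redirectType="Temporary" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Before enabling it site-wide, run a scan with the rule in place and watch the IIS log: every scanner request should be a direct 200 on /api/... or /batch/..., and the only 302s should be browser requests for "/". Keep in mind that this makes SAML the default path only; the local Administrator account can still log in through /sessions/new, which is what you want for recovery but also means its password must be strong.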


(Vinod Anandan) #2

Hi Keith,

To be honest, I would personally prefer OpenID Connect over SAML for new applications. You can google about the comparison and also understand why Microsoft loves OIDC.

If you want to restrict users' authentication choice, you can also implement this using proxy/web server based SSO. In this method, your proxy/web server may be configured with your Identity Provider/IdP (Azure AD) with SAML or OpenID Connect, and your web server will authenticate the user and communicate the user information via HTTP headers using the delegated authentication available in SonarQube.

You can find more details below.

User <-> Proxy WebServer <-> SonarQube Server

https://docs.sonarqube.org/latest/instance-administration/delegated-auth/

Also, please make sure that you have an account with admin privileges available with IdP authentication.

If you need more information, please let us know.

Thank you,

Vinod
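The proxy-based approach in the reply above, as an added example (not code from the original thread or from SonarQube). It is an IIS URL Rewrite + Application Request Routing (ARR) reverse-proxy rule that forwards every request to SonarQube and passes the identity the front end has already authenticated in the headers SonarQube's HTTP header authentication reads. The security-relevant detail is that the proxy must overwrite those headers on every request: if a client can reach SonarQube with its own X-Forwarded-Login, header authentication is a complete bypass. Assumptions not stated on the page: SonarQube listens on http://127.0.0.1:9000 on the same host, and the front-end authentication module exposes the user as the LOGON_USER server variable (IIS Windows Authentication does; a SAML/OIDC module for IIS is assumed here to populate it the same way).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example for the proxy site's web.config (not from the original thread).
     Assumptions: IIS URL Rewrite 2.x and ARR installed, SonarQube on
     http://127.0.0.1:9000, authenticated user available as {LOGON_USER}. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Proxy to SonarQube" stopProcessing="true">
          <match url="(.*)" />
          <serverVariables>
            <!-- HTTP_* server variables become request headers on the proxied
                 request. Setting them here OVERWRITES whatever the client sent,
                 so a browser cannot forge X-Forwarded-Login. -->
            <set name="HTTP_X_FORWARDED_LOGIN" value="{LOGON_USER}" />
            <set name="HTTP_X_FORWARDED_NAME" value="{LOGON_USER}" />
            <!-- SonarQube also reads X-Forwarded-Email and X-Forwarded-Groups
                 by default. An empty value removes the header (the same ARR
                 idiom used to strip HTTP_ACCEPT_ENCODING), so a client cannot
                 grant itself group membership by sending them. -->
            <set name="HTTP_X_FORWARDED_EMAIL" value="" />
            <set name="HTTP_X_FORWARDED_GROUPS" value="" />
          </serverVariables>
          <action type="Rewrite" url="http://127.0.0.1:9000/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two things outside this file are required for it to be safe. First, each server variable set above must be listed once under rewrite/allowedServerVariables in applicationHost.config (IIS Manager: URL Rewrite, "View Server Variables"), otherwise IIS rejects the rule. Second, SonarQube itself must be unreachable except through the proxy: in sonar.properties set sonar.web.sso.enable=true, sonar.web.sso.loginHeader=X-Forwarded-Login, sonar.web.sso.nameHeader=X-Forwarded-Name and, crucially, sonar.web.host=127.0.0.1 so port 9000 is not exposed on the network. Scanners still authenticate with their token over the same proxy; the token is presented in the Authorization header, and only the X-Forwarded-* headers are replaced. As the reply notes, create an admin user through this path before removing any other admin access.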