Making SAML 2.0 SSO the primary login method

Current Configuration:

  • SonarQube version - 6.7.3 (Windows Server 2016 & IIS 10.0)
  • SAML 2.0 Plugin version - 1.1.0 (build 181) currently configured (and working) with Azure Active Directory
  • LDAP Plugin version - 2.2 (build 608) currently configured (and working) with on-premise domain controllers
  • Administration > Security > Force user authentication = Enabled


We would like to make SAML 2.0 SSO the primary method of logging in users. Currently, with forced user authentication, the end user has a choice between clicking the button to log on via SAML or a “more options” link which displays a login form. Is it possible to initiate the SAML 2.0 process automatically when browsing to

Troubleshooting Steps Taken:

The LDAP plugin has been uninstalled; however, the user still has to make a choice for login. I am assuming this is because the built-in local Administrator account still exists. I am not opposed to setting a redirect in IIS to but figured this might break scanning functionality.

Has anyone done this successfully? Is there any way to set SAML 2.0 as the primary authentication method natively in SonarQube?

Hi Keith,

To be honest, I would personally prefer OpenID Connect over SAML for new applications. You can google about the comparison and also understand why Microsoft loves OIDC :)

If you want to restrict users' authentication choice, you can also implement this using proxy/web server based SSO. In this method, your proxy/web server may be configured with your Identity Provider/IdP (Azure AD) with SAML or OpenID Connect, and your web server will authenticate the user and communicate the user information via HTTP headers using the delegated authentication available in SonarQube.

You can find more details below.

User <-> Proxy WebServer <-> SonarQube Server

Also, please make sure that you have an account with admin privileges available with IdP authentication.

If you need more information, please let us know.

Thank you,
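
A `sonar.properties` fragment for the delegated (HTTP header) authentication described in this reply, added here as an example and not taken from the thread. It assumes the proxy runs on the same host as SonarQube; the header names shown are SonarQube's defaults.

```properties
# conf/sonar.properties (added example; values are assumptions to adapt)

# Delegated authentication: SonarQube trusts the identity the reverse proxy
# passes in request headers after the proxy has authenticated the user
# against the IdP.
sonar.web.sso.enable=true

# Header carrying the user's login. This is the value SonarQube treats as
# the authenticated identity.
sonar.web.sso.loginHeader=X-Forwarded-Login

# Optional headers for display name, e-mail and group membership
# (groups are sent as a comma-separated list).
sonar.web.sso.nameHeader=X-Forwarded-Name
sonar.web.sso.emailHeader=X-Forwarded-Email
sonar.web.sso.groupsHeader=X-Forwarded-Groups

# Interval at which user details are re-read from the headers.
sonar.web.sso.refreshIntervalInMinutes=5

# Trust boundary: anything that can reach this listener can assert any
# login through the header above. Assumption: the proxy is on the same
# machine, so bind SonarQube to loopback and expose only the proxy.
sonar.web.host=127.0.0.1
sonar.web.port=9000
```

The proxy must remove any of these headers supplied by the client before setting its own values; otherwise a request that already carries the login header would be accepted as that user.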


Tweak “C:\Program Files\SonarQube\web\index.html”
Insert the following js code snippet at the bottom of the file just before the </body></html> tags:

<script type="text/javascript">
// On the "unauthorized" page, redirect to the login form after 4 seconds.
if (location.href.indexOf("/sessions/unauthorized") > 0) {
  window.setTimeout(function () {
    window.location.href = "/sessions/new?return_to=locallogin";
  }, 4000);
}
</script>


When a user navigates to SonarQube, the URL is forwarded to SAML authentication ("/sessions/init/saml?return_to=").
When a user is connected to SonarQube and logs out, the URL ‘/sessions/logout’ is trapped using document.referrer (browser history) and forwarded to ‘sessions/new/return_to=locallogin’. The locallogin part in the URL prevents the above code from auto-forwarding to SAML authentication. Without it, you would never be able to log out and use other options such as a local account.