Multi IDP/SSO configuration

Hello,

We are currently going through an internal split and also a migration from our current IDP, JumpCloud, to a new IDP, Microsoft Entra ID.

  1. I want to ask if it is possible to configure multiple/two IDPs/SSOs in SonarQube? One with our current IDP - JumpCloud and second one with our new IDP - EntraID.

This would help us a lot with a smoother and better transition/migration from JumpCloud to EntraID.

If not possible, we would need to do this outside of working hours and make sure everything is working properly. I checked the documentation for SSO and SCIM here:

It mentions to create your own custom app.

  2. However, I see that in Entra ID there is SonarQube in Microsoft's app gallery. Can I use that? Or should I rather create my own custom app?

Also, we aim to have both SSO and SCIM configured. However, with EntraID, we will be using a new domain (@monstarlab-im.com), but in SonarQube users have their old domain (@monstar-lab.com).

So in EntraID, instead of default attribute “UPN”, we would use attribute “user.mail”. This attribute will contain the user’s old email (@monstar-lab.com) which they have at the moment in SonarQube, so they will be able to login via SSO.

  3. So my next question is, if we can do this also for the SCIM provisioning and map the “user.mail” attribute in EntraID to the user’s email in SonarQube?

Thanks a lot for all your help and answers.

Hey there.

It’s only possible to have a single SAML provider at a time, sorry. :frowning:

My first recommendation is that you try this all out on a non-production instance (a copy of your production instance so you can test the migration of users)

It might work. However, I can only recommend following the official documentation.

I think the right move here won’t be to map the external identity to the user’s old e-mail, but to make sure you update the external identity of all your users (preferably by some script) before you transition the users to using the new identity provider.

Basically it would mean following this guide:

Migrating from SAML to SAML, but updating the external identity to be the @monstarlab-im.com e-mail address.
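One way to script the external-identity update described above (added example, not code from the thread or from SonarSource). It assumes the SonarQube Web API endpoint `POST api/users/update_identity_provider` with the parameters `login`, `newExternalProvider` and `newExternalIdentity`, a user token with Administer System permission, and user records in the shape returned by `api/users/search`; the user list below is constructed.

```python
import base64
import urllib.parse
import urllib.request

OLD_DOMAIN = "monstar-lab.com"    # domain currently stored in SonarQube
NEW_DOMAIN = "monstarlab-im.com"  # domain the Entra ID tenant will send

def new_external_identity(old_identity):
    """Return the old identity rewritten to the new domain, or None if the
    identity is not in the old domain (so it is left untouched)."""
    local, sep, domain = old_identity.rpartition("@")
    if not sep or domain.lower() != OLD_DOMAIN:
        return None
    return f"{local}@{NEW_DOMAIN}"

def plan_updates(users, provider="saml"):
    """Build one request payload per SAML user whose external identity is
    still on the old domain. Local (sonarqube) users are skipped."""
    plans = []
    for u in users:
        if u.get("externalProvider") != provider:
            continue
        new_id = new_external_identity(u.get("externalIdentity", ""))
        if new_id is None:
            continue
        plans.append({"login": u["login"],
                      "newExternalProvider": provider,
                      "newExternalIdentity": new_id})
    return plans

def apply_updates(base_url, token, plans, dry_run=True):
    """POST each payload to api/users/update_identity_provider (assumed
    endpoint). With dry_run=True nothing is sent; run that first, then the
    real thing against a copy of production before touching production."""
    auth = base64.b64encode(f"{token}:".encode()).decode()  # token as basic-auth user
    done = []
    for p in plans:
        if not dry_run:
            req = urllib.request.Request(
                f"{base_url.rstrip('/')}/api/users/update_identity_provider",
                data=urllib.parse.urlencode(p).encode(),
                headers={"Authorization": f"Basic {auth}"}, method="POST")
            urllib.request.urlopen(req).read()
        done.append(p["login"])
    return done

# Constructed sample in the shape of an api/users/search response.
SAMPLE_USERS = [
    {"login": "alice@monstar-lab.com", "externalProvider": "saml", "externalIdentity": "alice@monstar-lab.com"},
    {"login": "bob", "externalProvider": "sonarqube", "externalIdentity": "bob"},
    {"login": "carol@other.example", "externalProvider": "saml", "externalIdentity": "carol@other.example"},
]
```

Once the identities are rewritten, a user can only authenticate through the provider that sends the new identity, so run the live update only at the moment you switch the SAML configuration to Entra ID.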

I’m actually quite confused by the documentation.

Why does Sonar recommend to use email address instead of UPN as the identifying attribute?

Hey @Lexy_Zhitenev

Can you point me to the specific piece of documentation you’re talking about?

Hey @Colin,

I’m actually now very confused, I’m sure I did see it somewhere.

But this link

shows this:

SonarQube uses the following attributes:

  • Login (required) A unique name to identify the user in SonarQube. The default Azure AD attribute emailaddress is used in the example. You can also use the objectID attribute.

Although the screenshot seems to be updated to use UPN, the doco still says you should use emailaddress as the login.

The reason I’m paying attention to this is that our email addresses and UPNs don’t match, so when you sign in using Azure AD / Entra ID, you may get an error because the user’s login would not match a provisioned user (but the emails would).

Found it.

I configured it for 9.9 LTA: How to setup Azure AD (sonarsource.com)

It’s the same as 10.5, but the screenshots also show user.mail.

Our docs team loves docs feedback, so I’m going to shoot this over to them. :slight_smile:


Thank you for this feedback.

I’ve created a ticket at the top of our backlog to address this inconsistency.