- ALM used: Azure DevOps
- CI system used: Azure DevOps
- Scanner command used when applicable: n/a
- Languages of the repository: n/a
- Steps to reproduce:
  - Log in to the organisation as an owner
  - Go to the Members tab
  - Click ‘Add a member’
  - Search users by login or name (we would like to limit users to the organisation’s domain name)
- Potential workaround: unknown
Hi, we are an organisation with hundreds of developers. We are using Azure DevOps and Azure Cloud, so developers already have an Azure DevOps login which is linked to our AAD identity server. A risk has been identified with the SonarCloud platform, given that users from outside our domain can be accidentally added to the organisation. For example, if John Doe has a personal GitHub account and an Azure DevOps account linked to the organisation’s domain, then it is possible that the wrong account is added as an organisation member. Our security architect has asked us to restrict members of the organisation to users who have been authenticated via our AAD identity provider. However, I cannot see how this is possible.
Can you please advise if there is a solution that will satisfy our security requirements?
Hi @warner-godfrey and welcome to the community,
Adding members to a SonarCloud organization is done with usernames (which are unique across all of SonarCloud).
Although all of them can be added, names are self-explanatory: depending on the identity provider with which the user created an account, the name is suffixed, e.g. @github for GitHub, … so mistakes should be minimal; it just requires extra attention from the admin who is managing that, I guess. And we don’t currently have a binding between an Azure DevOps organization and SonarCloud, so it is not possible to restrict the list of users to your AzDo org only.
Thanks for the quick response.
Unfortunately, when we authenticate via Azure DevOps using our domain credentials, the usernames are not self-explanatory. Usernames have the format firstname-lastnameXXXXX and do not have an ALM suffix. Rather, the suffix appears to be a 5-digit non-sequential number, and this issue has already been raised in the forum: https://community.sonarsource.com/t/login-user-name-when-using-login-with-azure-devops/9997.
So, it is not obvious that the user has come from Azure DevOps and the possibility of mistakes is high enough that SonarCloud may fail our security assessment. Are there any proposed features on the roadmap that will address this issue?
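The posts above describe two login shapes an org admin can tell apart by eye: accounts from other providers carry an @provider suffix (@github for GitHub), while accounts that signed in through Azure DevOps look like firstname-lastname followed by a 5-digit number. The script below turns that observation into a membership audit an admin can run over a copied member list. It is an added example, not code from the thread or from SonarSource; the regular expressions, the sample logins and the bitbucket suffix are assumptions based only on the login shapes the posts describe.

```python
import re

# Constructed sample of member logins, as an org admin might read them off the
# SonarCloud Members tab. These are not real accounts.
SAMPLE_MEMBERS = [
    "john-doe12345",         # Azure DevOps-style login: no ALM suffix, 5-digit tail
    "jane-smith98765",
    "johndoe@github",        # GitHub-backed account, identified by the @github suffix
    "jdoe@bitbucket",        # another ALM suffix (assumed form, not named in the thread)
    "john-doe",              # no 5-digit tail: does not match the Azure DevOps shape
    "john.doe@contoso.com",  # an e-mail address pasted by mistake
]

# Login shape described in the thread for users who signed in via Azure DevOps:
# firstname-lastname followed by a 5-digit number. Assumed: lowercase letters
# only in the name parts; adjust after checking your own member list.
AZDO_LOGIN = re.compile(r"^[a-z]+(?:-[a-z]+)+[0-9]{5}$")

# Logins from other providers are suffixed @<provider>, e.g. @github.
ALM_SUFFIX = re.compile(r"^(?P<name>[^@\s]+)@(?P<alm>[a-z]+)$")


def classify(login):
    """Return (kind, detail) for one login.

    kind is one of:
      "alm"       - carries an @<provider> suffix; detail is the provider
      "azdo-like" - matches the Azure DevOps login shape; detail is None
      "unknown"   - matches neither; detail is None
    """
    m = ALM_SUFFIX.match(login)
    if m:
        return ("alm", m.group("alm"))
    if AZDO_LOGIN.match(login):
        return ("azdo-like", None)
    return ("unknown", None)


def audit(members):
    """Split a member list into logins that look like Azure DevOps accounts and
    logins an admin should double-check before (or after) adding them."""
    result = {"azdo_like": [], "flagged": []}
    for login in members:
        kind, detail = classify(login)
        if kind == "azdo-like":
            result["azdo_like"].append(login)
        elif kind == "alm":
            result["flagged"].append(
                (login, f"account comes from {detail}, not Azure DevOps"))
        else:
            result["flagged"].append(
                (login, "does not match the Azure DevOps login shape"))
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_MEMBERS)
    for login in report["azdo_like"]:
        print(f"ok     {login}")
    for login, reason in report["flagged"]:
        print(f"CHECK  {login}: {reason}")
```

Treat this as triage, not as a control. A login that matches the Azure DevOps shape only tells you which provider the account came from; it cannot show that the account authenticated against your AAD tenant, and a same-named user from a different Azure DevOps organisation would produce a login of the same shape. That is the gap the original post raises, and only a binding between the Azure DevOps organisation and the SonarCloud organisation, as discussed in the thread, would close it.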
We will soon have a strong binding between Azure DevOps organization and SonarCloud orgs, but no ETA to give you yet, unfortunately.
Thanks @mickaelcaro for the update. We may have to look into a self hosted instance with LDAP for now.
Hey @mickaelcaro, I’m also looking forward to seeing this capability!