SAML Plugin: skip user creation for already existing users

authentication
saml
(Alex) #1

I’ve installed the SAML Plugin 1.1 for SonarQube and established a connection from SonarQube to Keycloak.

Feature request: add the possibility to not override existing users at login via SAML.

The original problem here is: I have an admin account in Keycloak with exactly the same credentials as the admin account in SonarQube. When logging in to SonarQube via the SAML Plugin, the admin user from SonarQube was overridden with the admin account from Keycloak, with (and this is where the problem arises) the group “sonarqube-users”. As a consequence, I wasn’t able to log in with administrator permissions anymore.

(Julien Lancelot) #2

Hi @alwibrm and welcome to this community!

When delegating authentication to an identity provider, the identity provider takes full ownership of which users can authenticate. If a user login from the identity provider matches an existing user, it will indeed override it.
This allows you to easily migrate from one identity provider to another.

Regards,
Julien Lancelot

(Alex) #3

Hi @julienlancelot,

thanks for your warm welcome and the quick reply! That means instead of skipping the user creation in SonarQube you would recommend assigning the admin user an admin role in the identity provider and mapping that role to sonarqube-admin in SonarQube?

Kind regards
Alex

(Julien Lancelot) #4

Yes, it is exactly what I mean and would recommend!
And you can also keep a local admin user that does not exist in the identity provider in case you need to do some admin stuff and the identity provider is down.