Single Sign On (SSO) and LDAP integration (e.g. using HTTP Headers and NGINX)

ldap
authentication
sso

(Yatheesh) #1

Hi Team,

I have a requirement to set up Single Sign On for SonarQube using HTTP headers and NGINX as the reverse proxy.
So the idea is: the machine login uses LDAP to authenticate, and when I launch SonarQube, it should authenticate with the help of LDAP using the Single Sign On mechanism.
LDAP authentication is working perfectly fine. It is able to fetch the groups as well.

There is no proxy/firewall blocking this. This is the POC I'm doing on my local machine.

SonarQube version : 6.7.4 (build 38452) - LGPL v3 - Community
ldap plugin: sonar-ldap-plugin-2.2.0.608.jar
nginx version: nginx/1.15.0

sonar.properties for integrating SSO using HTTP headers

# SSO AUTHENTICATION

# Enable authentication using HTTP headers
sonar.web.sso.enable=true

# Name of the header to get the user login.
# Only alphanumeric, '.' and '@' characters are allowed
sonar.web.sso.loginHeader=X-Forwarded-Login

# Name of the header to get the user name
sonar.web.sso.nameHeader=X-Forwarded-Name

# Name of the header to get the user email (optional)
sonar.web.sso.emailHeader=X-Forwarded-Email

# Name of the header to get the list of user groups, separated by comma (optional).
# If the sonar.sso.groupsHeader is set, the user will belong to those groups if groups exist in SonarQube.
# If none of the provided groups exists in SonarQube, the user will only belong to the default group.
# Note that the default group will always be set.
sonar.web.sso.groupsHeader=X-Forwarded-Groups

# Interval used to know when to refresh name, email and groups.
# During this interval, if for instance the name of the user is changed in the header, it will only be updated after X minutes.
sonar.web.sso.refreshIntervalInMinutes=5

nginx configuration

server {
    listen       443 ssl;
    server_name  Yatheesh-MBP;

    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;

    location / {
        proxy_pass http://localhost:9000;
#        root   html;
#        index  index.html index.htm;
    }
}

How do I see the value of the below?

X_FORWARDED_PROTO:
X-Forwarded-Login:
X-Forwarded-Name: 
X-Forwarded-Email: 
X-Forwarded-Groups: 

Could you please guide / help me on this to set up SSO for SonarQube using HTTP headers + NGINX as reverse proxy?
Also let me know if this version of SonarQube supports SSO; if not, which version supports it?
And what are the supported SSO solutions available for SonarQube?

Thanks in advance.


(Yatheesh) #3

Here it says it is supported:
https://www.sonarqube.org/sonarqube-6-7-lts/#sso-support


(Nicolas Bontoux) #4

Hi Yatheesh,

One aspect which is not clear to me here is why you try to combine LDAP with SSO. Especially as, in the context of SonarQube, authentication via HTTP headers (sso properties in sonar.properties) and LDAP authentication are two completely distinct capabilities for SonarQube. Both are around authentication, sure, but they are different capabilities that cannot complement each other. In short:

  • if you wish to fully delegate authentication/authorization to your frontend, then that's what authentication via HTTP header can do (and yes, it's available in v6.7). You're responsible for implementing authentication logic at reverse-proxy level, and then SonarQube simply trusts incoming headers.

  • if you wish to simply integrate SonarQube with your LDAP/AD server, then the LDAP Plugin is the way to go. You can still use a reverse proxy for security purposes (e.g. HTTPS interface), but the authentication logic itself will be handled in SonarQube by the LDAP Plugin.

It’s first important to understand how distinct those approaches are. Especially as:

That means you're able to roll with that. If you're rather interested in SSO capabilities though, then you need to gather nginx-specific knowledge on authenticating at nginx level, and filling HTTP headers accordingly.

Best regards,
Nicolas
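The "nginx authenticates, SonarQube trusts the headers" split described above, as an added example that is not from this thread or from SonarSource. It assumes a hypothetical auth service on 127.0.0.1:8081 (nginx's standard modules have no LDAP support) that checks the user against LDAP and answers 200 with X-Auth-Login / X-Auth-Name / X-Auth-Email / X-Auth-Groups headers; the point it shows is that nginx always overwrites the X-Forwarded-* headers, so a client can never supply its own login.

```nginx
# Added example: nginx performs the authentication and sets the SSO headers
# itself, so SonarQube only ever sees values that nginx chose.
# Assumed (not on the page): an auth service on 127.0.0.1:8081 whose
# /check endpoint validates the user against LDAP and answers 200 with
# X-Auth-Login, X-Auth-Name, X-Auth-Email and X-Auth-Groups headers.
server {
    listen       443 ssl;
    server_name  Yatheesh-MBP;

    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;

    # Internal subrequest: every client request is sent here first, and
    # nginx only proxies to SonarQube when the service answers 2xx.
    location = /_auth {
        internal;
        proxy_pass              http://127.0.0.1:8081/check;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }

    location / {
        auth_request /_auth;
        # Copy what the auth service decided into variables.
        auth_request_set $sso_login  $upstream_http_x_auth_login;
        auth_request_set $sso_name   $upstream_http_x_auth_name;
        auth_request_set $sso_email  $upstream_http_x_auth_email;
        auth_request_set $sso_groups $upstream_http_x_auth_groups;

        # Always overwrite the trusted headers. An empty value makes nginx
        # drop the header entirely, so a client-sent X-Forwarded-Login or
        # X-Forwarded-Groups never reaches SonarQube.
        proxy_set_header X-Forwarded-Login  $sso_login;
        proxy_set_header X-Forwarded-Name   $sso_name;
        proxy_set_header X-Forwarded-Email  $sso_email;
        proxy_set_header X-Forwarded-Groups $sso_groups;
        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header Host               $host;

        proxy_pass http://127.0.0.1:9000;
    }
}
```

Because SonarQube trusts whatever arrives in these headers, port 9000 must only be reachable through nginx (for example by binding SonarQube to 127.0.0.1 via sonar.web.host, or by firewalling the port); otherwise anyone who can reach SonarQube directly can log in as any user simply by sending the headers.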


(Yatheesh) #5

Hi Nicolas,

Thanks for the information.
My understanding was wrong. Now I understand the flow.
Let me try integrating LDAP at nginx level, and I will use HTTP headers in SonarQube to trust the incoming headers from nginx.

Could you please let me know if there are any other SSO integration solutions available for SonarQube other than the above one?

Thanks
Yatheesh


(Yatheesh) #6

Hi Nicolas,
I am looking for SSO integration solutions with LDAP authentication for SonarQube.
Please list the solutions available.
Also list the other SSO solutions which do not authenticate through LDAP for SonarQube.


(Nicolas Bontoux) #7

Hi Yatheesh,

Available authentication mechanisms are documented here: https://docs.sonarqube.org/display/SONAR/Authentication

At a high level, SSO remains a concept, i.e. the concept of having unique credentials and logging in seamlessly to applications. Considered as such, one can therefore explore the following approaches:

  • LDAP Plugin: allowing for unique company-wide credentials for SonarQube users. The SonarQube session tracking and inactivity timeout would then keep the user logged in for quite a while if he regularly uses the server.

  • HTTP header authentication (referred to as sso in sonar.properties), which allows for common centralized authentication shared by multiple backend applications. This does require advanced configuration on the reverse-proxy side, and an advanced infra/network setup, all beyond pure SonarQube scope.

  • potential lightweight custom integration (via a custom plugin, using the OAuth2IdentityProvider extension point) allowing for a one-click login that would call an SSO backend (see the example on https://sonarcloud.io/sessions/new, with example open code for GitHub Authentication).


(Yatheesh) #9

Hi Team,

Thanks for the details!
We are looking for a Single Sign On solution using SAML for SonarQube.
We would like to know whether SAML SSO is supported by SonarQube.
Could you please guide us on how to integrate SAML SSO for SonarQube, if the below version of SonarQube supports it?

Instance details
SonarQube™ technology is powered by SonarSource SA
Version 6.7 (build 33306) - LGPL v3 - Community