SonarQube and authentication with LDAP and SAML at the same time

Hello,
I’m using SonarQube 7.9.2 and trying to set up authentication with LDAP and SAML. So far LDAP has been working without any problems. But with SAML there are problems. It looks like, for Sonar, LDAP and SAML accounts are different accounts, even if the username is the same. E.g.:

  1. User with username “jsmith” authenticates with LDAP. His account is created in the Sonar DB, group membership and email synced etc.
  2. The same “jsmith” user authenticates with SAML. SonarQube displays the following message:
    The email address john.smith@example.com is already associated to this user account:
    jsmith
    By clicking on “Continue” you will associate this email address to another user account:
    jsmith
  3. The user is now unable to log in to Sonar with the LDAP account. Sonar displays “Authentication failed”. The logs show:
    web[AXNYL28YStAp+BvnAQuR][auth.event] login failure [cause|Email ‘john.smith@example.com’ is already used][method|FORM][provider|REALM|LDAP][IP|127.0.0.1|10.2.8.3][login|jsmith]

I see 2 problems here:

  1. For Sonar, LDAP and SAML accounts are unique, even though the login/username is the same for both.
  2. It is not possible to have more than one account with the same email address.

I am a bit surprised by problem 1, as it makes SSO unusable in our scenario. Of every other tool I have configured SSO for so far, none has this problem. Is this working as designed, or is there a way to change this behaviour?

1 Like

Hi Miki,

By design, any SonarQube user shall only log in via a single Identity Provider: either LDAP or SAML, but not both. You may configure both methods, but any given user shall only use one identity provider ever. This goes in the sense of having a “single source of truth” for user data - and spreading this across different identity providers is not supported. This is a conscious decision to avoid complicated or overlapping sources of this data.

Regards,
Daniel

1 Like
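The “Email ‘…’ is already used” failure quoted in the first post is what an administrator sees when the same person arrives through a second identity provider. Below is a small added example (not SonarQube code, and not from anyone in this thread) that parses the `[key|value]` fields of SonarQube `auth.event` log lines and groups those email-collision failures by login and provider, so the affected accounts can be found before users start reporting “Authentication failed”. The second to fourth sample lines are constructed for the example; the first is the one quoted above.

```python
import re
from collections import defaultdict

# Bracketed key|value fields as written by SonarQube's auth.event logger, e.g.
# [cause|Email ‘x@y’ is already used][method|FORM][provider|REALM|LDAP][login|jsmith]
# The value may itself contain '|' (provider, IP), so only the first '|' separates key from value.
FIELD_RE = re.compile(r"\[([A-Za-z]+)\|([^\]]*)\]")
# SonarQube writes the email with curly quotes; plain quotes are accepted as well.
EMAIL_RE = re.compile(r"Email [‘']([^’']+)[’'] is already used")

# Constructed sample log: line 0 is the line quoted in the thread, the others are made up.
SAMPLE_LOG = [
    "web[AXNYL28YStAp+BvnAQuR][auth.event] login failure [cause|Email ‘john.smith@example.com’ is already used][method|FORM][provider|REALM|LDAP][IP|127.0.0.1|10.2.8.3][login|jsmith]",
    "web[AXNYL28YStAp+BvnAQuS][auth.event] login success [method|OAUTH2][provider|EXTERNAL|SAML][IP|127.0.0.1|10.2.8.4][login|adoe]",
    "web[AXNYL28YStAp+BvnAQuT][auth.event] login failure [cause|Email 'john.smith@example.com' is already used][method|OAUTH2][provider|EXTERNAL|SAML][IP|127.0.0.1|10.2.8.3][login|jsmith]",
    "web[AXNYL28YStAp+BvnAQuU][auth.event] login failure [cause|wrong password][method|FORM][provider|REALM|LDAP][IP|127.0.0.1|10.2.8.5][login|bob]",
]


def parse_auth_event(line):
    """Return the fields of a 'login success'/'login failure' auth.event line, or None for other lines."""
    if "[auth.event]" not in line:
        return None
    if "login failure" in line:
        outcome = "failure"
    elif "login success" in line:
        outcome = "success"
    else:
        return None
    body = line.split("[auth.event]", 1)[1]
    fields = {key.lower(): value for key, value in FIELD_RE.findall(body)}
    fields["outcome"] = outcome
    match = EMAIL_RE.search(fields.get("cause", ""))
    fields["conflicting_email"] = match.group(1) if match else None
    return fields


def find_identity_collisions(lines):
    """Map each login to the sorted list of providers whose login failed because the email is already bound."""
    collisions = defaultdict(set)
    for line in lines:
        event = parse_auth_event(line)
        if event and event["outcome"] == "failure" and event["conflicting_email"]:
            collisions[event.get("login", "?")].add(event.get("provider", "?"))
    return {login: sorted(providers) for login, providers in collisions.items()}


if __name__ == "__main__":
    for login, providers in find_identity_collisions(SAMPLE_LOG).items():
        print(f"{login}: email collision across {', '.join(providers)}")
```

Running it on the sample prints `jsmith: email collision across EXTERNAL|SAML, REALM|LDAP`, i.e. one person bound to two identity providers, which is exactly the situation Daniel describes as unsupported.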

I have the same issue when using the GitLab integration in the SQ Developer Edition. Could you introduce or explain a way to combine/merge one user into another so the rights get copied? I did a setup for SQ-GL merge request decoration and GL login yesterday, and some of my developers already reported that they do not see their projects anymore. Also, they cannot log in with their old account once they have logged in with GitLab, which is a problem.
I could fix it by hand, but that is tedious, as I need to do it for all users and their projects, and it is also prone to errors.
I would also be fine with an explanation that this is (not) planned, or what works and what doesn’t, or how I can go forward from here.

Best Regards
Johannes

Hi Daniel,

I am facing a similar issue. We have a SonarQube instance connected to LDAP.
Now we wish to migrate it to SAML (Azure Active Directory).

When we enable SAML, it does not allow us to log in until we deactivate the LDAP user. Of course, both the LDAP and SAML users have the same email address.

Similarly, when we roll back, i.e. disable SAML and enable LDAP, again it does not allow us to log in with LDAP until we deactivate the SAML user.

So, can we switch from LDAP to SAML (Azure Active Directory) and vice versa without deactivating users?

I would appreciate it if someone could help me with this, as it’s a bit urgent for us to understand it; the sooner the better.

Thanks,
Sachi

We have similar issues, AD/SAML - failure [cause|Email ‘email’ is already used][method|OAUTH2][provider|EXTERNAL|SAML][IP|10.xx.xx.xx|2xx.2xx.1xx.1, 10.xx.xxx.xxx]login[inumber.com]

Hello, we are facing a similar kind of issue; we have integrated Sonar with Azure AD using SAML SSO.
Ideally, SonarQube should consistently use the email ID for login purposes, as we typically grant access based on the user’s email ID. However, in this particular instance, the system is utilizing the users’ SHORTID, associated with their [xxxx.net] accounts. And this issue started happening for the new users who got onboarded to SonarQube, while the system is working fine for existing users. Any thoughts on this?