SonarQube and authentication with LDAP and SAML at the same time

I’m using SonarQube 7.9.2 and trying to set up authentication with LDAP and SAML. So far LDAP has been working without any problems. But with SAML there are problems. Looks like, for Sonar, LDAP and SAML accounts are different accounts, even if the username is the same. E.g.:

  1. User with username “jsmith” authenticates with LDAP. His account is created in the Sonar DB, group membership and email synced etc.
  2. The same “jsmith” user authenticates with SAML. SonarQube displays the following message:
    The email address is already associated to this user account:
    By clicking on “Continue” you will associate this email address to another user account:
  3. The user is now unable to log in to Sonar with the LDAP account. Sonar displays “Authentication failed”. The logs show:
    web[AXNYL28YStAp+BvnAQuR][auth.event] login failure [cause|Email ‘’ is already used][method|FORM][provider|REALM|LDAP][IP||][login|jsmith]

I see 2 problems here:

  1. For Sonar, LDAP and SAML accounts are unique, even though the login/username is the same for both.
  2. It is not possible to have more than one account with the same email address.

I am a bit surprised by problem 1, as it makes SSO unusable in our scenario. For every other tool I have configured SSO for so far, none has this problem. Is this working as designed, or is there a way to change such behaviour?

1 Like
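
For admins who need to find which accounts have hit the email conflict described in the post above, here is an added example (not part of the original thread and not SonarQube code) that parses `auth.event` login-failure lines of the shape quoted there and groups the "already used" failures by login. The sample lines, email addresses and the function names `parse_failure` and `email_conflicts` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped like the auth.event line quoted in the post.
# Request ids, email addresses and the "wrong password" cause are made up.
SAMPLE_LOG = """\
web[AAAA0001][auth.event] login failure [cause|Email 'jsmith@example.com' is already used][method|FORM][provider|REALM|LDAP][IP||][login|jsmith]
web[AAAA0002][auth.event] login failure [cause|Email 'jsmith@example.com' is already used][method|FORM][provider|REALM|LDAP][IP||][login|jsmith]
web[AAAA0003][auth.event] login failure [cause|wrong password][method|FORM][provider|REALM|LDAP][IP||][login|adoe]
web[AAAA0004][other.logger] unrelated line (constructed)
web[AAAA0005][auth.event] login failure [cause|Email 'bkhan@example.com' is already used][method|FORM][provider|REALM|LDAP][IP||][login|bkhan]
"""

# "login failure" followed by a run of [key|value] groups.
EVENT = re.compile(r"\[auth\.event\] login failure ((?:\[[^\]]*\])+)")
# Key is everything up to the first "|"; the value may itself contain "|".
FIELD = re.compile(r"\[([^\]|]*)\|([^\]]*)\]")


def parse_failure(line):
    """Return the [key|value] fields of a login-failure line as a dict, else None."""
    match = EVENT.search(line)
    if match is None:
        return None
    return dict(FIELD.findall(match.group(1)))


def email_conflicts(log_text):
    """Group 'Email ... is already used' failures by login name."""
    hits = defaultdict(lambda: {"providers": set(), "failures": 0})
    for line in log_text.splitlines():
        fields = parse_failure(line)
        if not fields or "is already used" not in fields.get("cause", ""):
            continue
        entry = hits[fields.get("login", "")]
        entry["providers"].add(fields.get("provider", ""))
        entry["failures"] += 1
    return {login: {"providers": sorted(e["providers"]), "failures": e["failures"]}
            for login, e in hits.items()}


if __name__ == "__main__":
    for login, info in sorted(email_conflicts(SAMPLE_LOG).items()):
        print(login, info["failures"], ",".join(info["providers"]))
```

The logins it reports are the accounts whose email address is now tied to a second account created by another identity provider.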

Hi Miki,

By design, any SonarQube user shall only log in via a single Identity Provider: either LDAP or SAML, but not both. You may configure both methods, but any given user shall only use one identity provider ever. This goes in the sense of having a “single source of truth” for user data - and spreading this across different identity providers is not supported. This is a conscious decision to avoid complicated or overlapping sources of this data.


1 Like

I have the same issue when using GitLab Integration in the SQ developer edition. Could you introduce or explain a way to combine/merge one user into another so the rights get copied? I did a setup for SQ-GL merge request decoration and GL login yesterday and some of my developers already reported that they do not see their projects anymore. Also, they cannot log in with their old account once they have logged in with GitLab, which is a problem.
I could fix it by hand but that is tedious as I need to do it for all users and their projects and it is also prone to errors.
I would also be fine with an explanation that this is (not) planned or what works and what doesn’t or how I can go forward from here.

Best Regards