SonarQube and authentication with LDAP and SAML at the same time

Hello,
I’m using SonarQube 7.9.2 and trying to set up authentication with LDAP and SAML. So far LDAP has been working without any problems. But with SAML there are problems. It looks like for Sonar, LDAP and SAML accounts are different accounts, even if the username is the same. E.g.:

  1. User with username “jsmith” authenticates with LDAP. His account is created in the Sonar DB, group membership and email synced etc.
  2. The same “jsmith” user authenticates with SAML. SonarQube displays the following message:
    The email address john.smith@example.com is already associated to this user account:
    jsmith
    By clicking on “Continue” you will associate this email address to another user account:
    jsmith
  3. The user is now unable to log in to Sonar with the LDAP account. Sonar displays “Authentication failed”. The logs show:
    web[AXNYL28YStAp+BvnAQuR][auth.event] login failure [cause|Email ‘john.smith@example.com’ is already used][method|FORM][provider|REALM|LDAP][IP|127.0.0.1|10.2.8.3][login|jsmith]

I see 2 problems here:

  1. For Sonar, LDAP and SAML accounts are unique, even though the login/username is the same for both.
  2. It is not possible to have more than one account with the same email address.

I am a bit surprised by problem 1, as it makes SSO unusable in our scenario. None of the other tools I have configured SSO for so far has this problem. Is this working as designed, or is there a way to change such behaviour?
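To spot users who have been locked out by this duplicate-email conflict before they open a ticket, the `[key|value]` fields of the `auth.event` line quoted above can be parsed and the "already used" failures grouped per login. The following is an added example written for this thread, not code from SonarQube; the log lines are constructed in the format shown in the post (the first is the one from the post, with straight quotes, the others are invented), and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the auth.event format shown in the post above.
SAMPLE_LOG = """\
web[AXNYL28YStAp+BvnAQuR][auth.event] login failure [cause|Email 'john.smith@example.com' is already used][method|FORM][provider|REALM|LDAP][IP|127.0.0.1|10.2.8.3][login|jsmith]
web[AXNYL28YStAp+BvnAQuX][auth.event] login success [method|FORM][provider|REALM|LDAP][IP|127.0.0.1|10.2.8.4][login|adoe]
web[AXNYL28YStAp+BvnAQuZ][auth.event] login failure [cause|Email 'john.smith@example.com' is already used][method|FORM][provider|REALM|LDAP][IP|127.0.0.1|10.2.8.3][login|jsmith]
"""

EVENT_RE = re.compile(r"\[auth\.event\] login (?P<outcome>success|failure) (?P<fields>.*)$")
FIELD_RE = re.compile(r"\[([^\]]*)\]")
# Accept straight or typographic quotes, since forums tend to rewrite them.
EMAIL_CONFLICT = re.compile(r"Email ['‘](?P<email>[^'’]+)['’] is already used")


def parse_auth_event(line):
    """Turn one auth.event line into a dict; return None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = {"outcome": m.group("outcome")}
    for raw in FIELD_RE.findall(m.group("fields")):
        key, *values = raw.split("|")
        # Multi-valued fields such as provider|REALM|LDAP or IP|a|b keep a tuple.
        event[key] = values[0] if len(values) == 1 else tuple(values)
    return event


def find_email_conflicts(log_text):
    """Map each login hit by the duplicate-email failure to the email that
    collided, the providers it tried, and how many attempts failed."""
    conflicts = defaultdict(lambda: {"email": None, "providers": set(), "count": 0})
    for line in log_text.splitlines():
        ev = parse_auth_event(line)
        if not ev or ev["outcome"] != "failure":
            continue
        m = EMAIL_CONFLICT.search(ev.get("cause", ""))
        if not m:
            continue
        entry = conflicts[ev["login"]]
        entry["email"] = m.group("email")
        entry["providers"].add(ev["provider"][-1])  # e.g. LDAP
        entry["count"] += 1
    return dict(conflicts)


if __name__ == "__main__":
    for login, info in find_email_conflicts(SAMPLE_LOG).items():
        print(login, info)
```

Run it against the real `web.log` to get a list of logins whose email is now tied to the other identity provider's account, which is exactly the state step 3 describes.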

Hi Miki,

By design, any SonarQube user shall only log in via a single Identity Provider: either LDAP or SAML, but not both. You may configure both methods, but any given user shall only use one identity provider ever. This goes in the sense of having a “single source of truth” for user data - and spreading this across different identity providers is not supported. This is a conscious decision to avoid complicated or overlapping sources of this data.

Regards,
Daniel