SONARQUBE SSO Implementation

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

SonarQube version - 8.9 LTS
We already have the AAD plugin.
I am trying to implement SSO on SONARQUBE, but I am unable to do it.
Under Administration → Azure Active Directory,
Group Synchronization is disabled.
Should I enable that? Or will it create a disaster, and all the groups of AD will get lost in Sonarqube?
Please guide me on whether I should proceed or not.

Hi,

Welcome to the community!

So you know, that plugin isn’t maintained or supported by SonarSource. In fact, based on the repo, it’s not clear to me that it’s currently maintained at all (although to be fair, it’s perfectly possible that no changes have been needed in the last 2 years).

Aaand you may be interested in the fact that Microsoft appears to recommend using SAML here.

And to answer your question, it shouldn’t be possible to mess up anything in AD by turning on groups synchronization in SonarQube. That feature simply updates the SonarQube-local copy of the user record with a current set of user groups (copied from AAD) at each login.

HTH,
Ann

There are already groups in Active Directory which are in sync with SONARQUBE.
So my question is: if I enable Group Synchronization, will it affect the already existing groups? Will the groups and permissions break?

Hi,

The docs lay it out pretty clearly:

When using group mapping, the following caveats apply regardless of which delegated authentication method is used:

  • membership in synchronized groups will override any membership locally configured in SonarQube at each login
  • membership in a group is synched only if a group with the same name exists in SonarQube
  • membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider

When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each log in.

HTH,
Ann
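The three caveats quoted from the docs in the reply above can be checked as a dry run before enabling group synchronization. This is an added example, not code from the thread, the plugin, or SonarSource; the function name, the group names, and the users are constructed sample data, and it assumes you have already exported the current SonarQube groups and memberships and the group names the identity provider sends.

```python
DEFAULT_GROUP = "sonar-users"  # built-in group named in the quoted docs


def preview_sync(sonarqube_groups, local_memberships, idp_memberships):
    """Return, per user, the membership changes the next login would make.

    sonarqube_groups:  set of group names that exist in SonarQube
    local_memberships: {user: set of SonarQube groups the user is in now}
    idp_memberships:   {user: set of group names the identity provider sends}
    """
    report = {}
    for user, current in local_memberships.items():
        from_idp = idp_memberships.get(user, set())
        # Caveat 2: only groups with the same name in SonarQube are synced.
        synced = from_idp & sonarqube_groups
        # Caveat 3: membership in the built-in default group always remains.
        after = synced | {DEFAULT_GROUP}
        report[user] = {
            "after": after,
            # Caveat 1: locally configured memberships are overridden at login.
            "removed": current - after,
            "added": after - current,
            # IdP groups with no same-named SonarQube group have no effect.
            "ignored": from_idp - sonarqube_groups,
        }
    return report


# Constructed sample data (hypothetical users and groups).
SONARQUBE_GROUPS = {"sonar-users", "sonar-administrators", "dev-team", "auditors"}
LOCAL = {
    "alice": {"sonar-users", "sonar-administrators", "dev-team"},
    "bob": {"sonar-users", "auditors"},
}
IDP = {
    "alice": {"dev-team", "AAD-All-Staff"},
    "bob": {"auditors", "dev-team"},
}

if __name__ == "__main__":
    for user, change in sorted(preview_sync(SONARQUBE_GROUPS, LOCAL, IDP).items()):
        print(user, {key: sorted(value) for key, value in change.items()})
```

A non-empty `removed` set for an administrative group is the case to look for before switching synchronization on: that user loses the membership at their next login unless the identity provider also sends a group of the same name.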

I am not following that document. I am following this process -

Also, I have another question. What if Group Synchronization is already enabled and I first disable it and then enable it again? How will it affect the existing groups? Will it overwrite the groups or create another copy of all groups?

Hi,

Your question is answered in the official SonarQube documentation:

When group synchronization is on, the user’s groups are updated from the source at each login.

Ann

Yes, I did enable Group Synchronization and I didn’t face any problem after that. But the main thing is still not resolved.

  1. What I am doing now - clicking on More Option and then logging in with my credentials.

  2. What I want to do - click on ‘Login with Microsoft’ and have it sign me in to SonarQube.

Please help me

Hi,

Sorry, but that level of integration just isn’t available for AAD.

Ann