Our organization has recently changed SAML providers, and we need to update all of our users.
I see in later versions that there is an API endpoint to specifically update a user’s SAML (api/users/update_identity_provider) but this does not seem to be available in 7.9.1
We have over 800 active users, each with their own unique permissions for hundreds of Projects, so re-doing permissions would be an immense effort, even if we scripted it via the API.
Is it possible to update the IDP for a user in 7.9.1?
We have a mapping of old SAML emails → new SAML emails, so we just need to update each field with the old email for each user.
Is the value of the attribute you’re using for sonar.auth.saml.user.login going to be changing for each user? If you’re using the e-mail address, I suppose the answer is yes (and you’ll need to update each user), but if not (you’re using a username, for example) then you shouldn’t have to change anything once the e-mails switch.
If it is the e-mail address, in SonarQube v7.9 LTS you should be able to just use POST api/users/update_login.
Yes, the login value (email) would be changing for each user.
My current understanding is that while the login value can be changed, the email and externalIdentity fields for a SAML user cannot be updated in 7.9.1.
If I try to update the email field, the API gives the expected error: Email cannot be updated for a non-local user
Is it your expectation that these fields would be automatically updated if login were updated to the correct value, and the user logs in? It is slightly costly in terms of effort to test this (we have to coordinate with the IDP team while not interrupting users’ service), so I’d like to know for sure that it will work before I proceed.
In my testing this morning on a v7.9 LTS instance, it all worked as expected. However, I can’t stress enough you should test this before running this in production and affecting all users.