User login not deterministic after update to 8.1 with SAML authentication


We updated our instance of SonarQube Community from 7.9.2 to 8.1 (
We relied on the behavior where the login parameter of a user was extracted from the SAML identity (with the configuration key "SAML user login attribute sonar.auth.saml.user.login").
In 8.1 the login parameter is automatically generated; this is confirmed in SONAR-12475 and this commit.

This has broken our group sync workflow: we want to synchronize the groups between our GitHub organization and our SonarQube instance. We use the SAML authentication on both GitHub and SonarQube. When synchronizing the users we only have access to the SAML identity from GitHub, not their corporate email, so we were searching SonarQube with the login parameter (the API GET api/users/search indicates that we can search for login, name and email).
Now that user login is randomly generated by SonarQube (and impossible to update, see SONAR-12531), we cannot search our users anymore.

Can you revert this behavior? Is there a way for us to work around it?

Thanks in advance.

Hi @nymous,

In fact you can update the generated login by using api/users/update_login.

The reason why logins are now automatically generated is that in case multiple ALMs are used, we want to prevent any situation where 2 identical logins could be generated.

Maybe that another way to solve your issue would be to allow api/users/search to search by the login from the ALM.
WDYT of this ?

Oh OK, I thought this update_login API was deprecated, that’s my bad.

Being able to search by externalIdentity would be great!

Wait, actually we have another issue with our process ^^’
We used to provision user accounts ahead-of-time (from the user list in a GitHub group), so that when a new user logs in for the first time his SAML account is merged with the local Sonar account and gets the groups.
Now that a SAML Sonar user gets a random login, the local and SAML accounts are not merged anymore, and the newly connected user has no group and no rights.

How could we do this provisioning now?

It’s not possible to merge an existing local Sonarqube account with an account coming from an identity provider.
Are you using the group mapping feature? Because this feature is used to allow a new user to be automatically granted to the correct projects.

A similar question was asked in How to pre-create users who will authenticate via an Identity Provider with SQ 8. Maybe voting for SONAR-13930 Allow migration of authentication system may help here :slight_smile: