Overview
SonarQube can delegate authentication via HTTP Headers, GitHub Authentication, GitLab Authentication, Bitbucket Cloud Authentication, SAML, or LDAP.
SonarQube comes with its own user database, as well as the ability to delegate authentication via protocols and providers. Each method offers:
- user identity management 
- authentication 
- user and group provisioning 
- group synchronization (optional for JIT provisioning) 
Supported authentication methods
You can use one of the following authentication methods to allow the same authentication between SonarQube and your authentication system:
- HTTP header 
- LDAP 
- SAML with: - Azure AD 
- Keycloak 
- Okta 
 
- GitHub 
- Bitbucket Cloud 
- GitLab 
Using an authentication method that is not supported by SonarQube can lead to a security breach. Sonar declines any responsibility in this regard.
User, group and permissions provisioning
There are two ways of provisioning users and groups in SonarQube: Just-in-Time (JIT) and automatic provisioning.
In both cases, permissions themselves are still managed in SonarQube. The most effective way to handle permissions is to give permissions to groups (vs. individual users) directly and/or use Security #Permission templates for default permissions, then manage group membership using one of the provisioning methods.
Just-in-Time provisioning
This is the default provisioning method. User accounts are created in SonarQube when users log in for the first time. Groups must be manually created by administrators. However, memberships are automatically updated at each user login.
Group synchronization
When using group synchronization, the following details apply regardless of which delegated authentication method is used:
- Memberships in a group are synchronized only if a group with the same name exists in SonarQube. Administrators must first Security. 
- Memberships in synchronized groups override any membership configured locally in SonarQube. When enabling group synchronization, manually added group memberships get reset. 
- Memberships in the default built-in sonar-users group remain even if the group does not exist in the identity provider. 
For specific details about group synchronization, refer to each provider’s group synchronization section.
Automatic provisioning
Users and groups are automatically synchronized using the identity provider as the source of truth.
The main benefit compared to Just-in-Time provisioning is that user and group deprovisioning also happens automatically and does not require administrator intervention.
SonarQube enables automatic provisioning for the following providers:
- Starting in Enterprise Edition: - SCIM provisioning with Azure AD and SCIM provisioning with Okta (through the Overview): Group and user synchronization. 
 
- Starting in Developer Edition: 
Local vs Managed users
If the automatic provisioning mode is enabled in SonarQube:
- The auto-provisioned users are called Managed users. 
- All other users (i.e., manually created users, or through another identity provider Just-in-Time-provisioned users), are called Local users. 
The actions you can perform on local users are restricted as follows:
- You cannot change user passwords. 
- You can remove but not add a project’s permissions to local users. However, you can still define default project permissions with the Security #Permission templates for default permissions. 
- You can remove but not add local users to a local group. 
- You can still deactivate local users and remove local groups. 
Revoking tokens for deactivated users
When SonarQube authentication is delegated to an external identity provider, deactivating a user on the identity provider side does not remove any tokens associated with the user on the SonarQube side. We recommend deactivating the user in SonarQube at Administration > Security > Users by selecting Deactivate from the drop-down menu to ensure tokens associated with that user can no longer be used.
Delete users’ personal information
SonarQube offers the possibility to anonymize the data of deactivated users. This comes in handy when you want to ensure that the personal data of deactivated users is not retained, for example, for legal compliance.
You can delete a user’s personal information by following the steps listed above to revoke tokens for any deactivated users and select the checkbox titled Delete user’s personal information.
You can also delete personal information using the API. First, the user needs to be deactivated, then an admin can use the web service /api/users/anonymize and pass to it the login of a deactivated user to replace all personal data of the user with anonymized data. Note that the admin is able to retrieve the logins of deactivated users by using /api/users/search endpoint with the appropriate parameter.
This feature has the following limitations:
- Deleting the personal information of a user will change their login, making it impossible to reactivate the user by recreating a user with the old login. 
- The user’s login may still be stored in issue changelogs and the user’s login, name, and email address may still be stored in audit entries. Audit entries are purged by default after 30 days. 
- Deleted users may still appear in the list of authors and other locations due to SCM data. 
- Some columns in the database may contain parts of the user’s login if the user was created before the instance was upgraded to SonarQube 8.3. 
Last updated
Was this helpful?

