This plugin delegates SonarQube authentication and authorization to Microsoft Active Directory. In an Active Directory environment it logs users in automatically through Single Sign-On (SSO): the Windows domain credentials of the user currently logged on to the workstation are used to log in to SonarQube.
On a user's first successful authentication, the SonarQube database is automatically populated with the new user. On every subsequent login, the user's name, email address and group memberships are refreshed in the SonarQube database from Active Directory.
Warning
This plugin only works when SonarQube runs on Windows.
Pre-requisites for Negotiate protocol in SSO
For Negotiate (Kerberos) authentication to work in SSO, an HTTP Service Principal Name (SPN) for the SonarQube host and port must be registered on the account that runs SonarQube (the machine account, as in the example below, when SonarQube runs as a Windows service). On a domain-joined machine, from a command prompt with domain administrator rights:
List the SPNs already registered for the account:
setspn -L username
Register the HTTP SPN for the SonarQube host and port on that account:
setspn -S HTTP/<machine>:<port> <machine>
For example, for a SonarQube server named ContosoDev listening on port 9000:
setspn -S HTTP/ContosoDev:9000 ContosoDev
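The following PowerShell script is an added example and is not part of the SonarQube plugin or its documentation. It performs the setspn steps above with the checks a practitioner wants before enabling Negotiate: it lists the account's current SPNs, refuses to register the HTTP SPN if any account already owns it (duplicate SPNs break Kerberos ticket issuance for the service, and browsers then fall back to NTLM or fail), and verifies the entry afterwards. It assumes SonarQube listens on port 9000 on the local machine and runs under the machine account, as in the page's example; the host name in the SPN must be the one users type in the browser URL.

```powershell
# Added example, not part of the SonarQube plugin or its documentation.
# Checks for, then registers, the HTTP SPN that Negotiate (Kerberos) SSO needs.
# Run from an elevated PowerShell session on a domain-joined machine with rights
# to modify the target account in Active Directory.
# Assumptions: SonarQube listens on port 9000 on this machine and runs under the
# machine account, as in the page's example; override the parameters otherwise.
param(
    [string]$Machine = $env:COMPUTERNAME,   # host name users type in the browser URL
    [int]$Port       = 9000,                # SonarQube listening port (sonar.web.port)
    [string]$Account = $env:COMPUTERNAME    # account running the SonarQube service
)

$spn = "HTTP/${Machine}:${Port}"

# Step 1: list what the account already holds (the page's 'setspn -L username').
Write-Host "SPNs currently registered on ${Account}:"
& setspn -L $Account

# Step 2: stop if any account already owns this SPN. Duplicate SPNs break Kerberos
# ticket issuance for the service; the browser then falls back to NTLM or fails.
$query = & setspn -Q $spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Warning "$spn is already registered; fix the owner first (setspn -D $spn <other-account> removes a wrong one):"
    $query | Where-Object { $_ -match '^CN=|HTTP/' } | ForEach-Object { Write-Host "  $_" }
    exit 1
}

# Step 3: register it. Unlike -A, -S re-checks for duplicates before adding.
& setspn -S $spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed with exit code $LASTEXITCODE" }

# Step 4: confirm the new entry is present on the account.
$after = & setspn -L $Account
if (-not ($after -match [regex]::Escape($spn))) {
    throw "SPN $spn not found on $Account after registration"
}
Write-Host "Registered $spn on $Account"
```

Run it as `.\Register-SonarSpn.ps1` on the SonarQube host, or pass `-Machine`, `-Port` and `-Account` when SonarQube is reached through a different host name or runs under a dedicated service account. Only after the SPN is in place should `ldap.windows.sso.protocols` be switched to `Negotiate`.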
Property | Description | Default value | Mandatory | Example |
---|---|---|---|---|
sonar.security.realm | Authenticate against the external system first. If the external system is not reachable, or the user is not defined in it, authentication falls back to the SonarQube internal system. | None | Yes | ACTIVE_DIRECTORY (only possible value) |
ldap.windows.group.downcase | Set to true to return group names in lowercase. This setting is ignored if ldap.windows.compatibilityMode is set to true. | true | No | true or false |
ldap.windows.sso.protocols | Space-separated list of protocols offered for user authentication during SSO, e.g. "Negotiate NTLM". Negotiate is recommended in production. The Kerberos configuration steps must be completed before using Negotiate; see Pre-requisites for Negotiate protocol in SSO. | NTLM | No | NTLM, Negotiate, or Negotiate NTLM |
ldap.windows.compatibilityMode | Run Windows authentication in compatibility mode, i.e. with the behaviour of version 1.4 of the plugin: authorization is done using user-id/group-id, and customizations done in the user profile are kept. | false | No | true or false |
ldap.group.idAttribute | Attribute used to return the list of the user's groups in compatibility mode. | cn | No | sAMAccountName |
# Active Directory configuration
sonar.security.realm=ACTIVE_DIRECTORY
# The following are set by default and need not be configured explicitly
#ldap.windows.group.downcase=true
#ldap.windows.sso.protocols=NTLM
#ldap.windows.compatibilityMode=false
#ldap.group.idAttribute=cn
Authorization is delegated through groups only, and only static groups are supported (not dynamic groups).
Membership in Active Directory overrides any membership configured locally in SonarQube. Active Directory becomes the one and only place to manage group membership, and the information is fetched each time the user logs in. For the delegation of authorization to work, the groups must first be defined in SonarQube.
The table below shows which types of Active Directory groups are supported in each mode of the plugin.
Groups type | Non-Compatibility Mode | Compatibility Mode |
---|---|---|
Domain Security Groups | Yes | Yes |
Domain Nested Security Groups | Yes | No |
Cross-domain Security Groups | Yes | No |
Groupname format
Groups read from AD have the form groupname@domain. Note the lower case, since ldap.windows.group.downcase defaults to true. Because groups must already exist in SonarQube for group mapping to work, define them in SonarQube in this groupname@domain form.
Username format
Usernames have the form username@domain.
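To know which groups to create in SonarQube, an administrator usually wants to see a given user's AD groups in the groupname@domain form described above. The PowerShell script below is an added example, not code from the plugin or its documentation. It uses the built-in [adsisearcher] type accelerator (no RSAT module needed) on a domain-joined Windows host. Two assumptions are labelled in the code: the group name is taken from the CN of the group's DN, and the domain suffix from the DC components of that DN (which also gives the right suffix for cross-domain groups); the `-Downcase` switch mirrors ldap.windows.group.downcase. It reads only direct memberships (memberOf), so nested groups, which the table above says only non-compatibility mode resolves, and the user's primary group are not listed.

```powershell
# Added example, not part of the SonarQube plugin or its documentation.
# Lists a user's direct AD group memberships in the lowercase groupname@domain
# form the plugin uses, so matching groups can be created in SonarQube.
# Requires a domain-joined Windows host; uses System.DirectoryServices via the
# [adsisearcher] accelerator, so the RSAT ActiveDirectory module is not needed.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [bool]$Downcase = $true   # mirrors ldap.windows.group.downcase
)

function ConvertTo-SonarGroupName {
    param([string]$GroupDn, [bool]$Downcase)
    # Assumption: name = CN of the group, domain = DC components joined with dots,
    # e.g. "CN=Sonar Admins,OU=Groups,DC=eu,DC=contoso,DC=com" -> "sonar admins@eu.contoso.com".
    # Split the DN on unescaped commas only; a CN may contain an escaped "\," itself.
    $parts = $GroupDn -split '(?<!\\),'
    $cn    = ($parts[0] -replace '^CN=', '') -replace '\\,', ','
    $dc    = ($parts | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
    $name  = "$cn@$dc"
    if ($Downcase) { $name.ToLowerInvariant() } else { $name }
}

$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.Add('memberOf')
$result = $searcher.FindOne()
if (-not $result) { throw "No user with sAMAccountName '$SamAccountName' found" }

# memberOf holds direct memberships only: nested (group-in-group) memberships and the
# user's primary group (normally Domain Users) are not expanded here.
$result.Properties['memberof'] |
    ForEach-Object { ConvertTo-SonarGroupName -GroupDn $_ -Downcase $Downcase } |
    Sort-Object -Unique
```

Run it as `.\Get-SonarGroupNames.ps1 -SamAccountName jdoe`; each printed line is a group name to create in SonarQube before assigning permissions to it. Pass `-Downcase $false` only if you have disabled ldap.windows.group.downcase (or run in compatibility mode, where that setting is ignored).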
If you already use the LDAP plugin in an Active Directory environment, you have two options.
Option 1: Move to the new model (recommended).
Option 2: Keep using the old model by adding the following to sonar.properties:
# LDAP configuration
sonar.security.realm=ACTIVE_DIRECTORY
ldap.windows.compatibilityMode=true