Version: 6.14.0

SonarQube SSO Configuration

Prerequisites

Note: SmoothGlue will automatically configure the Keycloak objects documented below. This Keycloak section is provided primarily as a reference for those opting out of the auto-SSO feature. Skip to SSO Configuration if you are not manually setting up the Keycloak client and group.

Create Keycloak Client

  1. While you are in the smoothglue realm, click on Clients under Manage in the left pane.
  2. Click Create client.
  3. Select SAML for Client type.
  4. Enter client name sonarqube for Client ID.
  5. Click on the Next button. Note: The application's FQDN may be obtained by running kubectl get virtualservice -A
  6. Enter https://{{ application_fqdn }}/oauth2/callback/saml for Valid Redirect URIs.
  7. Click on the Save button.
  8. Go to Keys tab.
  9. Disable Client signature required -> Yes.

Creating Client Scopes

SonarQube needs to be added in the Client Scopes.

  1. While you are in the smoothglue realm, click on Client Scopes.
  2. Click Create client scope.
  3. Enter Sonarqube for Name.
  4. Select SAML for Protocol, and click on the Save button.
  5. Go to the Mappers tab.
  6. Click on Configure a new mapper -> User Property.
  7. Enter the following information:
    1. Name - Login
    2. Property - username
    3. Leave Friendly Name blank
    4. SAML Attribute Name - login
    5. SAML Attribute NameFormat - Basic
    6. Save
    7. Click Client scope details near the top of the screen.
  8. Click on Add mapper, By configuration, User Property.
  9. Enter the following information:
    1. Name - Name
    2. Property - username
    3. Leave Friendly Name blank
    4. SAML Attribute Name - name
    5. SAML Attribute NameFormat - Basic
    6. Save
  10. Click on Add mapper, By configuration, User Property.
  11. Enter the following information:
    1. Name - Email
    2. Property - email
    3. Leave Friendly Name blank
    4. SAML Attribute Name - email
    5. SAML Attribute NameFormat - Basic
    6. Save
  12. Click on Add mapper, By configuration, Group list.
  13. Enter the following information:
    1. Name - Groups
    2. Group attribute name - groups
    3. Leave Friendly Name blank
    4. SAML Attribute NameFormat - Basic
    5. Single Group Attribute - Enabled
    6. Full group path - Enabled
    7. Save
  14. Go to Clients, and click on the sonarqube client.
  15. Go to the Client Scopes tab.
  16. Click Add client scope.
  17. Enable the Sonarqube client scope.
  18. Click Add -> Default.
  19. Click the kebab icon (3 vertical dots) on the role_list row and click Remove -> Delete.

Caution: Failing to remove the role_list Client Scope will cause the SonarQube container to throw the following error when attempting to log in:

com.onelogin.saml2.exception.ValidationError: Found an Attribute element with duplicated Name
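
The duplicate-attribute condition behind this error can be checked offline against an assertion. The following is an added example, not part of the SmoothGlue documentation or code: it reports any Attribute Name that appears more than once, confirms the login, name, email and groups attributes from the mappers are present, and lists the group values. The sample assertions, the user jdoe and the /developers group are constructed, and the repeated Role attribute is an assumption about what the role_list scope emits.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# SAML Attribute Names produced by the four mappers configured above.
EXPECTED = {"login", "name", "email", "groups"}

def check_attributes(assertion_xml):
    """Return (duplicated_names, missing_expected_names, group_values)."""
    # Stdlib parser is fine for this constructed sample; use a hardened
    # parser such as defusedxml for assertions from an untrusted source.
    root = ET.fromstring(assertion_xml)
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    counts = Counter(a.get("Name", "") for a in attrs)
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    missing = sorted(EXPECTED - set(counts))
    groups = [v.text for a in attrs if a.get("Name") == "groups"
              for v in a.findall("saml:AttributeValue", NS)]
    return duplicated, missing, groups

def attr(name, *values):
    """Build one <saml:Attribute> element (helper for the constructed samples)."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}" NameFormat="{BASIC}">{vals}</saml:Attribute>'

def assertion(*attributes):
    """Wrap attributes in a minimal, unsigned assertion skeleton."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>" + "".join(attributes)
            + "</saml:AttributeStatement></saml:Assertion>")

# Constructed sample values, not captured from a real deployment.
BASE = [attr("login", "jdoe"), attr("name", "jdoe"),
        attr("email", "jdoe@example.com"),
        attr("groups", "/_structsureAdmins", "/developers")]
# role_list left attached: one "Role" Attribute element per role (assumption).
WITH_ROLE_LIST = assertion(*BASE, attr("Role", "offline_access"),
                           attr("Role", "uma_authorization"))
WITHOUT_ROLE_LIST = assertion(*BASE)

if __name__ == "__main__":
    for label, xml in (("role_list attached", WITH_ROLE_LIST),
                       ("role_list removed", WITHOUT_ROLE_LIST)):
        dup, missing, groups = check_attributes(xml)
        print(f"{label}: duplicated={dup} missing={missing} groups={groups}")
```

Because Full group path is enabled on the Groups mapper, group values arrive with a leading slash, which is the form the SonarQube group name has to match.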

SSO Configuration

Retrieve the certificate value from the Keycloak client:

  1. As a Keycloak Admin and within the smoothglue realm, click Realm Settings on the left-hand panel.
  2. Click on the Keys tab.
  3. Click on the Certificate button on the RS256 row.

When using the automated SSO SmoothGlue feature, the client ID will contain a unique prefix and will already be configured, so omit client_id from the config in that case. Add the following values to bigbang-secrets.yaml to configure SSO:

addons:
  sonarqube:
    enabled: true
    sso:
      enabled: true
      # The client ID of the Sonarqube client in Keycloak
      client_id: "sonarqube" # omit unless manually created
      # This is the RS256 key copied from Keycloak
      certificate: "<certificate>"
      # These are set to the SAML attributes defined in Client Scopes
      login: "login"
      name: "name"
      email: "email"
      group: "groups"

Info: See How to Configure Big Bang Values for more information on configuring Big Bang applications.

Configure SonarQube SSO Admin Group

SonarQube will automatically create users in its datastore if they do not exist, but it will not automatically create groups. Groups MUST be manually created to have users automatically placed into them at login.

SmoothGlue comes pre-configured with a _structsureAdmins group within Keycloak for assigning users admin privileges across the platform. A System Integrator is responsible for creating an associated group within SonarQube and assigning the correct permissions to the group.

Login with Admin Credentials

The default admin username is admin and a randomly generated password can be retrieved from the cluster. It is stored in the sonarqube-sonarqube-admin-password Kubernetes secret in the sonarqube namespace.

Create SSO Admin Group

After signing in as the default Admin account:

  1. Click Administration.
  2. Go to Security -> Groups.
  3. Click Create Group.
  4. Name the group /_structsureAdmins

Assign Admin Privileges to SSO Admin Group

After signing in as the default Admin account:

  1. Click Administration.
  2. Go to Security -> Global Permissions.
  3. For the /_structsureAdmins group, assign all of the permissions that the sonar-administrators group has.