Version: 6.13.0

Sonarqube SSO Configuration

Prerequisites

Create Keycloak Client

  1. While you are in the smoothglue realm, click on Clients under Manage in the left pane.
  2. Click Create client.
  3. Select SAML for Client type.
  4. Enter client name sonarqube for Client ID.
  5. Click on the Next button. Note: The application's FQDN may be obtained by running kubectl get virtualservice -A
  6. Enter https://{{ application_fqdn }}/oauth2/callback/saml for Valid Redirect URIs.
  7. Click on the Save button.
  8. Go to Keys tab.
  9. Disable Client signature required -> Yes.

Creating Client Scopes

Sonarqube needs to be added in the Client Scopes.

  1. While you are in the smoothglue realm, click on Client Scopes.
  2. Click Create client scope.
  3. Enter Sonarqube for Name.
  4. Select SAML for Protocol, and click on the Save button.
  5. Go to the Mappers tab.
  6. Click on Configure a new mapper -> User Property.
  7. Enter the following information:
    1. Name - Login
    2. Property - username
    3. Leave Friendly Name blank
    4. SAML Attribute Name - login
    5. SAML Attribute NameFormat - Basic
    6. Save
    7. Click Client scope details near the top of the screen.
  8. Click on Add mapper, By configuration, User Property.
  9. Enter the following information:
    1. Name - Name
    2. Property - username
    3. Leave Friendly Name blank
    4. SAML Attribute Name - name
    5. SAML Attribute NameFormat - Basic
    6. Save
  10. Click on Add mapper, By configuration, User Property.
  11. Enter the following information:
    1. Name - Email
    2. Property - email
    3. Leave Friendly Name blank
    4. SAML Attribute Name - email
    5. SAML Attribute NameFormat - Basic
    6. Save
  12. Click on Add mapper, By configuration, Group list.
  13. Enter the following information:
    1. Name - Groups
    2. Group attribute name - groups
    3. Leave Friendly Name blank
    4. SAML Attribute NameFormat - Basic
    5. Single Group Attribute - Enabled
    6. Full group path - Enabled
    7. Save
  14. Go to Clients, and click on the sonarqube client.
  15. Go to the Client Scopes tab.
  16. Click Add client scope.
  17. Enable the Sonarqube client scope.
  18. Click Add -> Default.
  19. Click the kebab icon (3 vertical dots) on the role_list row and click Remove -> Delete.
Caution

Failing to remove the role_list Client Scope will cause the SonarQube container to throw the following error when attempting to log in:

com.onelogin.saml2.exception.ValidationError: Found an Attribute element with duplicated Name
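
A diagnostic for the caution above, added here as an example and not part of the SmoothGlue, Keycloak or SonarQube code: it checks a captured SAML assertion for duplicated Attribute names and for the four attributes mapped in the Sonarqube client scope. The sample assertions are constructed, and the Role attribute name emitted by role_list is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML attribute names configured in the Sonarqube client scope mappers.
REQUIRED = {"login", "name", "email", "groups"}

def attribute_elements(xml_text):
    # Diagnostic only: parse assertions captured from your own IdP.
    # This does not verify the signature or any assertion conditions.
    root = ET.fromstring(xml_text)
    return list(root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS))

def check_attributes(xml_text):
    """Return (duplicated, missing) attribute names for one assertion."""
    counts = Counter(a.get("Name", "") for a in attribute_elements(xml_text))
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    missing = sorted(REQUIRED - set(counts))
    return duplicated, missing

def group_values(xml_text, name="groups"):
    """Values SonarQube matches against its own group names."""
    return [v.text for a in attribute_elements(xml_text) if a.get("Name") == name
            for v in a.iterfind("saml:AttributeValue", NS)]

# --- constructed sample data (not captured from a real system) ---
def attr(name, *values):
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'

def assertion(*attrs):
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>" + "".join(attrs) +
            "</saml:AttributeStatement></saml:Assertion>")

MAPPED = [attr("login", "jdoe"), attr("name", "jdoe"),
          attr("email", "jdoe@example.com"),
          attr("groups", "/_structsureAdmins", "/developers")]
# Assumption: role_list left in place emits one "Role" Attribute per role.
WITH_ROLE_LIST = assertion(*MAPPED, attr("Role", "offline_access"),
                           attr("Role", "uma_authorization"))
WITHOUT_ROLE_LIST = assertion(*MAPPED)

if __name__ == "__main__":
    for label, xml_text in [("with role_list", WITH_ROLE_LIST),
                            ("without role_list", WITHOUT_ROLE_LIST)]:
        dup, missing = check_attributes(xml_text)
        print(f"{label}: duplicated={dup} missing={missing}")
    print("groups:", group_values(WITHOUT_ROLE_LIST))
```

Because Full group path is enabled on the Groups mapper, the group values carry a leading slash, so the group created in SonarQube has to use the same form.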

SSO Configuration

Retrieve the secured key value from the Keycloak client:

  1. As a Keycloak Admin and within the smoothglue realm, click Realm Settings on the left-hand panel.
  2. Click on the Keys tab.
  3. Click on the Certificate button on the RS256 row.

Add the following values to bigbang-secrets.yaml to configure SSO:

addons:
  sonarqube:
    enabled: true
    sso:
      enabled: true
      # The base URL of the sonarqube server
      serverBaseURL: "https://{{sonarqube_url}}"
      # The client ID of the Sonarqube client in Keycloak
      client_id: "sonarqube"
      # You will find this in Keycloak in Realm Settings > General > Endpoints. Click on SAML 2.0 Identity Provider Metadata to obtain the XML configuration file. Search for the value 'EntityDescriptor > entityID'
      providerid: "https://{{keycloak_url}}/auth/realms/smoothglue"
      # This can be found in the Endpoint SAML metadata as `SingleSignOnService`
      loginUrl: "https://{{keycloak_url}}/auth/realms/smoothglue/protocol/saml"
      # This is the RS256 key copied from Keycloak
      certificate: ""
      # These are set to the SAML attributes defined in Client Scopes
      login: "login"
      name: "name"
      email: "email"
      group: "groups"

Info

See How to Configure Big Bang Values for more information on configuring Big Bang applications.

Configure SonarQube SSO Admin Group

SonarQube will automatically create users in its datastore if they do not exist, but it will not automatically create groups. Groups MUST be manually created to have users automatically placed into them at login.

SmoothGlue comes preconfigured with a _structsureAdmins group within Keycloak for assigning users admin privileges across the platform. A System Integrator is responsible for creating an associated group within SonarQube and assigning the correct permissions to the group.

Login with Admin Credentials

The default admin username is admin and a randomly generated password can be retrieved from the cluster. It is stored in the sonarqube-sonarqube-admin-password Kubernetes secret in the sonarqube namespace.

Create SSO Admin Group

After signing in as the default Admin account:

  1. Click Administration.
  2. Go to Security -> Groups.
  3. Click Create Group.
  4. Name the group /_structsureAdmins

Assign Admin Privileges to SSO Admin Group

After signing in as the default Admin account:

  1. Click Administration.
  2. Go to Security -> Global Permissions.
  3. For the /_structsureAdmins group, assign all of the permissions that the sonar-administrators group has.