-
Notifications
You must be signed in to change notification settings - Fork 44
Group Sync
As an advanced configuration option, you can sync group membership in the Azure Active Directory with SonarQube. This feature was introduced in version 1.1 RC1 of the plugin.
This feature works by matching the names of the Active Directory groups to which the logged in user belongs with those in SonarQube and adjusting the membership on login.
Indirect group membership (user is in a group that is a member of a group) support was added in version 1.2.0 of the plugin.
In plugin version 1, users with a large number of group memberships (>30) or with deep transitive membership structures may fail to sync properly. This limitation should be gone as of version 2 of the plugin.
Starting with version 1.3.0 of the plugin, there are two methods available to sync groups: the default user "impersonation" method and the "client credentials" method. Each method has advantages and disadvantages, explained below. You can switch methods after setup, so if you are unsure, try using the default method first.
This method is the default sync method in the plugin. It uses the authentication of the user who signed in to access the Azure AD and see what groups they have been assigned. It is called "impersonation" because the plugin pretends to be the user who has logged in.
Advantages:
- Access to Azure AD is limited to what the user themselves can see.
- Works with multi-tenant setups.
Disadvantages:
- Will not work well with guest users in the AD in more restricted setups.
- Some orgs may not like the application using access of highly-privileged users.
This method uses the application's own access to check a user's group membership. The access is restricted to read-only for further security.
Advantages:
- Works for users with restricted guest accounts.
Disadvantages:
- Requires giving the application/plugin access to read the entire Azure AD.
- Does not work with multi-tenant setups.
Except for the permission selected, the setup process is the same for both methods. If you want to change the method, just follow the instructions below as if you were setting sync up again.
Note: While the below steps were current when written, the Azure Portal changes frequently. If things look different to you, you can reference the official documentation. Multiple permissions may also work for accessing the needed information. While this document references the lowest-priviledged permission at time of writing, this may change. You can refer to the permissions list to see what other permissions will work.
-
To begin, sign into the Azure Management Portal. (If you are using one of the "national cloud" Azure instances, log in using the correct portal URL for your country.)
-
Open the Azure Active Directory blade from the shortcut on the left, or if the shortcut is missing, search from the top of the page.
-
On the sidebar, under the Manage category, choose
App registrationsand then select the application you registered for SonarQube. -
From the sidebar, click on
API permissionsand then select theAdd a permissionbutton. -
From the flyout, select "Microsoft Graph" and:
-
"Impersonation" Method: Choose "Delegated permissions". In the permission search box, enter "User.Read" and check that permission. Once checked, select
Add permissionsto add the permission. -
"Client Credentials" Method: choose "Application permissions". In the permission search box, enter "Directory.Read.All" and check that permission. Once checked, select
Add permissionsto add the permission.
-
-
Once back in the "Configured permissions" list, click on the
Grant admin consentbutton to allow the permission to be used. This will grant the permissions that you selected and allow the plugin to read the user's groups. This step must be done or group sync will not work.
-
Log into your SonarQube install with an account that has administrative permission.
-
Click on the
Administrationheader at the top, then select theAzure Active Directorytab from the general settings area. -
Toggle the setting labeled
Enable Groups Synchronizationto on/enabled to activate the plugin. -
If you are using the "Client Credentials" Method, toggle the advanced setting
Enable Client Credential Flowto on/enabled. If you are using the "Impersonation" method, make sure the setting is disabled.
This is a very easy process. All you need to do is create a security group in SonarQube with the exact same name as what you have set up in your Active Directory.
NOTE: The name of the group in SonarQube must match your Azure AD group name exactly or the sync will not work.
Once a user logs into your SonarQube install, their group memberships will be synced with Azure AD. They will be added to any matching groups in SonarQube and removed from any SonarQube groups that do not match their AAD membership.