This plugin enables users to automatically be sign up and authenticated on a SonarQube server via an OpenID Connect identity provider like Keycloak. Optionally the groups a user is associated in SonarQube can be synchronized with the provider (via a custom userinfo claim retrieved from the ID token).
Server base URL
property must be set either by setting the
URL from SonarQube administration page (General -> Server base URL) or
through setting sonar.core.serverBaseURL
key value in the sonar.properties
file.
In this URL no trailing slash is allowed! Otherwise the redirects from the identity provider back to the SonarQube server are not created correctly.
If a network proxy is used with SonarQube (via http[s].proxy[Host|Port]
properties in the sonar.properties
) and the host name of the identity provider is not resolvable by this proxy then the IdP's host name must be excluded from being resolved by the proxy. This is done by defining the property http.nonProxyHosts
in the sonar.properties
.
Otherwise the plugin won't be able to send the token request to the IdP.
- Install the plugin from SonarQube marketplace via "Administration > Marketplace". Or download the plugin jar from GitHub Releases and put it into the
SONARQUBE_HOME/extensions/plugins/
directory - Restart the SonarQube server
-
In OpenID Connect identity provider:
-
Create a client with access type 'public' or 'confidential' (in the latter case the corresponding client secret must be set in the plugin configuration) and white-list the redirect URI for the SonarQube server
https://<sonarqube base>/oauth2/callback/oidc
Some IdP's (e.g. Keycloak) are supporting wildcards in the redirect URI white-list. Otherwise the absolute redirect URI must be white-listed.
-
For synchronizing SonarQube groups create a mapper which adds group names to a custom userinfo claim in the ID token (the claim's name is used in the plugin configuration later on)
-
Retrieve the provider's endpoint configuration as JSON text via the providers
/.well-known/openid-configuration
URL (needed for plugin configuration)
-
-
In SonarQube administration (General-> Security -> OpenID Connect):
- SonarQube 6.7.1
- Keycloak 3.4.2.Final
- JetBrains Hub 2017.4
- Okta 2018.25