SonarQube is an open-source platform for static code analysis that detects code smells, bugs, and security vulnerabilities. It supports several authentication methods: GitLab Authentication, SAML Authentication, LDAP Authentication or Azure Directory Service. Of these options, Azure Active Directory (AD) is typically the preferred choice for a Role Based Access Control (RBAC) implementation. In this blog, we provide the steps needed to integrate SonarQube with Azure AD.
It is always essential to configure RBAC across applications on any infrastructure. If the authentication mechanism doesn’t have a central framework with features like policies and controls, it becomes difficult to maintain separate sets of users for each application. In a conventional approach, implementing an authentication mechanism like AD and integrating it with an application requires deep integration and administration knowledge. In an Azure environment, by contrast, Azure AD is a cost-effective option that can be configured easily to build a scalable and redundant system without having to manage the underlying infrastructure.
IT / application administrators can integrate a common authentication framework across the application stack and infrastructure to avoid the administrative burden and leverage the benefits of cloud services. A common framework also simplifies maintenance, failover management and scaling of these critical services, which can impact business operations if they go down.
The four main steps required to configure SonarQube and Azure AD integration are as follows:
- Azure Directory Service plugin installation
- Configuration of Azure Active Directory Services
- Configuration of SonarQube with Azure Domain Services plugin
- Validation of Azure DS Plugin Configuration
Let’s go through each of these steps in detail:
Step 1: Azure DS plugin installation
Log in to SonarQube as an administrator, download the Azure AD plugin from the Marketplace and install it. A SonarQube service restart is required to enable the plugin. Once the service restarts, you can configure the Azure DS plugin under Administration – General Settings – Azure Active Directory.
Step 2: Configuration of Azure Active Directory Services
This step involves a few sub-tasks to complete the configuration and other associated settings. First, register the application from Azure AD – App Registrations, giving the application registration an appropriate name. Then complete the following important configuration steps from the Azure console:
- Note the SonarQube Application Client ID and Directory Tenant ID values; both are needed when configuring the AD plug-in.
- The redirect URL (outlined in yellow in the screenshot below) must be set correctly, e.g. https://microsoft.com/oauth2/callback/add. The /oauth2/callback/add suffix is mandatory and is appended to the application URL. The redirect URL must use https or a loopback address; a non-https address will throw exceptions.
- Create certificates and secrets for the specific application and record the secret value, which must be entered in the SonarQube Azure AD plugin. Record it immediately, as it can’t be read back from the Azure console later.
- Select the supported account types. If you choose multi-tenant and later switch back to single tenant, the application may malfunction. In such a case, it is recommended to create the application registration again.
- Set “User assignment required” to “Yes” so that AD users who are not assigned to the application can’t log in to SonarQube and see even its basic information.
- Add the Azure Directory users who should have access to the SonarQube application.
Step 3: Configuration of SonarQube with Azure Domain Services plugin
Log in as a SonarQube administrator and configure the Azure AD plugin from Administration – Configuration – Azure Active Directory.
The key aspects to ensure are:
- Authentication must be Enabled.
- Client ID must be provided; the value comes from the application registration in the Azure portal.
- Client Secret must be provided; this is the value noted while creating certificates and secrets in the Azure console.
- Multi-tenant Azure Application should not be enabled unless necessary, as it allows users from other tenants (domains) to access the SonarQube application.
- Provide the Tenant ID, the value noted while registering the application in the Azure AD portal.
- Set the Directory Location of Azure AD to global, or to the location that matches your requirements.
- Group Synchronization must be enabled.
- Force User Authentication must be enabled from – SonarQube Administration – Configuration - General Settings – Security.
- Ensure that the server base URL (accessed from General settings - General) is the same as the URL through which you are accessing SonarQube application.
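The redirect URL rules from Step 2 and the Step 3 checklist can be checked offline before touching the portal. The script below is an added example and is not part of the original post or of the plugin; the dictionary keys it reads are assumed names for this script only, not the plugin's own property keys, and the sample settings use placeholders.

```python
# Added example (not from the post or the plugin): offline checklist
# validator. Dict keys below are assumed names for this script only.
from urllib.parse import urlparse

CALLBACK_PATH = "/oauth2/callback/add"  # callback suffix as given in Step 2
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_url(redirect_url, server_base_url):
    """Return problems found in an App Registration redirect URL."""
    problems = []
    u = urlparse(redirect_url)
    # Azure AD only accepts a non-https redirect URI on a loopback address.
    loopback = u.scheme == "http" and u.hostname in LOOPBACK_HOSTS
    if u.scheme != "https" and not loopback:
        problems.append("redirect URL must use https or a loopback address")
    if not u.path.endswith(CALLBACK_PATH):
        problems.append("redirect URL must end with " + CALLBACK_PATH)
    base = urlparse(server_base_url)
    if (u.scheme, u.netloc) != (base.scheme, base.netloc):
        problems.append("redirect URL host differs from the server base URL")
    return problems


def check_plugin_settings(settings, access_url):
    """Apply the Step 3 checklist to a settings dict (assumed key names)."""
    findings = []
    if not settings.get("authentication_enabled"):
        findings.append("Azure AD authentication is not enabled")
    for key in ("client_id", "client_secret", "tenant_id"):
        if not settings.get(key):
            findings.append(key + " is missing")
    if settings.get("multi_tenant"):
        findings.append("multi-tenant enabled: users from other tenants could sign in")
    if not settings.get("group_sync"):
        findings.append("group synchronization is disabled")
    if not settings.get("force_user_authentication"):
        findings.append("Force User Authentication is disabled")
    if settings.get("server_base_url", "").rstrip("/") != access_url.rstrip("/"):
        findings.append("server base URL differs from the URL used to reach SonarQube")
    return findings


# Constructed sample with two deliberate mistakes (placeholder IDs, no real values).
SAMPLE_SETTINGS = {
    "authentication_enabled": True, "group_sync": True,
    "client_id": "<client-id-placeholder>", "client_secret": "<secret-placeholder>",
    "tenant_id": "<tenant-id-placeholder>", "multi_tenant": True,
    "force_user_authentication": False, "server_base_url": "https://sonar.example.com",
}
```

Running check_plugin_settings(SAMPLE_SETTINGS, "https://sonar.example.com") reports the multi-tenant and Force User Authentication findings and nothing else.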
Step 4: Validation of Azure DS Plugin Configuration
Log in to SonarQube at the URL at which the application is configured. Ensure that the URL is secure (https); otherwise the Azure AD login will not work.
If the URL is properly configured, the “Log in with Microsoft” option will appear, where users can log in with their Azure AD credentials.
And that’s it! You have set up SonarQube with Azure AD authentication.
Some of the key validations to be carried out during and after the set-up process are:
- Ensure that users who aren’t part of the domain can’t log in.
- Verify SonarQube access with AD accounts that have no privileges in the local group.
- Cross check project level access against the users created with Azure Directory Services.
Administrators should ensure that all these steps are followed during the setup process for successful integration.
We hope this quick reference on how SonarQube can be integrated with Azure AD for user authentication is helpful. SonarQube & Azure AD Integration is a viable option when it comes to setting up reliable and secure RBAC mechanisms. Contact us, if you would like to implement a DevSecOps tool stack or improve the authentication mechanisms for your internal or client facing applications.