Start Free
Latest | Instance administration | Authentication and provisioning | GitLab | Managing JIT provisioning

Managing GitLab Just-in-Time provisioning mode

On this page

Setting up the group synchronization Setting the Allowed groups Blocking/Authorizing the sign-up of new users Related pages

Once you’ve set up the GitLab authentication and provisioning with the Just-in-Time (JIT) provisioning mode (default mode), you can set or change the JIT provisioning mode options.

You need the global Administer System permission in SonarQube to perform this setup.

Setting up the group synchronization

With the JIT provisioning mode, you can enable group synchronization. The group synchronization requires that you manually create the user groups in SonarQube: see below.

Enabling/disabling the group synchronization (Community Edition)
  1. Go to Administration > Configuration > General Settings > Authentication > GitLab.
  2. Select or unselect the Synchronize user groups option.
  3. Save.
Enabling/disabling the group synchronization (from the Developer Edition)
  1. Go to Administration > Configuration > General Settings > Authentication > GitLab.
  2. On the far right of App ID, select Edit
  3. In the dialog, select or unselect the Synchronize user groups option.
  4. Save.
Creating the user groups in SonarQube

To allow group synchronization, you must create in SonarQube a group for each GitLab group and subgroup you want to synchronize: see Managing user groups.

You must name the SonarQube group according to the URL of the GitLab group or subgroup. Be aware that that name check is case-sensitive.

Examples: 

  • If the URL of the GitLab group is https://gitlab.com/my-gitlab-group, the name of the SonarQube group mus be my-gitlab-group.
  • If the URL of the GitLab group is https://gitlab.com/my-gitlab-group/sub-group, the name of the SonarQube group must be my-gitlab-group/sub-group.

Setting the Allowed groups

Starting from the Developer Edition, you can restrict access to SonarQube by defining Allowed groups. An Allowed group is a GitLab root group (a group with no parent): only members of the Allowed group and all its subgroups can authenticate to SonarQube.

To set the Allowed groups:

  1. Go to Administration > Configuration > General Settings > Authentication > GitLab.
  2. In the Provisioning > Just-in-Time provisioning > Allowed groups, enter the root group slug as it appears in the GitLab URL. For instance, if the first Allowed group URL is https://gitlab.com/my-root-group, then enter my-root-group. A new text box is added underneath.
  3. Enter the second Allowed group slug, etc.

Blocking/Authorizing the sign-up of new users

You can block the sign up of new users with SonarQube. This may be useful if you want to manage the user provisioning through an API.

To block or authorize the sign-up of new users with SonarQube:

Community Edition
  1. Go to Administration > Configuration > General Settings > Authentication > GitLab.
  2. Unselect or select the Allow new users to sign up option.
  3. Save.
From the Developer Edition
  1. Go to Administration > Configuration > General Settings > Authentication > GitLab.
  2. In the Provisioning > Just-in-Time provisioning section, unselect or select Allow users to sign up.

Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License