SonarLint VS connected experience authentication issues


Mike Barry

Mar 9, 2016, 9:41:50 AM
to SonarQube
Hello,

I just wanted to report some feedback for the connected experience in sonarlint VS 2.0-RC1.

We use LDAP with active directory and single sign-on on sonarqube 5.3 (sonar.forceAuthentication=true). When connecting to the sonarqube server, single sign-on did not work. The server returned a 401. I was disappointed, but then I just decided to use a token instead. This did not work either, as I am required to provide a password if I provide a username. In the end I was forced to input my AD credentials which, I am assuming, are then cached somewhere.

I would request the following enhancements:
SonarLint connected should allow logins using tokens
SonarLint should properly authenticate with Negotiate automatically if the server supports it

Thanks,
Mike

nicolas...@sonarsource.com

Mar 9, 2016, 10:39:18 AM
to SonarQube
Hi Mike,

Side question: how do your SonarQube Scanners connect to your SonarQube server as of today? Scanners don't support SSO/NTLM either, so from a SonarLint perspective I think this thread should really focus on limitations/shortcomings with token authentication, SSO/NTLM being a wider topic with implications on the Scanner side too.

Best regards,
Nicolas

Mike Barry

Mar 9, 2016, 11:56:24 AM
to SonarQube
Hi!

We use tokens for sonarqube scanners, but currently we only run them as part of our gated/scheduled builds from our build servers. That means we only have 1 token for 1 account. With sonarlint I'm going to have to scale this to 100+ developers. In 5.3 that means I, as the sonar admin, would have to create a token for each user and email them out. In 5.4 at least the tokens are self-service, but that's a bunch of manual steps my devs would need to do when the "don't make me think" solution is: this should just work.

I noticed you do use the native credential storage in Windows (bravo); however, because of basic authentication you still need to decrypt the SecureString (sad panda). If SSL isn't in use it's even worse, as this is plaintext over the wire. If supporting tokens is the solution to this issue, it would be ideal if typing in domain credentials caused a new token to be requested behind the scenes and that would be stored instead. (This would also make the change independent of domain password changes, which would be ideal from my perspective.)

Mike
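The "request a token behind the scenes" flow Mike describes above, as an added example that is not code from this thread, from SonarLint or from SonarQube: the password is sent exactly once over HTTPS to create a user token, and every later request carries only the token (SonarQube accepts a token as the Basic username with an empty password). The endpoint name, its `name` parameter, the JSON `token` field, the injected `http_post` transport and the hypothetical server URL are assumptions of this example.

```python
import base64
import json
from urllib.parse import urlparse


def basic_auth_header(username, password=""):
    """Build an HTTP Basic Authorization header value.

    SonarQube accepts a user token as the Basic username with an empty
    password, so a client holding a token never puts the account
    password on the wire again."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def exchange_password_for_token(server_url, username, password,
                                token_name, http_post):
    """Exchange domain credentials for a SonarQube user token, once.

    The password travels a single time, to create the token, and only
    over HTTPS; the caller should then store the returned token instead
    of the password.  `http_post(url, headers, form)` is an injected
    transport (assumption: it returns (status_code, body_text)).
    The endpoint (POST api/user_tokens/generate with a `name` form
    parameter, JSON reply containing `token`) is assumed to match the
    SonarQube 5.4 web API; verify against your server's documentation."""
    if urlparse(server_url).scheme != "https":
        # The thread's "plaintext over the wire" failure mode: refuse it.
        raise ValueError("refusing to send a password over plaintext HTTP")
    url = server_url.rstrip("/") + "/api/user_tokens/generate"
    headers = {"Authorization": basic_auth_header(username, password)}
    status, body = http_post(url, headers, {"name": token_name})
    if status != 200:
        raise RuntimeError(f"token generation failed with HTTP {status}")
    token = json.loads(body).get("token", "")
    if not token:
        raise RuntimeError("server returned no token")
    return token


def authenticated_request_headers(token):
    """Headers for every later request: the token, never the password."""
    return {"Authorization": basic_auth_header(token, "")}
```

Storing the returned token in the Windows credential store instead of the domain password also decouples the client from domain password rotation, as the message above points out.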

Dinesh Bolkensteyn

Mar 9, 2016, 12:42:29 PM
to Mike Barry, SonarQube
Hi Mike,

Thanks for this feedback.

We've created a ticket to be fixed in 2.0 to support tokens, which should be quite straightforward:
  (and thank you for your pull request! :-) https://github.com/SonarSource-VisualStudio/sonarlint-visualstudio/pull/25/files - looks like you really wanted to be sure it'd be fixed in this version :p)

However supporting single sign on is indeed more complex and will come in a later version:

