Step 2: Configure SSO
The second step in configuring SSO for your SonarQube Cloud enterprise varies slightly, depending on your identity provider.
You must be the administrator of the enterprise in SonarQube Cloud.
The SSO setup assistant is a recent addition. If you previously configured SSO using the older method, your setup remains unaffected. However, to leverage the benefits of the new SSO setup assistant, you may delete your existing configuration and create a new one.
Start the SSO setup assistant
In SonarQube Cloud, retrieve your enterprise. See Managing your enterprise for more details.
Select Administration > SSO & Provisioning. The SSO & Provisioning page opens.
Select Setup Configuration and then Get Started in the bottom right corner. The Configure Your Connection page opens.

Select Single Sign-On. The setup assistant opens.
Select Custom SAML and select Next. The first step of the SAML SSO setup assistant, 1. Create Application, opens.

Create and set up the SonarQube Cloud application in your identity provider
This step depends on your identity provider.
Okta
In Okta, under Applications, select Create App Integration.

In the dialog, select SAML 2.0.
Select Next.
Fill in the fields and options as described in the table below.
General settings
App name
SonarQube Cloud application name.
Example: SonarQube Cloud.
App visibility: Do not display application icon to users
Select this option, because SonarQube Cloud doesn’t support IdP-initiated SSO.
SAML settings
Single sign on URL
Copy-paste the Single Sign-On URL field value from the setup assistant.
Audience URI (SP Entity ID)
Copy-paste the Service Provider Identity ID field value from the setup assistant.
Response
Select Signed.
Assertion Signature
Select Signed.
Signature Algorithm
Select RSA-SHA256.
For assertion encryption
Assertion Encryption
If you want to enable assertion encryption, select Encrypted and fill in the fields below.
Encryption Algorithm
Select AES256-GCM for high security.
Key Transport Algorithm
Select RSA-OAEP.
Encryption Certificate
The public X.509 certificate used by the identity provider to authenticate SAML messages.
Only a single sign-on URL is allowed. Attempting to configure URLs in Other Requestable SSO URLs will lead to errors in your SSO setup.
In the Feedback dialog, select Finish to confirm the creation of the SonarQube Cloud application.
In the setup assistant, select Next to go to the step 2. Configure Connection.
2. Configure Connection
In Okta’s SonarQube Cloud application, go to Sign On > Settings > Sign on methods. Copy the value of the Metadata URL field.

Paste the copied value to the Metadata URL field in the Automatic tab of the setup assistant page.

In the assistant, select Create Connection and Proceed. SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step 3. Attribute Mapping.
3. Attribute Mapping
In Okta’s SonarQube Cloud application, go to Sign On.
Go down to the Attribute statements section and open the Show legacy configuration panel.

Select Edit.
In Profile attribute statements, add the attributes for Name, Login, and Email, and in Group Attribute Statements, add the attribute for Groups, as described in the table below.
Name
Copy the attribute's Mapping value from the assistant (use the Copy tool).
Unspecified
user.firstName
Login
Copy the attribute's Mapping value from the assistant (use the Copy tool).
Unspecified
user.login
Email
Copy the attribute's Mapping value from the assistant (use the Copy tool).
Unspecified
user.email
Groups
Copy the attribute's Mapping value from the assistant (use the Copy tool).
Unspecified
Select Matches regex and set the value to .*

Select Save.
In SonarQube Cloud's setup assistant, select Next to go to step 4. Test SSO. See Test the SSO connection.
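The Okta settings above (Response: Signed, Assertion Signature: Signed, Signature Algorithm: RSA-SHA256) and the four attribute statements can be checked against a decoded SAML response captured during a test login. The following is an added example, not part of the SonarQube Cloud documentation or tooling; the attribute names and the SP entity ID are placeholders for the values shown in the setup assistant, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def sig_alg(elem):
    """Algorithm URI of the signature that is a direct child of elem, or None."""
    method = elem.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return None if method is None else method.get("Algorithm")

def audit_response(xml_text, expected_attrs, sp_entity_id):
    """Return deviations from the guide's settings. Structural check only:
    signatures are located, not cryptographically verified."""
    root = ET.fromstring(xml_text)
    notes = []
    if sig_alg(root) != RSA_SHA256:
        notes.append("response not signed with RSA-SHA256")
    if root.find("a:EncryptedAssertion", NS) is not None:
        return notes + ["assertion is encrypted: decrypt it before auditing its contents"]
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return notes + ["no assertion in response"]
    if sig_alg(assertion) != RSA_SHA256:
        notes.append("assertion not signed with RSA-SHA256")
    audiences = [e.text for e in assertion.iterfind(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if audiences != [sp_entity_id]:
        notes.append(f"unexpected audience list: {audiences}")
    present = {e.get("Name") for e in assertion.iterfind(
        "a:AttributeStatement/a:Attribute", NS)}
    notes += [f"missing attribute: {n}" for n in expected_attrs if n not in present]
    return notes

# Constructed, trimmed sample: assertion signed with RSA-SHA1, no groups attribute.
SIG = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{}"/>'
       '</ds:SignedInfo></ds:Signature>')
SAMPLE = (
    "<p:Response " + " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items()) + ">"
    + SIG.format(RSA_SHA256)
    + "<a:Assertion>" + SIG.format("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    + '<a:Conditions><a:AudienceRestriction><a:Audience>urn:example:sp</a:Audience>'
    '</a:AudienceRestriction></a:Conditions><a:AttributeStatement>'
    '<a:Attribute Name="name"/><a:Attribute Name="login"/><a:Attribute Name="email"/>'
    '</a:AttributeStatement></a:Assertion></p:Response>')

# Attribute names and the SP entity ID are placeholders for the assistant's values.
print(audit_response(SAMPLE, ["name", "login", "email", "groups"], "urn:example:sp"))
```

With assertion encryption enabled, the script stops at the encrypted assertion and reports that its signature and attributes cannot be inspected without decryption.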
Microsoft Entra ID
Group synchronization doesn’t work with Microsoft Entra ID’s nested groups.
Microsoft Entra ID’s SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table). In such cases, you might need to reduce the number of groups the user is in.
Proceed as follows:
In Microsoft Entra ID, go to Applications > Enterprise applications > All applications.
Select New application and then Create your own application.
Make sure you choose Create your own application. Do not select the non-affiliated Sonarqube Microsoft Entra Gallery app, which contains configurations that may prevent proper integration.
Fill in the name and select the Integrate any other application you don’t find in the gallery option.
Select Create.
From the Manage section of the SonarQube Cloud application, go to Single sign-on > SAML.
In the Basic SAML Configuration section, select Edit, fill in the Identifier and the Reply URL fields as described in the table below, and save.
Identifier
Copy-paste the Service Provider Identity ID field value from the setup assistant.
Reply URL
Copy-paste the Single Sign-On URL field value from the setup assistant.
Only a single reply URL is allowed. Attempting to configure multiple reply URLs will lead to errors in your SSO setup.
In the setup assistant, select Next to go to the step 2. Configure Connection.
2. Configure Connection

In your SonarQube Cloud application in Microsoft Entra ID, go to SAML Certificates. Copy the value of the App Federation Metadata Url field and paste it into the Metadata URL field in the Automatic tab of the setup assistant page.
In the assistant, select Create Connection and Proceed. SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step 3. Attribute Mapping.
3. Attribute Mapping
In Microsoft Entra ID, go to the Attributes & Claims section of your SonarQube Cloud application.
Remove the namespaced attributes added by Microsoft Entra ID and listed in the Additional claims section.
Select Add new claim and define a claim for the Email attribute. This attribute is used to manage the email of the user.
In Name, paste the name copied from the Email's Mapping value in SonarQube Cloud's setup assistant.
In Source attribute, select user.mail.

The figure below shows the setup assistant of SonarQube Cloud. Use the copy tool to copy the Mapping value.

The same way, define a claim for the Login attribute. This attribute is the unique name used to identify the user in SonarQube Cloud. In Source attribute, select user.userprincipalname.
The same way, define a claim for the Name attribute. This attribute is the full name of the user. In Source attribute, select user.givenname or your own user name attribute.
The default list of attributes includes user.givenname (first name) and user.surname (last name). If you prefer to show the full name, you must create a new claim in MS Entra ID.
Select Add a group claim to define the Groups attribute. This attribute is used for automatic group synchronization. Set the parameters as follows:
Which groups associated with the user should be returned in the claim?: Groups assigned to the application
Source attribute: Cloud-only group display names or (if using on-prem Active Directory for group synchronisation) sAMAccountName
Emit group name for cloud-only groups option: If you use sAMAccountName, select the option. Otherwise, ignore the option.
The figure below shows a group attribute definition example.

Save. The option to add a group will be unavailable and the group attribute will be listed with the other attributes in the Additional claims section as illustrated below.

In the setup assistant, select Next to go to the step 4. Test SSO. See Test the SSO connection.
JumpCloud
In JumpCloud, go to SSO Applications and select + Add New Application.

Select Custom Application and select Next.

Click Next.
Select Manage Single Sign-On (SSO) and Configure SSO with SAML, and select Next.

Enter a display label and select Save Application. The application is created.

Select Configure Application.
In the SSO tab, in the Configuration Settings section, set the parameters as explained in the table below.

IdP Entity ID
Don't change the default value.
SP Entity ID
Copy-paste the Single Sign-On URL field value from the setup assistant.
ACS URL
Copy-paste the Single Sign-On URL field value from the setup assistant to Default URL.
Only a single ACS URL is allowed. Attempting to configure multiple ACS URLs will lead to errors in your SSO setup.
In JumpCloud Metadata in the same section, select the Copy Metadata URL button.

In SonarQube Cloud's SAML SSO setup assistant, go to step 2. Configure Connection and paste the copied value to Metadata URL in the Automatic tab.

Select Create Connection and then Proceed.
In SonarQube Cloud's SAML SSO setup assistant, go to step 3. Attribute Mapping.
In the SSO tab of the JumpCloud's application, go to the Attributes > User Attributes section and add three new attributes with the values described in the table below.
Name
Paste the name copied from the Mapping value in SonarQube Cloud's setup assistant.
username
Login
Paste the name copied from the Mapping value in SonarQube Cloud's setup assistant.
displayname
Email
Paste the name copied from the Mapping value in SonarQube Cloud's setup assistant.
email
Under the Constant Attributes section, select the Include Group Attribute option. Copy the group attribute name from the assistant and paste it into Groups Attribute Name.

Select Save.
In SonarQube Cloud's SAML SSO setup assistant, select Next to go to step 4. Test SSO. See Test the SSO connection below.
Other identity providers
Create the SonarQube Cloud application in your identity provider.
Copy the Service Provider Identity ID field value from the setup assistant and paste it into the corresponding field in your identity provider.
Copy the Single Sign-On URL field value from the setup assistant and paste it into the corresponding field in your identity provider.
Only a single sign-on URL is allowed. Attempting to configure multiple sign-on URLs in your identity provider will lead to errors in your SSO setup.
In SonarQube Cloud's SSO setup assistant, select Next to go to the step 2. Configure Connection.

2. Configure Connection
The operation is different depending on whether your identity provider supports the SAML metadata URL field (URL used by SonarQube Cloud to access metadata information) or not.
Metadata URL supported
In your SonarQube Cloud application in your identity provider, copy the value of the field corresponding to the SAML metadata URL.
Paste it into the Metadata URL field in the Automatic tab of the setup assistant page.

In the assistant, select Create Connection and Proceed. SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step 3. Attribute Mapping.
Metadata URL not supported
In the assistant, select the Manual tab.

In your identity provider, copy the value of the SSO login URL field and paste it into Single Sign-On Login URL in the assistant.
In your identity provider, download the certificate and upload it to the assistant.
In the assistant, select Create Connection and Proceed. SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step 3. Attribute Mapping.
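When the identity provider only offers a downloadable metadata XML file, the two values the Manual tab asks for can be read from that file. The following is an added example, not part of the SonarQube Cloud documentation; it assumes a standard SAML 2.0 IdP metadata document, and the sample metadata, URLs and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def manual_tab_values(metadata_xml):
    """Extract what the Manual tab asks for from an IdP metadata document:
    SSO login URLs by binding, and each signing certificate as PEM with its
    SHA-256 fingerprint for comparison against the IdP console."""
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    urls = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
            for e in idp.iterfind("md:SingleSignOnService", NS)}
    insecure = [u for u in urls.values() if not u.startswith("https://")]
    if insecure:
        raise ValueError(f"SSO login URL without HTTPS: {insecure}")
    certs = []
    for key in idp.iterfind("md:KeyDescriptor", NS):
        text = key.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        # A KeyDescriptor with no "use" attribute covers signing and encryption.
        if key.get("use") not in (None, "signing") or not text.strip():
            continue
        b64 = "".join(text.split())  # metadata often wraps the base64 value
        der = base64.b64decode(b64, validate=True)
        pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                         "-----END CERTIFICATE-----", ""])
        certs.append({"sha256": hashlib.sha256(der).hexdigest(), "pem": pem})
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"sso_urls": urls, "certificates": certs}

# Constructed sample; the certificate value is placeholder bytes, not real X.509.
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="urn:example:idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="https://idp.example.com/sso"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

print(manual_tab_values(SAMPLE)["sso_urls"])
```

More than one entry under certificates usually means the identity provider is mid-rollover; compare the fingerprints with the certificate shown as active in the identity provider before uploading.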
3. Attribute Mapping
In your identity provider, create the attributes for Name, Login, Email, and Groups (the group attribute is used for automatic group synchronization). To do so, for each attribute, copy the attribute's Mapping value from the assistant (use the Copy tool) and paste it into the attribute’s name field in your identity provider.

In the assistant, select Next to go to step 4. Test SSO. See Test the SSO connection.
Test the SSO connection
Before being able to test the connection, you may have to assign at least one user to your SonarQube Cloud application in your identity provider.
In SonarQube Cloud's setup assistant, select the Test Connection button. The test starts and the results are displayed on the page as illustrated below.

If the test was successful, select Enable Connection and Proceed.
If you want to set up SCIM provisioning, select Provisioning to open the SCIM provisioning setup assistant and follow the setup instructions from Setting up SCIM provisioning. Otherwise, go to the next step below to enable the connection.
Enable the SSO connection
Once you have enabled the connection to your identity provider, your users will be able to authenticate to SonarQube Cloud through SSO.
To enable the connection to your identity provider:
In SonarQube Cloud's Configure Your Connection page, select Enable Connection. A confirmation dialog opens.

Select Proceed.
Related pages
Step 1: Verify the user groups
Step 3: Invite users to sign in
Step 4: Terminate SSO setup
Editing SSO configuration
Deleting SSO configuration

