Setting up SAML SSO with Microsoft Entra ID
To transition your enterprise to SAML SSO with Microsoft Entra ID:
- Verify the user groups of your organizations.
- Follow Step 1 to Step 3 below.
- Terminate the SAML SSO setup.
Step 1: Create the SonarQube Cloud application
- In Microsoft Entra ID, go to Applications > Enterprise applications > All applications.
- Select New application and then Create your own application.
- Fill in the name and select the Integrate any other application you don't find in the gallery option.
- Select Create.
Step 2: Configure the SonarQube Cloud application
1. From the Manage section of the SonarQube Cloud application in Microsoft Entra ID, go to Single sign-on > SAML.
2. In the Basic SAML Configuration section, select Edit, fill in the Identifier and the Reply URL fields as described below, and save.
Identifier and Reply URL fields
| Field | Description |
|---|---|
| Identifier | Copy-paste the SP Identity ID field from the SonarQube Cloud UI. To do so:
|
| Reply URL | Copy-paste the SSO URL field from the SonarQube Cloud UI. Proceed as explained for the SP Identity ID field above. |
3. In the Attributes & Claims section, configure the attributes used by SonarQube Cloud as described below. To add an attribute, select Add new claim.
Attributes
| Attribute used by SonarQube Cloud | Description | Attribute in Microsoft Entra ID |
|---|---|---|
| Login | A unique name to identify the user in SonarQube Cloud. | userprincipalname |
| Name | The full name of the user. | givenname |
| The email of the user. | mail |
4. Select Add a group claim, and configure the group attribute as described below. Once done, the option to add a group will be unavailable and the group attribute will be listed with the other attributes in the Add new claim tab.
Group attribute
The group attribute is used for automatic group synchronization.
| Parameter or option | Value |
|---|---|
| Group Claims | Groups assigned to the application |
| Source attribute | sAMAccountname or Cloud-only group display names |
| Emit group name for cloud-only groups | Selected. |
Microsoft Entra ID SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table). In such cases, you might need to reduce the number of groups the user is in.
5. From the Manage section of the SonarQube Cloud application in Microsoft Entra ID, go to Users and groups.
6. Select Add user/group to assign groups to the application.
7. From the Manage section of the SonarQube Cloud application in Microsoft Entra ID, go to Properties.
8. Set the Visible to users? option to No. (This is because SonarQube Cloud doesn't support IdP-initiated SSO).
Step 3: Configure SAML SSO in SonarQube Cloud
You must be the administrator of the enterprise in SonarQube Cloud.
Proceed as follows:
- In SonarQube Cloud, retrieve your enterprise.
- Select Administration > SAML Single Sign On (SSO). The SAML SSO page opens.
- On the page, navigate to step 3 of the SAML configuration section.
- In Microsoft Entra ID, from the Manage section of the SonarQube Cloud application, go to Single sign-on > SAML.
- Copy the Login URL value in the Set up <SonarQubeCloudApplication> section to SonarQube Cloud’s Login URL field.
- In the SAML certificates section, download Certificate (Base64) and upload it to SonarQube Cloud’s X.509 Certificate field by selecting the Choose file button.
- In the Attributes & Claims section, select Edit to open the Attributes & Claims page. On this page:
- Copy the Claim name (URL-type value) of the attribute used for Name to the SonarQube Cloud's User Name Attribute.
- Copy the Claim name (URL-type value) of the attribute used for Login to the SonarQube Cloud's User Login Attribute.
- Copy the Claim name (URL-type value) of the attribute used for Email to the SonarQube Cloud's User Email Attribute.
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
