With Keycloak
Setting up SAML authentication with Keycloak in your SonarQube Community Build instance.
To integrate Keycloak (the identity provider) with SonarQube (the service provider), both sides need to be configured, first in Keycloak, then in SonarQube. In addition, you may want to set up security features.
With SonarQube Server, in addition to the SAML setup, you can configure SCIM to automatically provision users and groups to SonarQube. For more information, see Feature comparison table.
Set up Keycloak
Before starting the setup in Keycloak, make sure:
You have created in Keycloak a realm that you want to use with SonarQube.
The SonarQube Community Build URL is correctly set in your SonarQube instance. See Server base URL.
Create a new SAML client
Sign in to your Keycloak administration console.
Select the realm to be used to interact with SonarQube.
In the left navigation panel, select Clients.
Select the Create client button.
In General settings, set the following parameters and click Next.
Client type: SAML
Client ID: Identifier of the SonarQube application in Keycloak. Any name can be used but it must not contain whitespace, e.g. sonarqube.
In Login settings, set the following parameter:
Valid redirect URIs: Must be in the format <SonarQubeBaseURL>/oauth2/callback/saml
Example: https://sonarqube.mycompany.com/oauth2/callback/saml
Select Save. The client is created.
The client signature is enabled by default. If you are not using the advanced security features (see Set up security features below), disable it: in the Keys tab of the SAML client used for SonarQube, disable Client signature required.
Set up mappers
In the left navigation panel, select the Clients menu. Then select the client you created earlier.
Select Client scopes, then <nameOfYourClient>-dedicated.
Create different mappers as described in the table below. To create a mapper, select Configure a new mapper or Add mapper > By configuration.
Login mapper (required):
  Mapper type: User Property
  Name: Login
  Property: username
  Note: This value should not contain any special characters other than ., -, _, and @, to meet SonarQube restrictions.
  SAML Attribute Name: login
Name mapper (required):
  Mapper type: User Property
  Name: Name
  Property: username (or another attribute that you previously specified for the users)
  SAML Attribute Name: name
Email mapper (optional):
  Mapper type: User Property
  Name: Email
  Property: email
  SAML Attribute Name: email
If you use Just-in-Time provisioning with the group synchronization feature:
Verify the user groups in SonarQube.
Select Add mapper > By Configuration and add a groups mapper by using one of the two options described below.
Option 1, if you rely on a list of groups defined in Groups:
  Mapper type: Group list
  Name: Groups
  Group attribute name: groups
  Single Group Attribute: ON
  Full group path: OFF
Option 2, if you rely on a list of roles defined in Roles of the realm (not in Roles of the client):
  Mapper type: Role list
  Name: Groups
  Role attribute name: groups
  Single Role Attribute: ON
  Full group path: n/a
For more information about JIT provisioning, see Just-in-Time provisioning.
Set up SonarQube Community Build
Open the IdP metadata file from Keycloak
Sign in to your Keycloak administration console.
Select the realm you use to interact with SonarQube.
In the left navigation panel, select Realm settings.
At the bottom of the General tab, you should see a SAML 2.0 Identity Provider Metadata endpoint. Select the link to open a new tab with the metadata or right-click to download it.
Configure SonarQube
In your SonarQube instance, go to Administration > Configuration > General Settings > Authentication > SAML.
Select Create Configuration.
Fill in the fields as explained in the table below.
Application ID
The value of the Client ID you set in Keycloak.
Example: sonarqube
Provider name
Name of the Identity Provider displayed on the SonarQube login page when SAML authentication is active.
Provider ID
The value of the EntityDescriptor > entityID attribute in the IdP metadata file. This can be found in Keycloak in Your realm > Realm settings > General > SAML 2.0 Identity Provider Metadata.
Example: http://keycloak:8080/realms/sonarqube
SAML login URL
The value of SingleSignOnService > Location attribute in the IdP metadata file. This can be found in Keycloak in Your realm > Realm settings > General > SAML 2.0 Identity Provider Metadata.
Example: http://<SonarQubeBaseUrl>/realms/SonarQube2025/protocol/saml
Identity provider certificate
Copy-paste the realm’s certificate. It can be found in Keycloak:
In Your realm > Realm settings > General > SAML 2.0 Identity Provider Metadata.
or in Your realm > Realm Settings > Keys > RS256 and select Certificate.
SAML user login attribute
The SAML attribute name configured for the login attribute.
Example: login
SAML user name attribute
The SAML attribute name configured for the name attribute.
Example: name
SAML user email attribute
Optional. The SAML attribute name configured for the email attribute.
Example: email
SAML group attribute
Optional. The SAML attribute name configured for the groups attribute if you use the Just-in-Time provisioning group synchronization feature (see Just-in-Time provisioning).
Example: groups
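To pull the three values the table above takes from the IdP metadata file (Provider ID, SAML login URL, Identity provider certificate), here is an added example that is not SonarQube's or Keycloak's own tooling; it reads a constructed Keycloak-style metadata sample with sed and grep, and the certificate in the sample is a placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not SonarQube's or Keycloak's tooling): extract the values
# SonarQube asks for from a Keycloak "SAML 2.0 Identity Provider Metadata"
# file using only sed/grep/tr. The sample below is constructed to mirror
# Keycloak's layout; the certificate is a placeholder string.

write_sample_metadata() {
  cat > "$1" <<'EOF'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://keycloak:8080/realms/sonarqube">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER-CERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://keycloak:8080/realms/sonarqube/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://keycloak:8080/realms/sonarqube/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Join the file onto one line so tags split across lines still match.
flat() { tr -d '\r\n' < "$1"; }

# Provider ID: the entityID attribute of EntityDescriptor.
idp_entity_id() {
  flat "$1" | sed -n 's/.*EntityDescriptor[^>]*entityID="\([^"]*\)".*/\1/p'
}

# SAML login URL: Location of SingleSignOnService. Keycloak publishes the same
# URL for the POST and Redirect bindings, so only distinct values are listed.
idp_sso_urls() {
  flat "$1" | grep -o '<[^>]*SingleSignOnService[^>]*>' \
    | sed -n 's/.*Location="\([^"]*\)".*/\1/p' | sort -u
}

# Identity provider certificate: the first X509Certificate after the signing
# KeyDescriptor (an encryption KeyDescriptor, if any, is skipped).
idp_signing_cert() {
  flat "$1" | sed 's/.*use="signing"//' \
    | grep -o '<[^>]*X509Certificate>[^<]*' | head -n1 | sed 's/^<[^>]*>//'
}

# Wrap the bare base64 in PEM markers so it can be inspected with
# "openssl x509 -noout -dates -subject" before it is pasted into SonarQube.
cert_pem() {
  echo '-----BEGIN CERTIFICATE-----'
  idp_signing_cert "$1" | fold -w 64
  echo '-----END CERTIFICATE-----'
}
```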
Set up security features
To improve security, you can enable the encryption of SAML assertions sent by Keycloak and the signing of SAML requests sent by SonarQube. Once you have registered the SonarQube in Keycloak, you can set up the following security features:
The encryption of SAML assertions emitted by Keycloak for SonarQube.
The signing of the SAML requests from SonarQube to Keycloak.
To enable the encryption of SAML assertions or the signing of SAML requests, you need to provide two things (the same key pair is used for both security features):
Service provider private key: PKCS8-stored private key.
Service provider certificate: X.509 certificate.
Configure the security features in Keycloak
You can enable the signing of SAML requests and/or the encryption of SAML assertions. To enable the assertion encryption, follow the steps below. To enable the signed requests, nothing needs to be done in this step.
To enable the encryption of SAML assertions in Keycloak:
In Keycloak, go to the Clients section and select the SAML client used for SonarQube.
In the Keys tab of the SAML client, disable Signing key config if not already done, and enable Encrypt assertions in Encryption keys config. A dialog opens to generate a paired private key and certificate.
Select the Generate button. A pop-up indicates that the key pair and certificate have been successfully generated (if that is not the case, make sure pop-ups are not blocked in your browser): the private.key file has been downloaded to your local folder. Select Confirm. The dialog closes.
Convert the private key to PKCS#8 format
You have to convert the Keycloak private.key into a pkcs8.key, which is SonarQube compatible. To do so, use a shell script based on the example below. In this example, the private.key downloaded from Keycloak is located in the same folder as where the script is run. Modify the script as needed.
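The conversion script the page refers to, written here as an added example rather than SonarQube's or Keycloak's own script; it also performs the check a practitioner wants before pasting the value into the SonarQube dialog, namely that the key matches the certificate copied from Encryption keys config. It assumes openssl is installed; that private.key may arrive either as a PEM file or as a bare base64 RSA body (handled either way); and that the SonarQube field takes the base64 body without the BEGIN/END lines.

```shell
#!/bin/sh
# Added example, not SonarQube's own script: turn the private.key downloaded
# from Keycloak into a single-line PKCS#8 value for SonarQube, then check that
# it belongs to the certificate shown in Encryption keys config.
# Assumptions: openssl is installed; private.key is either PEM or a bare
# base64 RSA (PKCS#1) body; SonarQube wants the body without BEGIN/END lines.

# Make sure the input is PEM: wrap a bare base64 body in PKCS#1 markers.
ensure_pem() {
  if grep -q -- '-----BEGIN' "$1"; then
    cat "$1"
  else
    echo '-----BEGIN RSA PRIVATE KEY-----'
    tr -d '\r\n' < "$1" | fold -w 64
    echo
    echo '-----END RSA PRIVATE KEY-----'
  fi
}

# Convert to unencrypted PKCS#8 and collapse the base64 body onto one line.
to_pkcs8_oneline() {
  ensure_pem "$1" | openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM \
    | grep -v -- '-----' | tr -d '\n' > "$2"
  echo >> "$2"
}

# Before pasting, verify that the one-line pkcs8.key ($1) and the certificate
# PEM from Keycloak ($2) carry the same public key (compared as PEM text).
key_matches_cert() {
  k=$( { echo '-----BEGIN PRIVATE KEY-----'; fold -w 64 "$1"
         echo '-----END PRIVATE KEY-----'; } | openssl pkey -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Usage: `to_pkcs8_oneline private.key pkcs8.key && key_matches_cert pkcs8.key cert.pem && echo OK`, where cert.pem holds the certificate copied from Encryption keys config wrapped in CERTIFICATE markers.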
The resulting file should look like this:
Configure the security features in SonarQube
To configure both the SAML request signing and the SAML assertion encryption features:
In Keycloak, retrieve the SAML client used for SonarQube and go to the Keys tab.
Copy the certificate value in Encryption keys config.
In SonarQube, go to Administration > Configuration > General Settings > Authentication > SAML.
In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
In Service provider certificate, paste the certificate value copied from Keycloak.
Open your pkcs8.key file and copy its content. Remember that the pkcs8.key contents are all on one line, as shown in Convert the private key to PKCS#8 format above. In SonarQube, paste this value in Service provider private key.
To enable the signing of the SAML requests, enable the Sign requests toggle.
Select Save configuration.
Select Test Configuration to verify.
To configure the SAML assertion encryption feature only
Follow the steps above, but ensure that the Sign requests toggle is disabled.
Both Service provider private key and Service provider certificate must be set (neither should be empty).