# Setup of security features
Once you have registered SonarQube Server in Microsoft Entra ID (see [setup-in-entra-id](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/authentication/saml/ms-entra-id/setup-in-entra-id "mention")), you can set up the following security features:
* The encryption of SAML assertions emitted by Microsoft Entra ID for SonarQube Community Build. For more information, see [SAML token encryption in Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal).
* The signing of the SAML requests from SonarQube Community Build to Entra ID. For more information, see [Enforce signed SAML authentication requests](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-enforce-signed-saml-authentication).
{% hint style="info" %}
The same key pair is used for both security features (encryption and signing).
{% endhint %}
## Step 1: Generate the asymmetric key pair and certificate
Generate the asymmetric key pair to use for encryption (PKCS8). The public key should be stored in an X.509 certificate file in `.cer` format. You can copy the contents of the certificate file to a text editor and save it as a `.cer` file. The certificate file should contain only the public key, not the private key.
## Step 2: Configure the security feature(s) in Microsoft Entra ID To enable the encryption of SAML assertions
Add the certificate to the Microsoft Entra ID application you created for SonarQube Community Build:
1. Go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application for SonarQube Community Build.
2. On the application’s page, select **Token encryption**.
3. On the Token encryption page, select **Import Certificate** to import the `.cer` file that contains your public X.509 certificate.
4. Once the certificate is imported, activate encryption by selecting the three dots next to the thumbprint status and then selecting **Activate token encryption**.
5\. Select **Yes** to confirm activation of the token encryption certificate.
6\. Confirm that the SAML assertions emitted for the application are encrypted.
If you use encryption, enforce response signature
1. In Microsoft Entra ID, go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application for SonarQube Community Build.
2. On the application’s page, select **Single sign-on**.
3. In **SAML Certificates** > **Token signing certificates**, select **Edit**. The **SAML Signing Certificate** dialog opens.
4. In **Signing option**, enforce the response signature. It means, select either the **Sign SAML Response** or **Sign SAML response and assertion** option.
5. Save.
To enable the signing verification
1. In Microsoft Entra ID, go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application for SonarQube Community Build.
2. On the application’s page, select **Single sign-on**.
3. In **SAML Certificates** > **Verification certificates**, select **Edit**.
4. Go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application for SonarQube Community Build.
5. Select **Require verification certificates**.
6. Upload the public key certificate.
7. Save. The **Verification certificates** section shows **1** active certificate.
## Step 3: Configure the security feature(s) in SonarQube Community Build
To configure the resquest signing and/or the assertion decryption in SonarQube Community Build:
1. Go to **Administration** > **Configuration** > **General Settings** > **Authentication** > **SAML**.
2. In **SAML Configuration** > **SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
3. Copy the PKCS8 private key file contents.
4. Paste it in **Service provider private key.**
5. Copy the self-signed certificate contents.
6. Paste it in **Service provider certificate.**
7. To enable the signing of the SAML requests, select in addition the **Sign requests** option.
8. Select **Save configuration**.
9. Select **Test Configuration**.
## Related pages
* [overview](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/authentication/saml/overview "mention")
* [setup-in-entra-id](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/authentication/saml/ms-entra-id/setup-in-entra-id "mention")
* [setup-in-sq](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/authentication/saml/ms-entra-id/setup-in-sq "mention")
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.sonarsource.com/sonarqube-community-build/instance-administration/authentication/saml/ms-entra-id/optional-security-features.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.