Setting up optional security features for SAML with Microsoft Entra ID
Once you have registered SonarQube Community Build in Microsoft Entra, you can set up the following security features:
- The encryption of SAML assertions emitted by Microsoft Entra ID for SonarQube Community Build. For more information, see SAML token encryption in Entra ID.
- The signing of the SAML requests from SonarQube Community Build to Entra ID. For more information, see Enforce signed SAML authentication requests.
The same key pair is used for both security features (encryption and signing).
Step 1: Generate the asymmetric key pair and certificate
Generate the asymmetric key pair to use for encryption (PKCS8). The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a .cer file. The certificate file should contain only the public key, not the private key.
Step 2: Configure the security feature(s) in Microsoft Entra ID
To enable the encryption of SAML assertions
Add the certificate to the Microsoft Entra ID application you created for SonarQube Community Build:
- Go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Community Build.
- On the application's page, select Token encryption.
- On the Token encryption page, select Import Certificate to import the
.cerfile that contains your public X.509 certificate. - Once the certificate is imported, activate encryption by selecting the three dots next to the thumbprint status and then selecting Activate token encryption.
5. Select Yes to confirm activation of the token encryption certificate.
6. Confirm that the SAML assertions emitted for the application are encrypted.
If you use encryption, enforce response signature
- In Microsoft Entra ID, go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Community Build.
- On the application's page, select Single sign-on.
- In SAML Certificates > Token signing certificates, select Edit. The SAML Signing Certificate dialog opens.
- In Signing option, enforce the response signature. It means, select either the Sign SAML Response or Sign SAML response and assertion option.
- Save.
To enable the signing verification
- In Microsoft Entra ID, go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Community Build.
- On the application's page, select Single sign-on.
- In SAML Certificates > Verification certificates, select Edit.
- Go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Community Build.
- Select Require verification certificates.
- Upload the public key certificate.
- Save. The Verification certificates section shows 1 active certificate.
Step 3: Configure the security feature(s) in SonarQube Community Build
To configure the resquest signing and/or the assertion decryption in SonarQube Community Build:
- Go to Administration > Configuration > General Settings > Authentication > SAML.
- In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
- Copy the PKCS8 private key file contents.
- Paste it in Service provider private key.
- Copy the self-signed certificate contents.
- Paste it in Service provider certificate.
- To enable the signing of the SAML requests, select in addition the Sign requests option.
- Select Save configuration.
- Select Test Configuration.
Related pages
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
