Setting up optional security features for SAML with a Ping Identity provider

Once you have registered SonarQube Community Build in PingOne or PingFederate, you can set up the following security features:

• The encryption of SAML assertions emitted by the Ping Identity provider for in SonarQube Community Build.
• The signing of the SAML requests from SonarQube Community Build to the Ping Identity provider.

To enable the encryption or signing of SAML assertions, you need to provide two things (the same key pair is used for both security features) :

• Service provider private key: PKCS8-stored private key.
• Service provider certificate: X.509 certificate.

Step 1: Generate the private key and certificate

1. On the machine running SonarQube Community Build, open a command line.
2. Generate a Certificate Signing Request (CSR) with a new private key and certificate request.
   Example:
   openssl req -sha256 -nodes -newkey rsa:2048 -keyout sonar.key -out sonar.csr
   where:
   • sonar.key is the name of the private key output.
   • sonar.csr is the name of the certificate request output.
3. Press Enter. You will be presented with a series of prompts.
4. Input Country, State, etc. Make sure that the server FQDN input matches your SonarQube Community Build base URL.
5. Convert the certificate request into PEM format.
   Example:
   openssl req -inform PEM -in sonar.csr -out sonar.pem
   where:
   • sonar.csr is the certificate request from the previous step.
   • sonar.pem is the name of the converted CSR output.
6. Generate a self-signed certificate starting from an existing certificate as a CRT file.
   Example:
   openssl x509 -req -in sonar.pem -signkey sonar.key -out sonar.crt
   where:
   • sonar.pem is the CSR in PEM format from the previous step.
   • sonar.key is the private key from a previous step.
   • sonar.crt is the final self-signed certificate output.
7. Convert the private key to PKCS#8 format using the following command:
   openssl pkcs8 -topk8 -in sonar.key -out pkcs8.key -nocrypt

Step 2: Configure the security feature(s) in the Ping Identity provider

1. In PingOne, retrieve the SAML application you created in Registering SonarQube Community Build in Ping Identity (To do so, go to Applications > Applications and open the SAML application's details page).
2. Go to the Configuration tab.
3. Select the pencil icon.

To enable the encryption of SAML assertions

1. In the Signing Key section, enforce the response signing. It means, select Sign Response or Sign Assertion & Response option.
2. In the Encryption section:
   • Select Enable Encryption.
   • In Algorithm, set AES_256.
   • In Certificate, upload the provider certificate file generated in step 1 above.
3. Select Save.

To enable the signing verification

1. Select the Enforce Signed AuthRequest option.
2. In the Verification Certificate section, upload the provider certificate file generated in step 1 above.
3. Select Save.

Step 3: Configure the security feature(s) in SonarQube Community Build

To configure the resquest signing and/or the assertion decryption in SonarQube Community Build:

1. Go to Administration > Configuration > General Settings > Authentication > SAML.
2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
3. Copy the PKCS8 private key file contents.
4. Paste it in Service provider private key.
5. Copy the self-signed certificate contents.
6. Paste it in Service provider certificate.
7. To enable the signing of the SAML requests, select in addition the Sign requests option. 
8. Select Save configuration.
9. Select Test Configuration.

Related pages

• SAML overview
• Registering SonarQube Community Build in Ping Identity
• Configuring SAML with Ping Identity in SonarQube Community Build