# How to setup Azure AD
The following content may be useful if you’re using Azure AD as a SAML identity provider.
To integrate Azure AD (identity provider) with SonarQube (service provider), both sides need to be configured.
For SonarQube, navigate to **Administration** > **Authentication** > **SAML** and click **Create.** This will open a pop-up window with all the fields that you’ll need during the procedure. For Azure AD, login to Azure and navigate to Azure AD.
## Set up the SonarQube application in Azure AD
**Step 1**: In Azure AD, navigate to **Enterprise applications** and add a **New Application**.
The Azure navigation path to create a new application for your SonarQube SAML authentication.
**Step 2**: Create your **own application** and fill in the **name**.
Create a new Enterprise application for SonarQube when setting up SAML authentication in Azure.
## Link SonarQube with Azure AD
**Step 1**: Navigate to **Single sign-on** and select **SAML**.
Navigate to Single sign-on in Azure and select SAML to begin the authentication process.
**Step 2**: Edit the **Basic SAML Configuration** and fill in the **Identifier** and the **Reply URL** fields. The **Identifier** has to be the same as the **Application ID** in SonarQube. The **Reply URL** must have the format `/oauth2/callback/saml`. The **Reply URL** uses the **Server base URL** provided in SonarQube under **Administration** > **General**.
When setting up your SSO with SAML, edit the Basic SAML Configuration and fill in the Identifier and the Reply URL.
**Step 3**: Make sure that the **Application ID** in SonarQube has the same value as the **Identifier** in the Identity Provider.
Confirm that the Application ID in SonarQube has the same value as the Identifier in the Identity provider.
**Step 4**: In the Azure AD SAML configuration, navigate to **Set up** and copy the **Login URL** and **Azure AD Identifier**.
In the Azure AD SAML configuration, navigate to Set up and copy the Login URL and Azure AD Identifier.
**Step 5**: Paste the **Login URL** into the **SAML login url** and the **Azure AD Identifier** into the **Provider ID** field in the SonarQube SAML configuration.
Paste the Azure AD Identifier into the Provider ID field and the Login URL into the SAML login url into your SonarQube SAML configuration.
## Attributes and claims
**Step 1**: In the Azure AD SAML configuration, edit **Attributes & Claims** to view, edit or add attributes.
Edit Attributes & Claims to view, edit or add attributes when configuring SAML authentication in Azure.
SonarQube uses the following attributes:
* * **Login** (required) A unique name to identify the user in SonarQube. The default Azure AD attribute `emailaddress` is used in the example. You can also use the `objectID` attribute.
* **Name** (required) The full name of the user. The default Azure AD attribute `givenname` is used in the example.
* **Email** (optional) The email of the user.
* **Group** (optional) Supports mapping to group names in SonarQube. Group name passed by Azure AD and the group name in SonarQube should match. Otherwise, the default **sonar-users** group is assigned.
{% hint style="warning" %}
The **NameID** attribute is *not* used in SonarQube.
{% endhint %}
**Step 2**: Corresponding configuration in SonarQube. The namespace + name of the attribute should be used, as defined in Azure AD.
The corresponding configuration in SonarQube uses the Azure namespace + name of the attribute to be used.
## Certificates and signatures
**Step 1**: Navigate to **SAML Certificates** and download **Certificate (Base64)**.
Navigate to SAML Certificates and download Certificate (Base64).
**Step 2**: The certificate should be copied into the **Identity provider certificate** field in the SonarQube SAML configuration.
**Step 3** (Optional): Encryption for SonarQube requests can be activated by generating an asymmetric key pair. (For more information, see [SAML token encryption in Azure](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal)) Add the private key in SonarQube.
Copied the Service provider private key field value to add to your SonarQube SAML configuration.
Import the public key certificate (.cer) file in Azure AD and activate token encryption.
Import the public key certificate (.cer) file in Azure AD and activate token encryption for your SonarQube SAML authentication.
**Step 4** (Optional): Azure AD supports signed SAML requests from the Service Provider (under Preview). Edit the **Verification certificates**, upload a certificate, and enable the **Require verification certificates** option.
To edit the Verification certificates, upload a certificate and enable the Require verification certificates option.
In SonarQube, fill in the corresponding private key and the same certificate and enable the **Sign requests** option.
In SonarQube, fill in the corresponding private key and the same certificate and enable the Sign requests option.
## Users and groups
In the Azure AD SonarQube application, navigate to **Users and groups** and assign users or groups to the application.
Add SonarQube users and groups when setting up your SAML authentication in Azure.
## Enabling and testing SAML authentication
**Step 1**: Save the SAML configuration by clicking **Save configuration.**
**Step 2**: Before enabling SAML authentication on SonarQube, you can verify that the configuration is correct by clicking **Test Configuration**. This will initiate a SAML login and return useful information about the SAML response obtained from the identity provider.
**Step 3**: Click **Enable configuration**.
**Step 4**: In the login form, the new **Log in with Azure** button (or a custom name specified in the **Provider Name** field) allows users to connect with their SAML account.
## Group synchronization
Group synchronization between Azure AD and SonarQube can be achieved either by using the Azure AD roles or the Azure AD groups. For either case, the corresponding group name should exist in SonarQube under the **Provisioning** section of the **SAML configuration**. Group synchronization only works with the **Just-in-Time user and group provisioning (default)** option.
* For synchronization with the Azure AD groups, a group claim must be added with `sAMAccountName` as a source attribute.
{% hint style="warning" %}
According to Azure, this source attribute only works for groups synchronized from an on-premises Active Directory using AAD Connect Sync 1.2.70.0 or above.
{% endhint %}
Where to map your SAML groups in Azure before you can add a group claim.
Where to enter the key in SonarQube
* For mapping with the Azure AD app roles, an application role should be assigned to the user. Azure AD sends the role claim automatically with `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` as a key. Enter it as **SAML group attribute** in SonarQube.
## Enabling SCIM provisioning
Starting in [Enterprise Edition](https://www.sonarsource.com/plans-and-pricing/enterprise/), once you’ve set up Azure AD as your SAML identity provider, you can set up SCIM provisioning to automate user and group provisioning within Azure AD.
For more information, see [scim-provisioning-with-azure-ad](https://docs.sonarsource.com/sonarqube-server/10.5/instance-administration/authentication/saml/scim/scim-provisioning-with-azure-ad "mention").
## Troubleshooting
**Group limit for SAML tokens**
Azure SAML tokens have a limit regarding the number of groups a user can belong to (see the description of `groups` in the [Claims in SAML Token](https://learn.microsoft.com/en-us/entra/identity-platform/reference-saml-tokens#claims-in-saml-tokens) table). In such cases, you might need to reduce the number of groups the user is in.