# Setup of security features

Once you have completed the [setup-in-entra-id](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/ms-entra-id/setup-in-entra-id "mention") procedure, you can set up the following security features:

* The encryption of SAML assertions emitted by Microsoft Entra ID for SonarQube.
* The signing of the SAML requests from SonarQube to Entra ID.

## Setting up the encryption of SAML assertions <a href="#encryption" id="encryption"></a>

You can set up the encryption of the SAML assertions Microsoft Entra ID emits for SonarQube. For more information, see [SAML token encryption in Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal).

{% hint style="info" %}
The same key pair is used for both security features (encryption and signing).
{% endhint %}

Proceed as follows:

1. If not already done, generate the asymmetric key pair to use for encryption (private key in PKCS#8 format). The public key should be stored in an X.509 certificate file in `.cer` format. You can copy the contents of the certificate file to a text editor and save it as a `.cer` file. The certificate file should contain only the public key, not the private key.
2. Add the private key in SonarQube:
   * Go to **Administration > Configuration > General Settings > Authentication > SAML**.
   * In **SAML Configuration > SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
   * Copy the private key value to **Service provider private key**.
3. Add the certificate to the SonarQube application in Microsoft Entra ID:
   * Go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the SonarQube application.
   * On the application’s page, select **Token encryption**.
   * On the Token encryption page, select **Import Certificate** to import the `.cer` file that contains your public X.509 certificate.
   * Once the certificate is imported, activate encryption by selecting the three dots next to the thumbprint status and then selecting **Activate token encryption**.

![](https://3272878703-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FI10pmJWeVVXYITlQJllp%2Fuploads%2Fgit-blob-e17b624741f5ea7e19e25cd311c26535326733a5%2Fd1e684b73b7ee40f630538479f191cb570996161.png?alt=media)

   * Select **Yes** to confirm activation of the token encryption certificate.
   * Confirm that the SAML assertions emitted for the application are encrypted.

## Setting up the signing of SAML requests <a href="#signature" id="signature"></a>

You can set up the signing and verification of the SAML requests sent by SonarQube to Entra ID. For more information, see [Enforce signed SAML authentication requests](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-enforce-signed-saml-authentication).

{% hint style="info" %}
The same key pair is used for both security features (encryption and signing).
{% endhint %}

Proceed as follows:

1. If not already done, generate the asymmetric key pair to use for signing (private key in PKCS#8 format). The public key should be stored in an X.509 certificate file in `.cer` format. You can copy the contents of the certificate file to a text editor and save it as a `.cer` file. The certificate file should contain only the public key, not the private key.
2. Set up the signing in SonarQube:
   * Go to **Administration > Configuration > General Settings > Authentication > SAML**.
   * In **SAML Configuration > SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
   * Enable the **Sign requests** option.
   * In **Service provider private key**, enter the private key value.
   * In **Service provider certificate**, enter the certificate.
3. Set up the signature verification in Microsoft Entra ID:
   * Go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the SonarQube application.
   * On the application’s page, select **Single sign-on**.
   * In **SAML Certificates > Verification certificates**, select **Edit**.
   * Select **Require verification certificates**.
   * Upload the public key certificate.
   * Save. The **Verification certificates** section shows **1** active certificate.

![](https://3272878703-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FI10pmJWeVVXYITlQJllp%2Fuploads%2Fgit-blob-33e3f1009fc57da6b9fd15979ebbce8f89c35f89%2F880f09a0daf0c0bee87167f64bcfa388c21e2dcd.png?alt=media)
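Step 1 of both procedures above (encryption and signing) asks for the same artefacts: a private key in PKCS#8 format for the **Service provider private key** field, and a `.cer` file holding only the public X.509 certificate for Entra ID. The following script is an added example, not part of the SonarSource documentation or the SonarQube product; it uses OpenSSL to generate that key pair and then checks the files before you paste them. The output directory, the certificate subject name, the key size and the validity period are assumptions chosen for the example and can be replaced with your own values.

```shell
#!/bin/sh
# Added example (not SonarSource documentation code): generate the service
# provider key pair for SAML encryption/signing with OpenSSL.
# Assumptions: openssl is installed; OUT_DIR, SUBJECT, key size and validity
# below are placeholders for this example, not values from the documentation.

OUT_DIR="${OUT_DIR:-./sonarqube-saml-keys}"   # assumed output location
SUBJECT="/CN=sonarqube-saml-sp"                 # assumed certificate subject

# Generate an RSA private key directly in PKCS#8 PEM form (the header reads
# "BEGIN PRIVATE KEY", not "BEGIN RSA PRIVATE KEY") and a self-signed X.509
# certificate that carries only the public key. The certificate is written
# as PEM with a .cer extension, which is what Entra ID expects.
generate_sp_keypair() {
    mkdir -p "$OUT_DIR" || return 1
    # openssl genpkey writes PKCS#8 for RSA keys; 2048 bits keeps the example
    # fast, a larger size is equally valid here
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$OUT_DIR/sp-private-key.pem" 2>/dev/null || return 1
    chmod 600 "$OUT_DIR/sp-private-key.pem"
    # Self-signed certificate, assumed 730-day validity
    openssl req -new -x509 -key "$OUT_DIR/sp-private-key.pem" \
        -subj "$SUBJECT" -days 730 \
        -out "$OUT_DIR/sp-certificate.cer" 2>/dev/null || return 1
}

# Check the artefacts before pasting them anywhere: the key must be PKCS#8,
# the .cer file must contain a certificate and no private key material, and
# the certificate's public key must belong to the generated private key.
check_sp_artifacts() {
    key="$OUT_DIR/sp-private-key.pem"
    cer="$OUT_DIR/sp-certificate.cer"
    grep -q '^-----BEGIN PRIVATE KEY-----' "$key" \
        || { echo "private key is not in PKCS#8 PEM form" >&2; return 1; }
    grep -q '^-----BEGIN CERTIFICATE-----' "$cer" \
        || { echo "no certificate found in $cer" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$cer"; then
        echo "$cer contains private key material; do not upload it" >&2
        return 1
    fi
    # Compare the public key derived from the private key with the one in the
    # certificate; both are emitted as PEM so their digests must match
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    cer_pub=$(openssl x509 -in "$cer" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cer_pub" ] \
        || { echo "certificate public key does not match the private key" >&2; return 1; }
    echo "ok: $key (PKCS#8 private key), $cer (public certificate only)"
}

# Usage: generate, then verify. Paste the key file content into
# "Service provider private key" and the .cer content into
# "Service provider certificate" (SonarQube) and the Entra ID upload dialogs.
generate_sp_keypair && check_sp_artifacts
```

The check function is the part worth keeping around: the `.cer` file is uploaded to Entra ID, so confirming that it carries no `PRIVATE KEY` block before the upload guards against the most common mistake in this procedure, and the public-key comparison catches a certificate that was generated from a different key than the one pasted into SonarQube.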

## Related pages <a href="#related-pages" id="related-pages"></a>

* [overview](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/overview "mention")
* [setup-in-entra-id](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/ms-entra-id/setup-in-entra-id "mention")
* [setup-in-sq](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/ms-entra-id/setup-in-sq "mention")
* [scim-provisioning-with-azure-ad](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/scim/scim-provisioning-with-azure-ad "mention")
