This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.
Start Free

Setup of security features

To improve security, you can set up the encryption of SAML assertions sent by Ping Identity and the signing of SAML requests sent by SonarQube.

Once you have Setup in Ping Identity, you can set up the following security features:

  • The encryption of SAML assertions emitted by the Ping Identity provider for SonarQube.

  • The signing of the SAML requests from SonarQube to the Ping Identity provider.

Setting up the encryption of SAML assertions

To enable the encryption of SAML assertions, you need to provide two things:

  • Service provider private key: PKCS8-stored private key used for signing the requests and decrypting responses from the identity provider.

  • Service provider certificate: X.509 certificate for the service provider used for signing the requests.

Follow the steps below.

Step 1: Generate the private key and certificate

  1. On the machine running SonarQube server, open a command line.

  2. Generate a Certificate Signing Request (CSR) with a new private key and certificate request. Example: openssl req -sha256 -nodes -newkey rsa:2048 -keyout sonar.key -out sonar.csr where:

    • sonar.key is the name of the private key output.

    • sonar.csr is the name of the certificate request output.

  3. Press Enter. You will be presented with a series of prompts.

  4. Input Country, State, etc. Make sure that the server FQDN input matches your Server base URL.

  5. Convert the certificate request into PEM format. Example: openssl req -inform PEM -in sonar.csr -out sonar.pem where:

    • sonar.csr is the certificate request from the previous step.

    • sonar.pem is the name of the converted CSR output.

  6. Generate a self-signed certificate starting from an existing certificate as a CRT file. Example: openssl x509 -req -in sonar.pem -signkey sonar.key -out sonar.crt where:

    • sonar.pem is the CSR in PEM format from the previous step.

    • sonar.key is the private key from the previous step.

    • sonar.crt is the final self-signed certificate output.

  7. Convert the private key to PKCS#8 format using the following command: openssl pkcs8 -topk8 -in sonar.key -out pkcs8.key -nocrypt

Step 2: Configure the encryption in the Ping Identity provider

  1. In PingOne, retrieve the SAML application you created in Setup in Ping Identity (To do so, go to Applications > Applications and open the SAML application’s details page).

  2. Go to the Configuration tab.

  3. Select the pencil icon.

  4. In the Encryption section:

    • Select Enable Encryption.

    • In Algorithm, set AES_256.

    • In Certificate, upload the provider certificate file generated in step 1 above.

  5. Select Save.

Step 3: Configure the encryption in SonarQube

  1. Go to Administration > Configuration > General Settings > Authentication > SAML.

  2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.

  3. Copy the PKCS8 private key file contents.

  4. Paste it in Service provider private key.

  5. Copy the self-signed certificate contents.

  6. Paste it in Service provider certificate.

  7. Select Save configuration.

  8. Select Test Configuration.

Setting up the signing of SAML requests

You can set up the signing and verification of the SAML requests sent by SonarQube to the Ping Identity provider. To do so:

  1. Set up the encryption of SAML assertions as explained above.

  2. In SonarQube, do the following additional setting: In the SAML configuration, select the Sign requests option.

Related pages

PreviousSetup in SonarQubeNextWith SCIM provisioning

Last updated

Was this helpful?