# Setup of security features

Once you have [setup-in-ping-identity](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity "mention"), you can set up the following security features:

* The encryption of SAML assertions emitted by the Ping Identity provider for SonarQube.
* The signing of the SAML requests from SonarQube to the Ping Identity provider.

## Setting up the encryption of SAML assertions <a href="#encryption" id="encryption"></a>

To enable the encryption of SAML assertions, you need to provide two things:

* Service provider private key: an unencrypted, PKCS#8-formatted private key that SonarQube uses to decrypt the assertions it receives from the identity provider and, if request signing is enabled, to sign the requests it sends.
* Service provider certificate: the X.509 certificate that matches that private key. You upload it to the identity provider, which uses the public key it contains to encrypt assertions for SonarQube and to verify the signature on signed requests.

Follow the steps below.

<details>

<summary>Step 1: Generate the private key and certificate</summary>

1. On the machine running SonarQube server, open a command line.
2. Generate a new private key together with a Certificate Signing Request (CSR).\
   Example:\
   `openssl req -sha256 -nodes -newkey rsa:2048 -keyout sonar.key -out sonar.csr`\
   where:
   * `sonar.key` is the name of the private key output. `-nodes` leaves the key unencrypted, which the PKCS#8 conversion in the last step expects; restrict the file's permissions to the SonarQube service account.
   * `sonar.csr` is the name of the certificate request output.
3. Press **Enter**. You will be presented with a series of prompts.
4. Input Country, State, etc. At the **Common Name** prompt, enter the FQDN of your SonarQube server; it must match the host in your [server-base-url](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/server-base-url "mention").
5. Convert the certificate request into PEM format.\
   Example:\
   `openssl req -inform PEM -in sonar.csr -out sonar.pem`\
   where:
   * `sonar.csr` is the certificate request from the previous step.
   * `sonar.pem` is the name of the converted CSR output. `openssl req` already writes the CSR in PEM, so this step only re-encodes it; you can also pass `sonar.csr` directly to the next command.
6. Generate a self-signed certificate from the CSR, signing it with the private key, and save it as a CRT file.\
   Example:\
   `openssl x509 -req -days 365 -in sonar.pem -signkey sonar.key -out sonar.crt`\
   where:
   * `sonar.pem` is the CSR in PEM format from the previous step.
   * `sonar.key` is the private key from the previous step.
   * `sonar.crt` is the final self-signed certificate output.
   * `-days` sets the validity period. Without it, `openssl x509` defaults to 30 days, so choose a value that matches how often you intend to rotate the certificate in both PingOne and SonarQube.
7. Convert the private key to PKCS#8 format using the following command:\
   `openssl pkcs8 -topk8 -in sonar.key -out pkcs8.key -nocrypt`\
   where `pkcs8.key` is the unencrypted PKCS#8 file whose contents you will paste into SonarQube in step 3.

</details>
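The key-generation procedure from Step 1, collected into a non-interactive script with a check that the pieces fit together. This is an added example, not from the SonarQube documentation or from SonarSource: it assumes `openssl` is on the PATH, and `gen_sp_keypair` and `verify_sp_keypair` are hypothetical helper names that take the output directory and the SonarQube FQDN from the caller. It goes beyond the page by verifying, before anything is pasted into SonarQube or uploaded to PingOne, that the PKCS#8 key and the certificate carry the same public key and that the certificate's Common Name equals the FQDN.

```shell
#!/bin/sh
# Added example (not SonarQube's own tooling): generate the SAML service-provider
# key material non-interactively and verify that the pieces belong together.
# Assumptions: openssl is on PATH; DIR and FQDN are supplied by the caller.

set -eu

# gen_sp_keypair DIR FQDN
#   Writes DIR/sonar.key (unencrypted RSA key), DIR/sonar.csr, DIR/sonar.crt
#   (self-signed, 365 days) and DIR/pkcs8.key (unencrypted PKCS#8 for SonarQube).
gen_sp_keypair() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    # -subj replaces the interactive prompts; the CN must be the SonarQube host
    openssl req -sha256 -nodes -newkey rsa:2048 \
        -subj "/CN=$fqdn" \
        -keyout "$dir/sonar.key" -out "$dir/sonar.csr" 2>/dev/null
    # openssl x509 -req defaults to a 30-day validity, so set -days explicitly
    openssl x509 -req -days 365 -sha256 \
        -in "$dir/sonar.csr" -signkey "$dir/sonar.key" \
        -out "$dir/sonar.crt" 2>/dev/null
    # SonarQube expects the private key as PKCS#8 PEM; -nocrypt keeps it unencrypted
    openssl pkcs8 -topk8 -nocrypt -in "$dir/sonar.key" -out "$dir/pkcs8.key"
    # Private keys are readable by the owner only
    chmod 600 "$dir/sonar.key" "$dir/pkcs8.key"
}

# verify_sp_keypair DIR FQDN
#   Returns 0 when pkcs8.key matches sonar.crt and the certificate CN equals FQDN.
verify_sp_keypair() {
    dir=$1
    fqdn=$2
    # The public key derived from the private key must equal the one in the cert
    key_pub=$(openssl pkey -in "$dir/pkcs8.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$dir/sonar.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "key and certificate do not match" >&2; return 1; }
    # The PKCS#8 file must carry the header SonarQube expects (not "RSA PRIVATE KEY"
    # and not "ENCRYPTED PRIVATE KEY")
    head -n 1 "$dir/pkcs8.key" | grep -q '^-----BEGIN PRIVATE KEY-----$' \
        || { echo "pkcs8.key is not an unencrypted PKCS#8 PEM" >&2; return 1; }
    # The subject CN must be the SonarQube host (format differs across openssl versions)
    subject=$(openssl x509 -in "$dir/sonar.crt" -noout -subject)
    case "$subject" in
        *"CN = $fqdn"*|*"CN=$fqdn"*) ;;
        *) echo "certificate CN does not match $fqdn: $subject" >&2; return 1 ;;
    esac
    return 0
}
```

Run `gen_sp_keypair /etc/sonarqube/saml sonarqube.example.com` on the SonarQube host, then `verify_sp_keypair` with the same arguments; a non-zero exit with a message on stderr means the files should not be used. `pkcs8.key` is what goes into **Service provider private key** and `sonar.crt` is what goes into **Service provider certificate** and into PingOne.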

<details>

<summary>Step 2: Configure the encryption in the Ping Identity provider</summary>

1. In PingOne, retrieve the SAML application you created in [setup-in-ping-identity](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity "mention") (To do so, go to **Applications > Applications** and open the SAML application’s details page).
2. Go to the **Configuration** tab.
3. Select the pencil icon.
4. In the **Encryption** section:
   * Select **Enable Encryption**.
   * In **Algorithm**, set **AES\_256**.
   * In **Certificate**, upload the service provider certificate file (`sonar.crt`) generated in step 1 above.
5. Select **Save**.

![](https://3272878703-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FI10pmJWeVVXYITlQJllp%2Fuploads%2Fgit-blob-fe24e01493e6ea2d03ed11fd3e42885e95f0525d%2Fb5c672264d0f003758e5d11cecb0b5a55b9d22cc.png?alt=media)

</details>

<details>

<summary>Step 3: Configure the encryption in SonarQube</summary>

1. Go to **Administration > Configuration > General Settings > Authentication > SAML**.
2. In **SAML Configuration > SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
3. Copy the contents of the PKCS#8 private key file (`pkcs8.key`), including the `-----BEGIN PRIVATE KEY-----` and `-----END PRIVATE KEY-----` lines.
4. Paste it in **Service provider private key.**
5. Copy the contents of the self-signed certificate (`sonar.crt`), including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.
6. Paste it in **Service provider certificate.**
7. Select **Save configuration**.
8. Select **Test Configuration**.

</details>

## Setting up the signing of SAML requests <a href="#signature" id="signature"></a>

You can configure SonarQube to sign the SAML requests it sends to the Ping Identity provider, so that the provider can verify that each request genuinely originates from your SonarQube instance. Signing uses the same service provider private key and certificate as assertion encryption. To do so:

1. Set up the encryption of SAML assertions as explained above.
2. In SonarQube, in the same **Edit SAML configuration** dialog, select the **Sign requests** option and save the configuration.

## Related pages <a href="#related-pages" id="related-pages"></a>

* [overview](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/overview "mention")
* [setup-in-ping-identity](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity "mention")
* [setup-in-sq](https://docs.sonarsource.com/sonarqube-server/10.7/instance-administration/authentication/saml/ping-identity/setup-in-sq "mention")
