# Setup of security features

Once you have [Setup in Ping Identity](/sonarqube-server/10.8/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity.md), you can set up the following security features:

* The encryption of SAML assertions emitted by the Ping Identity provider for in SonarQube Server.
* The signing of the SAML requests from SonarQube Server to the Ping Identity provider.

## Setting up the encryption of SAML assertions <a href="#encryption" id="encryption"></a>

To enable the encryption of SAML assertions, you need to provide two things:

* Service provider private key: PKCS8-stored private key used for signing the requests and decrypting responses from the identity provider.
* Service provider certificate: X.509 certificate for the service provider used for signing the requests.

Follow the steps below.

<details>

<summary>Step 1: Generate the private key and certificate</summary>

1. On the machine running SonarQube Server, open a command line.
2. Generate a Certificate Signing Request (CSR) with a new private key and certificate request.\
   Example:\
   `openssl req -sha256 -nodes -newkey rsa:2048 -keyout sonar.key -out sonar.csr`\
   where:
   * `sonar.key` is the name of the private key output.
   * `sonar.csr` is the name of the certificate request output.
3. Press **Enter**. You will be presented with a series of prompts.
4. Input Country, State, etc. Make sure that the server FQDN input matches your [Server base URL](/sonarqube-server/10.8/instance-administration/server-base-url.md).
5. Convert the certificate request into PEM format.\
   Example:\
   `openssl req -inform PEM -in sonar.csr -out sonar.pem`\
   where:
   * `sonar.csr` is the certificate request from the previous step.
   * `sonar.pem` is the name of the converted CSR output.
6. Generate a self-signed certificate starting from an existing certificate as a CRT file.\
   Example:\
   `openssl x509 -req -in sonar.pem -signkey sonar.key -out sonar.crt`\
   where:
   * `sonar.pem` is the CSR in PEM format from the previous step.
   * `sonar.key` is the private key from a previous step.
   * `sonar.crt` is the final self-signed certificate output.
7. Convert the private key to PKCS#8 format using the following command:\
   `openssl pkcs8 -topk8 -in sonar.key -out pkcs8.key -nocrypt`

</details>

<details>

<summary>Step 2: Configure the encryption in the Ping Identity provider</summary>

1. In PingOne, retrieve the SAML application you created in [Setup in Ping Identity](/sonarqube-server/10.8/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity.md) (To do so, go to **Applications > Applications** and open the SAML application’s details page).
2. Go to the **Configuration** tab.
3. Select the pencil icon.
4. In the **Encryption** section:
   * Select **Enable Encryption**.
   * In **Algorithm**, set **AES\_256**.
   * In **Certificate**, upload the provider certificate file generated in step 1 above.
5. Select **Save**.

![](/files/tV0ojEOotQPEJ7vGPVO9)

</details>

<details>

<summary>Step 3: Configure the encryption in SonarQube Server</summary>

1. Go to **Administration > Configuration > General Settings > Authentication > SAML**.
2. In **SAML Configuration > SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
3. Copy the PKCS8 private key file contents.
4. Paste it in **Service provider private key.**
5. Copy the self-signed certificate contents.
6. Paste it in **Service provider certificate.**
7. Select **Save configuration**.
8. Select **Test Configuration**.

</details>

## Setting up the signing of SAML requests <a href="#signature" id="signature"></a>

You can set up the signing and verification of the SAML requests sent by SonarQube Server to the Ping Identity provider. To do so:

1. Set up the encryption of SAML assertions as explained above.
2. In SonarQube Server, do the following additional setting: In the SAML configuration, select the **Sign requests** option.

## Related pages <a href="#related-pages" id="related-pages"></a>

* [Overview](/sonarqube-server/10.8/instance-administration/authentication/saml/overview.md)
* [Setup in Ping Identity](/sonarqube-server/10.8/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity.md)
* [Setup in SonarQube Server](/sonarqube-server/10.8/instance-administration/authentication/saml/ping-identity/setup-in-sq.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/ping-identity/optional-security-features.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.