# Setup of security features

Once you have registered SonarQube Server in PingOne or PingFederate, you can set up the following security features:

* The encryption of the SAML assertions that the Ping Identity provider emits for SonarQube Server.
* The signing of the SAML requests from SonarQube Server to the Ping Identity provider.

To enable the encryption or signing of SAML assertions, you need to provide two things (the same key pair is used for both security features):

* Service provider private key: PKCS8-stored private key.
* Service provider certificate: X.509 certificate.

## Step 1: Generate the private key and certificate <a href="#generate-private-key" id="generate-private-key"></a>

1. On the machine running SonarQube Server, open a command line.
2. Generate a new private key together with a Certificate Signing Request (CSR).\
   Example:\
   `openssl req -sha256 -nodes -newkey rsa:2048 -keyout sonar.key -out sonar.csr`\
   where:
   * `sonar.key` is the name of the private key output.
   * `sonar.csr` is the name of the certificate request output.
3. Press **Enter**. You will be presented with a series of prompts.
4. Input Country, State, etc. Make sure that the server FQDN input matches your SonarQube Server base URL, see [server-base-url](https://docs.sonarsource.com/sonarqube-server/2025.2/instance-administration/server-base-url "mention").
5. Convert the certificate request into PEM format.\
   Example:\
   `openssl req -inform PEM -in sonar.csr -out sonar.pem`\
   where:
   * `sonar.csr` is the certificate request from the previous step.
   * `sonar.pem` is the name of the converted CSR output.
6. Generate a self-signed certificate, as a CRT file, from the certificate request and the private key.\
   Example:\
   `openssl x509 -req -in sonar.pem -signkey sonar.key -out sonar.crt`\
   where:
   * `sonar.pem` is the CSR in PEM format from the previous step.
   * `sonar.key` is the private key from a previous step.
   * `sonar.crt` is the final self-signed certificate output.
7. Convert the private key to PKCS#8 format using the following command:\
   `openssl pkcs8 -topk8 -in sonar.key -out pkcs8.key -nocrypt`
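
The whole of Step 1 as a non-interactive script, followed by the checks a practitioner would run before pasting the files into SonarQube Server: that the PKCS#8 key and the self-signed certificate belong together, that the certificate CN is the server host name, and that the key file is in the unencrypted PKCS#8 form. This is an added example, not part of the SonarQube Server documentation; the FQDN, the placeholder subject fields and the 365-day certificate lifetime are assumptions.

```shell
#!/bin/sh
# Added example (not from the SonarQube Server docs): Step 1 run non-interactively,
# plus checks on the output files. Assumptions: a scratch directory, the FQDN
# passed in, the placeholder subject fields, and a 365-day certificate lifetime
# (the docs' command relies on openssl's 30-day default).
set -eu

# Runs the Step 1 commands in directory $1 for the SonarQube Server host name $2.
# -subj replaces the interactive prompts; CN must be the host of the base URL.
generate_sp_material() {
    dir=$1; fqdn=$2
    openssl req -sha256 -nodes -newkey rsa:2048 \
        -keyout "$dir/sonar.key" -out "$dir/sonar.csr" \
        -subj "/C=XX/ST=State/L=City/O=Example/CN=$fqdn"
    openssl req -inform PEM -in "$dir/sonar.csr" -out "$dir/sonar.pem"
    openssl x509 -req -days 365 -in "$dir/sonar.pem" \
        -signkey "$dir/sonar.key" -out "$dir/sonar.crt"
    openssl pkcs8 -topk8 -nocrypt -in "$dir/sonar.key" -out "$dir/pkcs8.key"
}

# Succeeds only if the public key inside certificate $2 is the one derived from
# private key $1. A mismatch means the IdP would encrypt assertions that
# SonarQube Server cannot decrypt, or reject its request signatures.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the certificate's subject CN, to compare against the server base URL.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeeds if $1 is an unencrypted PKCS#8 PEM file, the form the
# "Service provider private key" field expects.
is_pkcs8_unencrypted() {
    head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# Usage: sh gen-sp-material.sh run sonar.example.com
if [ "${1:-}" = "run" ]; then
    out=$(mktemp -d)
    generate_sp_material "$out" "${2:-sonar.example.com}"
    key_matches_cert "$out/pkcs8.key" "$out/sonar.crt"
    echo "CN=$(cert_cn "$out/sonar.crt"); files written to $out"
fi
```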

## Step 2: Configure the security feature(s) in the Ping Identity provider <a href="#configure-in-pid" id="configure-in-pid"></a>

1. In PingOne, retrieve the SAML application you created in [setup-in-ping-identity](https://docs.sonarsource.com/sonarqube-server/2025.2/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity "mention"). To do so, go to **Applications > Applications** and open the SAML application’s details page.
2. Go to the **Configuration** tab.
3. Select the pencil icon.

<details>

<summary>To enable the encryption of SAML assertions</summary>

1. In the **Signing Key** section, enforce response signing, that is, select the **Sign Response** or **Sign Assertion & Response** option.
2. In the **Encryption** section:
   * Select **Enable Encryption**.
   * In **Algorithm**, set **AES\_256**.
   * In **Certificate**, upload the provider certificate file generated in step 1 above.
3. Select **Save**.

![](https://3577027091-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F69lEOGGgOhCpumODGD9v%2Fuploads%2Fgit-blob-fd8b58215b40ab6ef27d0f3ca8b5d31f01b756fb%2Fe6a13944bfb980eb5eaa8c8cda4ccd429ea3a9f2.png?alt=media)

</details>

<details>

<summary>To enable the signing verification</summary>

1. Select the **Enforce Signed AuthRequest** option.
2. In the **Verification Certificate** section, upload the provider certificate file generated in step 1 above.
3. Select **Save**.

![](https://3577027091-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F69lEOGGgOhCpumODGD9v%2Fuploads%2Fgit-blob-decc1c11c8d9d2474ffc572bd3732d0c048fbfc0%2F652e9ee7de9f1d83d573fcd7a90dc11846b6b504.png?alt=media)

</details>

## Step 3: Configure the security feature(s) in SonarQube Server <a href="#configure-in-sq" id="configure-in-sq"></a>

To configure the request signing and/or the assertion decryption in SonarQube Server:

1. Go to **Administration > Configuration > General Settings > Authentication > SAML**.
2. In **SAML Configuration > SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
3. Copy the PKCS8 private key file contents.
4. Paste it in **Service provider private key**.
5. Copy the self-signed certificate contents.
6. Paste it in **Service provider certificate**.
7. To enable the signing of the SAML requests, also select the **Sign requests** option.
8. Select **Save configuration**.
9. Select **Test Configuration**.

## Related pages <a href="#related-pages" id="related-pages"></a>

* [overview](https://docs.sonarsource.com/sonarqube-server/2025.2/instance-administration/authentication/saml/overview "mention")
* [setup-in-ping-identity](https://docs.sonarsource.com/sonarqube-server/2025.2/instance-administration/authentication/saml/ping-identity/setup-in-ping-identity "mention")
* [setup-in-sq](https://docs.sonarsource.com/sonarqube-server/2025.2/instance-administration/authentication/saml/ping-identity/setup-in-sq "mention")
