Setup of security features

Once you have registered SonarQube Server in PingOne or PingFederate, you can set up the following security features:

• The signing of the SAML requests from SonarQube Server to the Ping Identity provider.

• The encryption of SAML assertions emitted by the Ping Identity provider for SonarQube Server.

To enable the signing of SAML requests and the encryption of SAML assertions, you need to provide two things (the same key pair is used for both security features) :

• Service provider private key: PKCS8-stored private key.

• Service provider certificate: X.509 certificate.

Step 1: Generate the private key and certificate

1. On the machine running SonarQube Server, open a command line.

2. Generate a Certificate Signing Request (CSR) with a new private key and certificate request. Example: openssl req -sha256 -nodes -newkey rsa:2048 -keyout sonar.key -out sonar.csr where:

   • sonar.key is the name of the private key output.

   • sonar.csr is the name of the certificate request output.

3. Press Enter. You will be presented with a series of prompts.

4. Input Country, State, etc. Make sure that the server FQDN input matches your SonarQube Server base URL, see Server base URL.

5. Convert the certificate request into PEM format. Example: openssl req -inform PEM -in sonar.csr -out sonar.pem where:

   • sonar.csr is the certificate request from the previous step.

   • sonar.pem is the name of the converted CSR output.

6. Generate a self-signed certificate starting from an existing certificate as a CRT file. Example: openssl x509 -req -in sonar.pem -signkey sonar.key -out sonar.crt where:

   • sonar.pem is the CSR in PEM format from the previous step.

   • sonar.key is the private key from a previous step.

   • sonar.crt is the final self-signed certificate output.

7. Convert the private key to PKCS#8 format using the following command: openssl pkcs8 -topk8 -in sonar.key -out pkcs8.key -nocrypt

Step 2: Configure the security feature(s) in the Ping Identity provider

1. In PingOne, retrieve the SAML application you created in Setup in Ping Identity. To do so, go to Applications > Applications and open the SAML application’s details page.

2. Go to the Configuration tab.

3. Select the pencil icon.

To enable the encryption of SAML assertions

1. In the Signing Key section, enforce the response signing. It means, select the Sign Response or Sign Assertion & Response option.

2. In the Encryption section:

   • Select Enable Encryption.

   • In Algorithm, set AES_256.

   • In Certificate, upload the provider certificate file generated in step 1 above.

3. Select Save.

To enable the signing verification

1. Select the Enforce Signed AuthRequest option.

2. In the Verification Certificate section, upload the provider certificate file generated in step 1 above.

3. Select Save.

Step 3: Configure the security feature(s) in SonarQube Server

To configure the resquest signing and/or the assertion decryption in SonarQube Server:

1. Go to Administration > Configuration > General Settings > Authentication > SAML.

2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.

3. Copy the PKCS8 private key file contents.

4. Paste it in Service provider private key.

5. Copy the self-signed certificate contents.

6. Paste it in Service provider certificate.

7. To enable the signing of the SAML requests, select in addition the Sign requests option.

8. Select Save configuration.

9. Select Test Configuration.

Related pages

• Overview of SAML support

• Setup in Ping Identity

• Setup in SonarQube Server