How to setup Azure AD

The following content may be useful if you’re using Azure AD as a SAML Identity Provider.

To integrate Azure AD (Identity Provider) with SonarQube (Service Provider), both sides need to be configured.

For SonarQube, navigate to Administration > Authentication > SAML. For Azure AD, login to Azure and navigate to Azure AD.

Set up the SonarQube application in Azure AD

Step 1: In Azure AD, navigate to Enterprise applications and add a New Application.

The Azure navigation path to create a new application for your SonarQube SAML authentication.

Step 2: Create your own application and fill in the name.

Create a new Enterprise application for SonarQube when setting up SAML authentication in Azure.

Link SonarQube with Azure AD

Step 1: Navigate to Single sign-on and select SAML.

Navigate to Single sign-on in Azure and select SAML to begin the authentication process.

Step 2: Edit the Basic SAML Configuration and fill in the Identifier and the Reply URL fields. The Identifier has to be the same as the Application ID in SonarQube. The Reply URL must have the format <Your SonarQube URL>/oauth2/callback/saml. The Reply URL uses the Server base URL provided in SonarQube under Administration > General.

When setting up your SSO with SAML, edit the Basic SAML Configuration and fill in the Identifier and the Reply URL.

Step 3: Make sure that the Application ID in SonarQube has the same value as the Identifier in the Identity Provider.

Confirm that the Application ID in SonarQube has the same value as the Identifier in the Identity provider.

Step 4: In the Azure AD SAML configuration, navigate to Set up and copy the Login URL and Azure AD Identifier.

In the Azure AD SAML configuration, navigate to Set up and copy the Login URL and Azure AD Identifier.

Step 5: Paste the Login URL into the SAML login url and the Azure AD Identifier into the Provider ID field in the SonarQube SAML configuration.

Paste the Azure AD Identifier into the Provider ID field and the Login URL into the SAML login url into your SonarQube SAML configuration.

Attributes and claims

Step 1: In the Azure AD SAML configuration, edit Attributes & Claims to view, edit or add attributes.

Edit Attributes & Claims to view, edit or add attributes when configuring SAML authentication in Azure.

SonarQube uses the following attributes:

• • Login (required) A unique name to identify the user in SonarQube. The default Azure AD attribute emailaddress is used in the example.

  • Name (required) The full name of the user. The default Azure AD attribute givenname is used in the example.

  • Email (optional) The email of the user.

  • Group (optional) Supports mapping to group names in SonarQube. Group name passed by Azure AD and the group name in SonarQube should match. Otherwise, the default sonar-users group is assigned.

Step 2: Corresponding configuration in SonarQube. The namespace + name of the attribute should be used, as defined in Azure AD.

The corresponding configuration in SonarQube uses the Azure namespace + name of the attribute to be used.

Certificates and signatures

Step 1: Navigate to SAML Certificates and download Certificate (Base64).

Navigate to SAML Certificates and download Certificate (Base64).

Step 2: The certificate should be copied into the Identity provider certificate field in the SonarQube SAML configuration.

Step 3 (Optional): Encryption for SonarQube requests can be activated by generating an asymmetric key pair. (For more information, see SAML token encryption in Azure) Add the private key in SonarQube.

Copied the Service provider private key field value to add to your SonarQube SAML configuration.

Import the public key certificate (.cer) file in Azure AD and activate token encryption.

Import the public key certificate (.cer) file in Azure AD and activate token encryption for your SonarQube SAML authentication.

Step 4 (Optional): Azure AD supports signed SAML requests from the Service Provider (under Preview). Edit the Verification certificates, upload a certificate, and enable the Require verification certificates option.

To edit the Verification certificates, upload a certificate and enable the Require verification certificates option.

In SonarQube, fill in the corresponding private key and the same certificate and enable the Sign requests option.

In SonarQube, fill in the corresponding private key and the same certificate and enable the Sign requests option.

Users and groups

Step 1: In the Azure AD SonarQube application, navigate to Users and groups and assign users or groups to the application.

Add SonarQube users and groups when setting up your SAML authentication in Azure.

Group mapping

Group mapping between Azure AD and SonarQube can be achieved either by using the Azure AD roles or the Azure AD groups. For either case, the corresponding group name should exist in SonarQube under Administration > Security > Groups. (For more information, see Security)

• For mapping with the Azure AD groups, a group claim must be added with sAMAccountName as a source attribute.

Where to map your SAML groups in Azure before you can add a group claim.

The attribute used to define your user group in SAML.

• For mapping with the Azure AD app roles, an application role should be assigned to the user. Azure AD sends the role claim automatically with http://schemas.microsoft.com/ws/2008/06/identity/claims/role as a key.

The attribute used to define your user group role in SAML.

Enabling and testing SAML authentication

Step 1: In the SonarQube SAML settings, enable SAML.

Where to enable SAML for Azure from the SonarQube SAML settings.

Step 2: In the login form, the new button Log in with SAML (or a custom name specified in the sonar.auth.saml.providerName setting) allows users to connect with their SAML account.

Log in to SonarQube with your SAML authentication.

Before enabling the SAML authentication on SonarQube, you can verify that the configuration is correct by clicking on Test Configuration. A SAML login will be initiated and useful information about the SAML response obtained from the Identity provider will be returned.