With Keycloak
Setting up SAML authentication with Keycloak in your SonarQube Server instance.
To integrate Keycloak (the identity provider) with SonarQube Server (the service provider), both sides need to be configured, first in Keycloak, then in SonarQube Server. In addition, you may want to set up security features.
Set up Keycloak
Prerequisites
You have created in Keycloak a realm that you want to use with SonarQube.
The SonarQube Server URL is correctly set in SonarQube Server. See Server base URL.
Create a new SAML client
Sign in to your Keycloak administration console.
Select the realm to be used to interact with SonarQube.
In the left navigation panel, select Clients.

Note: The current realm must be the realm you want to use to interact with SonarQube.
Select the Create client button.

In General settings, set the following parameters and click Next.
Client type: SAML
Client ID: Identifier of the SonarQube application in Keycloak. Any name can be used but it must not contain whitespace, e.g. sonarqube.
In Login settings, set the following parameter:
Valid redirect URIs: Must be in the format:
<SonarQubeBaseURL>/oauth2/callback/saml
Example: https://sonarqube.mycompany.com/oauth2/callback/saml
Select Save. The client is created.
The client signature is enabled by default. Disable this setting if you are not using advanced security features (see Set up security features below): In the Keys tab of the SAML client used for SonarQube, disable Client signature required.
Set up mappers
In the left navigation panel, select the Clients menu. Then select the client you created earlier.
Select Client scopes, then <nameOfYourClient>-dedicated.
Create the mappers described below. To create a mapper, select Configure a new mapper or Add mapper > By configuration.
Login mapper (mandatory)
Mapper type: User Property
Name: Login
Property: username
Note: This value should not contain any special characters other than ., -, _, and @, to meet SonarQube restrictions.
SAML Attribute Name: login

Name mapper (mandatory)
Mapper type: User Property
Name: Name
Property: username (or another attribute that you previously specified for the users)
SAML Attribute Name: name

Email mapper (optional)
Mapper type: User Property
Name: Email
Property: email
SAML Attribute Name: email
If you use Just-in-Time provisioning with the group synchronization feature:
Verify the user groups in SonarQube Server. For more information, see Just-in-Time provisioning.
Select Add mapper > By Configuration and add a groups mapper by using one of the two options described below.
If you rely on a list of groups defined in Groups:
Mapper type: Group list
Name: Groups
Group attribute name: groups
Single Group Attribute: ON
Full group path: OFF

If you rely on a list of roles defined in Roles of the realm (not in Roles of the client):
Mapper type: Role list
Name: Groups
Role attribute name: groups
Single Role Attribute: ON
Full group path: n/a
Set up SonarQube Server
Open the IdP metadata file from Keycloak
Sign in to your Keycloak administration console.
Select the realm you use to interact with SonarQube.
In the left navigation panel, select Realm settings.
At the bottom of the General tab, you should see a SAML 2.0 Identity Provider Metadata endpoint. Select the link to open a new tab with the metadata or right-click to download it.
Configure SonarQube Server
In your SonarQube Server instance, go to Administration > Configuration > General Settings > Authentication > SAML.
Select Create Configuration.
Fill in the fields as explained in the table below.
Application ID
The value of the Client ID you set in Keycloak.
Example: sonarqube
Provider name
Name of the Identity Provider displayed on the SonarQube Server login page when SAML authentication is active.
Provider ID
The value of the EntityDescriptor > entityID attribute in the IdP metadata file. This can be found in Keycloak in Your realm > Realm settings > General > SAML 2.0 Identity Provider Metadata.
Example: http://keycloak:8080/realms/sonarqube
SAML login URL
The value of SingleSignOnService > Location attribute in the IdP metadata file. This can be found in Keycloak in Your realm > Realm settings > General > SAML 2.0 Identity Provider Metadata.
Example: http://<KeycloakBaseUrl>/realms/SonarQube2025/protocol/saml
Identity provider certificate
Copy-paste the realm’s certificate. It can be found in Keycloak:
In Your realm > Realm settings > General > SAML 2.0 Identity Provider Metadata.
or in Your realm > Realm Settings > Keys > RS256 and select Certificate.
SAML user login attribute
The SAML attribute name configured for the login attribute.
Example: login
SAML user name attribute
The SAML attribute name configured for the name attribute.
Example: name
SAML user email attribute
Optional. The SAML attribute name configured for the email attribute.
Example: email
SAML group attribute
Optional. The SAML attribute name configured for the groups attribute if you use the Just-in-Time provisioning group synchronization feature. For more information, see Just-in-Time provisioning.
Example: groups
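The Provider ID, SAML login URL and Identity provider certificate in the table above all come out of the same IdP metadata file. The shell script below is an added example, not part of the SonarQube documentation or of Keycloak: it pulls those three values out of a saved metadata file so they can be pasted into the SonarQube form, and runs the pasted certificate through openssl to confirm it parses and is not about to expire (the realm's signing certificate has to be replaced in SonarQube whenever Keycloak rotates its key, and an expired one fails every login). The function names, the constructed sample metadata (a throwaway self-signed certificate wrapped in a minimal EntityDescriptor shaped like Keycloak's output) and the assumption that each XML element sits on a single line are mine; openssl must be on PATH.

```shell
#!/bin/sh
# Added example: extract the Keycloak values SonarQube asks for from a saved
# SAML 2.0 IdP metadata file and sanity-check the certificate.
# Assumptions (this example's, not the page's): Keycloak-style EntityDescriptor,
# one XML element per line (Keycloak emits it that way), openssl on PATH.

# Provider ID: the entityID attribute of the EntityDescriptor
metadata_entity_id() {
    tr -d '\r\n' < "$1" | sed -n 's/.*entityID="\([^"]*\)".*/\1/p'
}

# SAML login URL: Location of the SingleSignOnService element for the given
# binding (HTTP-POST by default; Keycloak uses the same URL for HTTP-Redirect)
metadata_sso_url() {
    binding="${2:-HTTP-POST}"
    tr -d '\r\n' < "$1" \
        | grep -o "<[^>]*SingleSignOnService[^>]*$binding[^>]*>" \
        | sed -n 's/.*Location="\([^"]*\)".*/\1/p' | head -n 1
}

# Identity provider certificate: first X509Certificate in the metadata (the
# realm's signing certificate), as one base64 line with no PEM armour
metadata_certificate() {
    tr -d '\r\n' < "$1" | grep -o 'X509Certificate>[^<]*' | head -n 1 \
        | sed 's/^X509Certificate>//' | tr -d ' \t'
}

# Re-armour the base64 body and let openssl parse it; non-zero exit if it is
# not a certificate or expires within 30 days (2592000 seconds)
check_certificate() {
    { echo '-----BEGIN CERTIFICATE-----'
      printf '%s\n' "$1" | fold -w 64
      echo '-----END CERTIFICATE-----'; } \
        | openssl x509 -noout -subject -enddate -checkend 2592000
}

# Constructed sample: throwaway self-signed cert standing in for the realm key,
# inside a minimal EntityDescriptor; entityID and URLs follow the page's example
make_sample_metadata() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=sample-keycloak' \
        -keyout "$dir/idp.key" -out "$dir/idp.crt" 2>/dev/null
    cert=$(grep -v -- '^-----' "$dir/idp.crt" | tr -d '\n')
    cat > "$dir/metadata.xml" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://keycloak:8080/realms/sonarqube">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://keycloak:8080/realms/sonarqube/protocol/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://keycloak:8080/realms/sonarqube/protocol/saml"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Demonstration on the constructed sample
demo_dir=$(mktemp -d)
make_sample_metadata "$demo_dir"
echo "Provider ID:                   $(metadata_entity_id "$demo_dir/metadata.xml")"
echo "SAML login URL:                $(metadata_sso_url "$demo_dir/metadata.xml")"
echo "Identity provider certificate: $(metadata_certificate "$demo_dir/metadata.xml" | cut -c1-40)..."
check_certificate "$(metadata_certificate "$demo_dir/metadata.xml")"
rm -rf "$demo_dir"
```

To use it on a real file, replace the demonstration lines with calls against the metadata you downloaded from Realm settings > General > SAML 2.0 Identity Provider Metadata, and paste the three printed values into the corresponding SonarQube fields. The 30-day expiry window is an arbitrary threshold chosen for this example.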
Set up security features
To improve security, you can enable the encryption of SAML assertions sent by Keycloak and the signing of SAML requests sent by SonarQube Server. Once you have registered the SonarQube Server in Keycloak, you can set up the following security features:
The encryption of SAML assertions emitted by Keycloak for SonarQube Server.
The signing of the SAML requests from SonarQube Server to Keycloak.
To enable the encryption of SAML assertions or the signing of SAML requests, you need to provide two things (the same key pair is used for both security features):
Service provider private key: PKCS8-stored private key.
Service provider certificate: X.509 certificate.
Configure the security features in Keycloak
You can enable the signing of SAML requests and/or the encryption of SAML assertions. To enable the assertion encryption, follow the steps below. To enable the signed requests, nothing needs to be done in this step.
To enable in Keycloak the encryption of SAML assertions:
In Keycloak, go to the Clients section and select the SAML client used for SonarQube.
In the Keys tab of the SAML client, disable Signing key config if not already done and enable Encrypt assertions in Encryption keys config. A dialog opens to generate a paired private key and certificate.
Select the Generate button. A pop-up indicates that the key pair and certificate have been successfully generated (if it's not the case, make sure pop-ups are not blocked in your browser): the private.key file has been downloaded to your local folder. Select Confirm. The dialog closes.
Convert the private key to PKCS#8 format
You have to convert the Keycloak private.key into a pkcs8.key, which is SonarQube compatible. To do so, use a shell script based on the example below. In this example, the private.key downloaded from Keycloak is located in the same folder as where the script is run. Modify the script as needed.
The resulting file should look like this:
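As an added example (not the script from the SonarQube documentation), here is a POSIX shell function that performs this conversion with openssl. It assumes that private.key is either a PEM file (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY" armour) or the bare base64 of the key's DER encoding, handles both, and writes the single-line, armour-free PKCS#8 body that the SonarQube form expects. The function names convert_to_pkcs8 and pkcs8_is_valid are mine; openssl must be on PATH.

```shell
#!/bin/sh
# Added example: convert the private.key downloaded from Keycloak into the
# one-line PKCS#8 body for SonarQube's "Service provider private key" field.
# Assumptions (this example's, not the page's): input is PEM (PKCS#1 or PKCS#8)
# or bare base64 DER; openssl on PATH.

convert_to_pkcs8() {
    in_file="$1"
    out_file="$2"
    tmp_pem=$(mktemp)
    if grep -q -- '-----BEGIN' "$in_file"; then
        # PEM input: openssl accepts PKCS#1 or PKCS#8 armour and writes
        # unencrypted PKCS#8 (-nocrypt), which is what SonarQube reads
        openssl pkcs8 -topk8 -nocrypt -inform PEM -in "$in_file" \
            -outform PEM -out "$tmp_pem"
    else
        # Bare base64: decode to DER and let openssl identify the structure
        tr -d '\r\n\t ' < "$in_file" | openssl base64 -d -A \
            | openssl pkcs8 -topk8 -nocrypt -inform DER -outform PEM -out "$tmp_pem"
    fi
    # Drop the PEM armour and join the base64 into a single line
    grep -v -- '^-----' "$tmp_pem" | tr -d '\r\n' > "$out_file"
    echo >> "$out_file"
    rm -f "$tmp_pem"
    # Never leave a private key readable by other users
    chmod 600 "$out_file"
}

# Re-armour the one-line body and confirm openssl parses it as a private key
pkcs8_is_valid() {
    { echo '-----BEGIN PRIVATE KEY-----'
      fold -w 64 "$1"
      echo '-----END PRIVATE KEY-----'; } | openssl pkey -noout 2>/dev/null
}

# Run as a script: ./convert.sh private.key pkcs8.key
if [ $# -eq 2 ]; then
    convert_to_pkcs8 "$1" "$2" && pkcs8_is_valid "$2" && echo "wrote $2"
fi
```

The output file holds an unencrypted private key; keep it out of version control and delete it once the value has been pasted into SonarQube Server.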
Configure the security features in SonarQube Server
To configure both the SAML request signing and the SAML assertion encryption features
In Keycloak, retrieve the SAML client used for SonarQube and go to the Keys tab.
Copy the certificate value in Encryption keys config.
In SonarQube Server, go to Administration > Configuration > General Settings > Authentication > SAML.
In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
In Service provider certificate, paste the certificate value copied from Keycloak.
Open your pkcs8.key file and copy its content. Remember that pkcs8.key contents are all on one line, as shown in Convert the private key to PKCS#8 format above. In SonarQube Server, paste this value in Service provider private key.
To enable the signing of the SAML requests, enable the Sign requests toggle.
Select Save configuration.
Select Test Configuration to verify.
To configure the SAML assertion encryption feature only
Follow the steps above, but ensure the Sign requests toggle is disabled.
Both Service provider private key and Service provider certificate should be set (neither should be empty).