Setup of security features

To improve security, you can set up the encryption of the SAML assertions sent by Microsoft Entra ID and the signing of the SAML requests sent by SonarQube Server.

Once you have registered SonarQube Server in Microsoft Entra ID (see Setup in Microsoft Entra ID), you can set up the following security features:

  - Assertion encryption: Microsoft Entra ID encrypts the SAML assertions it issues for SonarQube Server with SonarQube Server's public key (taken from the certificate you upload), and SonarQube Server decrypts them with its private key.

  - Request signing: SonarQube Server signs the SAML authentication requests it sends with its private key, and Microsoft Entra ID verifies the signature against the same certificate.

The same key pair is used for both security features (encryption and signing). You can enable either one or both.

Step 1: Generate the asymmetric key pair and certificate

Generate an asymmetric key pair. The private key must be in PKCS8 format, and the public key must be stored in a self-signed X.509 certificate file with the .cer extension. If your tool writes the certificate under another extension (for example .pem or .crt), you can copy the contents of the certificate file to a text editor and save it as a .cer file; the content is the same. The certificate file must contain only the public key, never the private key: the certificate is what you upload to Microsoft Entra ID, while the private key stays in SonarQube Server and must be protected like any other secret, since whoever holds it can decrypt every assertion and forge requests.
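The following script is an added example and is not SonarQube's or Microsoft's own tooling: it produces the PKCS8 private key and the self-signed X.509 certificate that Step 1 asks for with OpenSSL, checks the two files before you upload the certificate, and prints the thumbprint that Microsoft Entra ID displays for an imported certificate. The output file names, the 3072-bit RSA key size, the two-year validity and the host name sonarqube.example.com are assumptions to adjust to your environment.

```shell
# Added example (not SonarQube's or Microsoft's own tooling): generate and
# check the key pair and certificate for Step 1 with OpenSSL.
# Assumptions: file names, key size, validity and the placeholder host name
# sonarqube.example.com are illustrative.
set -eu

# generate_saml_sp_keypair OUTDIR [CN]
# Writes OUTDIR/sp-private-key.pem (PKCS8 PEM, unencrypted, because the
# SonarQube setting takes the raw key text) and OUTDIR/sp-certificate.cer
# (self-signed, public key only). CN defaults to the placeholder host name.
generate_saml_sp_keypair() {
  local outdir cn
  outdir="${1:-.}"
  cn="${2:-sonarqube.example.com}"
  mkdir -p "$outdir"
  # genpkey emits the private key in PKCS#8 PEM form by default.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$outdir/sp-private-key.pem" 2>/dev/null
  chmod 600 "$outdir/sp-private-key.pem"
  # Self-signed certificate over the matching public key; no key material inside.
  openssl req -new -x509 -key "$outdir/sp-private-key.pem" \
    -subj "/CN=$cn" -days 730 -sha256 \
    -out "$outdir/sp-certificate.cer" 2>/dev/null
}

# verify_saml_sp_keypair OUTDIR
# Returns 0 when the private key is PKCS8, the certificate parses as X.509,
# carries no private key, and its public key matches the private key.
verify_saml_sp_keypair() {
  local outdir key cert pub_from_key pub_from_cert
  outdir="${1:-.}"
  key="$outdir/sp-private-key.pem"
  cert="$outdir/sp-certificate.cer"
  # PKCS#8 keys start with "BEGIN PRIVATE KEY"; PKCS#1 would say "BEGIN RSA PRIVATE KEY".
  grep -q '^-----BEGIN PRIVATE KEY-----' "$key" || return 1
  # The file uploaded to Entra ID must never contain private key material.
  if grep -q 'PRIVATE KEY' "$cert"; then return 2; fi
  openssl x509 -in "$cert" -noout 2>/dev/null || return 3
  # Both commands print the public key as a PEM SubjectPublicKeyInfo block.
  pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  pub_from_cert=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
  [ "$pub_from_key" = "$pub_from_cert" ] || return 4
  return 0
}

# cert_thumbprint CERTFILE
# Prints the SHA-1 thumbprint (40 hex digits, no colons) that Entra ID shows
# next to an imported certificate, so the upload can be matched to this file.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null \
    | cut -d= -f2 | tr -d ':'
}
```

Run `generate_saml_sp_keypair ./saml && verify_saml_sp_keypair ./saml && cert_thumbprint ./saml/sp-certificate.cer`, upload sp-certificate.cer in Step 2, and compare the printed thumbprint with the one shown on the Token encryption page. In Step 3, paste the contents of sp-private-key.pem and sp-certificate.cer into the corresponding SonarQube Server fields.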

Step 2: Configure the security feature(s) in Microsoft Entra ID

To enable the encryption of SAML assertions

Add the certificate to the Microsoft Entra ID application you created for SonarQube Server, then activate token encryption:

  1. Go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Server.

  2. On the application’s page, select Token encryption.

  3. On the Token encryption page, select Import Certificate to import the .cer file that contains your public X.509 certificate.

  4. Once the certificate is imported, activate encryption by selecting the three dots next to the thumbprint status and then selecting Activate token encryption.

  5. Select Yes to confirm activation of the token encryption certificate.

  6. Check that the certificate now shows as active and that its thumbprint matches the certificate you generated. From this point on, the SAML assertions emitted for the application are encrypted.

  7. Enforce the response signature: see below. Encryption alone is not enough, because SonarQube Server must still be able to verify that the response comes from Microsoft Entra ID.

If you use encryption, enforce response signature
  1. In Microsoft Entra ID, go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Server.

  2. On the application’s page, select Single sign-on.

  3. In SAML Certificates > Token signing certificates, select Edit. The SAML Signing Certificate dialog opens.

  4. In Signing option, enforce the response signature: select either Sign SAML response or Sign SAML response and assertion.

  5. Save.

In Signing option, do not select Sign SAML assertion. With encryption enabled, a signature placed only on the assertion travels inside the encrypted element; SonarQube Server needs a signature on the response itself to verify the authenticity of what it receives.
To enable the signing verification (verification by Microsoft Entra ID of the SAML requests signed by SonarQube Server)
  1. In Microsoft Entra ID, go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Server.

  2. On the application’s page, select Single sign-on.

  3. In SAML Certificates > Verification certificates, select Edit.

  4. Select Require verification certificates.

  5. Upload the public key certificate (the same .cer file as for encryption).

  6. Save. The Verification certificates section shows 1 active certificate.

Check that the uploaded certificate is listed as active before moving on. Once Require verification certificates is on, Microsoft Entra ID rejects SAML requests from SonarQube Server that are not signed with the matching private key, so complete Step 3 before testing a login.

Step 3: Configure the security feature(s) in SonarQube Server

To configure the request signing and/or the assertion decryption in SonarQube Server:

  1. Go to Administration > Configuration > General Settings > Authentication > SAML.

  2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.

  3. Copy the PKCS8 private key file contents.

  4. Paste it in Service provider private key.

  5. Copy the self-signed certificate contents.

  6. Paste it in Service provider certificate.

  7. To enable the signing of the SAML requests, also select the Sign requests option. Leave it cleared if you only want assertion decryption.

  8. Select Save configuration.

  9. Select Test Configuration.
