Setup in Microsoft Entra ID
This page explains how to register SonarQube Server in Microsoft Entra ID. This is the first step of SAML authentication setup with Microsoft Entra ID.
This page explains how to register SonarQube Server in Microsoft Entra ID. This is the first step of SAML authentication setup with Microsoft Entra ID. For an overview of the complete setup, see Introduction to SAML with Microsoft Entra ID.
Step 1: Create the SAML application for SonarQube Server in MS Entra ID
In Microsoft Entra ID, go to Manage > Enterprise applications > All applications.
Select New application and then Create your own application.
Make sure you choose "Create your own application". Do not select the non-affiliated "Sonarqube" Microsoft Entra Gallery app, which contains configurations that may prevent proper integration.
Fill in the name and select the Integrate any other application you don’t find in the gallery option.
Select Create.
Step 2: Configure the application for SonarQube Server in MS Entra ID
Go to Single sign-on > SAML. The Set up Single Sign-On with SAML page opens
In the Basic SAML Configuration section of the page, select Edit, fill in the Identifier and the Reply URL fields as described below, and save.
Basic configuration fields
Identifier
Identifier of the SonarQube Server application in Entra ID.
Reply URL
Must be in the format:
<sqServerBaseUrl>/oauth2/callback/saml
Example: https://my-sonarqube.com/oauth2/callback/saml
Note: Make sure Server base URL is correctly set in SonarQube Server.
In the Attributes & Claims section of the page, configure the attributes used by SonarQube Server as described below. To add an attribute, select Add new claim.
Attributes & claims
The table below shows possible mappings you can use for the SAML attributes used by SonarQube Server.
Login
A unique name to identify the user in SonarQube.
Examples: user.userprincipalname
x
Name
The full name of the user.
Example: user.displayname
x
The email of the user.
Example: user.mail
The NameID attribute is not used in SonarQube Server.
If you use Just-in-Time provisioning with the group synchronization feature:
Verify the user groups in SonarQube Server (see see Group synchronization in Just-in-Time provisioning)
Add a group attribute by selecting Add a group claim and do one of the following:
To enable the synchronization of Active Directory (AD) groups, set Source attribute to sAMAccountname.
To enable the synchronization of cloud-only groups, set Source attribute to Cloud-only group display names.
To enable the synchronization of both AD groups and cloud-only groups, set Source attribute to sAMAccountname and select the Emit group name for cloud-only groups checkbox.
Once done, the option to add a group will be unavailable and the group attribute will be listed with the other attributes in the Add new claim tab.
Group synchronization doesn’t work with Microsoft Entra ID’s nested groups.
Microsoft Entra ID SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table). In such cases, you might need to reduce the number of groups the user is in.
Alternatively to step 4 above, you may use SCIM user and group provisioning, see SCIM with Microsoft Entra ID.
In the SAML Certificates section of the page, download Certificate (Base64). (You will have to copy-paste the downloaded certificate into SonarQube Server during the setup of SonarQube Server).
7. Assign users and groups as follows:
Go to Manage > Users and groups.
Select Add user/group to assign users or groups to the application.
Related pages
Last updated
Was this helpful?