Latest | Instance administration | Authentication and provisioning | SAML | With Microsoft Entra ID | Setup of security features
Setting up optional security features for SAML with Microsoft Entra ID
Once you have registered SonarQube Server in Microsoft Entra, you can set up the following security features:
- The encryption of SAML assertions emitted by Microsoft Entra ID for SonarQube Server.
- The signing of the SAML requests from SonarQube Server to Entra ID.
Setting up the encryption of SAML assertions
You can set up the encryption of the SAML assertions Microsoft Entra ID emits for SonarQube Server. For more information, see SAML token encryption in Entra ID.
The same key pair is used for both security features (encryption and signing).
Proceed as follows:
- If not already done, generate the asymmetric key pair to use for encryption (PKCS8). The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a
.cer
file. The certificate file should contain only the public key, not the private key. - Add the private key in SonarQube Server:
- Go to Administration > Configuration > General Settings > Authentication > SAML.
- In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
- Copy the private key value to Service provider private key.
- Add the certificate to the Microsoft Entra ID application you created for SonarQube Server:
- Go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Server.
- On the application's page, select Token encryption.
- On the Token encryption page, select Import Certificate to import the
.cer
file that contains your public X.509 certificate. - Once the certificate is imported, activate encryption by selecting the three dots next to the thumbprint status and then selecting Activate token encryption.
- Select Yes to confirm activation of the token encryption certificate.
- Confirm that the SAML assertions emitted for the application are encrypted.
Setting up the signing of SAML requests
You can set up the signing and verification of the SAML requests sent by SonarQube Server to Entra ID. For more information, see Enforce signed SAML authentication requests.
The same key pair is used for both security features (encryption and signing).
Proceed as follows:
- If not already done, generate the asymmetric key pair to use for signing (PKCS8). The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a
.cer
file. The certificate file should contain only the public key, not the private key. - Set up the signing in SonarQube Server:
- Go to Administration > Configuration > General Settings > Authentication > SAML.
- In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
- Enable the Sign requests option.
- In Service provider private key, enter the private key value.
- In Service provider certificate, enter the certificate.
- Set up the signature verification in Microsoft Entra ID:
- Go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Server.
- On the application's page, select Single sign-on.
- In SAML Certificates > Verification certificates, select Edit.
- Select Require verification certificates.
- Upload the public key certificate.
- Save. The Verification certificates section shows 1 active certificate.
Related pages
Was this page helpful?