Start Free
Latest | Instance administration | Authentication and provisioning | SAML | With Microsoft Entra ID | Setup of security features

Setting up optional security features for SAML with Microsoft Entra ID

On this page

Once you have registered SonarQube Server in Microsoft Entra, you can set up the following security features:

  • The encryption of SAML assertions emitted by Microsoft Entra ID for SonarQube Server.
  • The signing of the SAML requests from SonarQube Server to Entra ID.

Setting up the encryption of SAML assertions

You can set up the encryption of the SAML assertions Microsoft Entra ID emits for SonarQube Server. For more information, see SAML token encryption in Entra ID.

Proceed as follows:

  1. If not already done, generate the asymmetric key pair to use for encryption (PKCS8). The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a .cer file. The certificate file should contain only the public key, not the private key.
  2. Add the private key in SonarQube Server:
    • Go to Administration > Configuration > General Settings > Authentication > SAML.
    • In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
    • Copy the private key value to Service provider private key.
  3. Add the certificate to the Microsoft Entra ID application you created for SonarQube Server:
    • Go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Server.
    • On the application's page, select Token encryption
    • On the Token encryption page, select Import Certificate to import the .cer file that contains your public X.509 certificate.
    • Once the certificate is imported, activate encryption by selecting the three dots next to the thumbprint status and then selecting Activate token encryption.
    • Select Yes to confirm activation of the token encryption certificate.
    • Confirm that the SAML assertions emitted for the application are encrypted.

Setting up the signing of SAML requests

You can set up the signing and verification of the SAML requests sent by SonarQube Server to Entra ID. For more information, see Enforce signed SAML authentication requests

Proceed as follows:

  1. If not already done, generate the asymmetric key pair to use for signing (PKCS8). The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a .cer file. The certificate file should contain only the public key, not the private key.
  2. Set up the signing in SonarQube Server:
    • Go to Administration > Configuration > General Settings > Authentication > SAML.
    • In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
    • Enable the Sign requests option.
    • In Service provider private key, enter the private key value.
    • In Service provider certificate, enter the certificate.
  3. Set up the signature verification in Microsoft Entra ID:
    • Go to Identity > Applications > Enterprise applications > All applications and select the application for SonarQube Server.
    • On the application's page, select Single sign-on
    • In SAML Certificates > Verification certificates, select Edit.
    • Select Require verification certificates.
    • Upload the public key certificate.
    • Save. The Verification certificates section shows 1 active certificate.

Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License