
How to set up Azure AD

The following content may be useful if you're using Azure AD as a SAML identity provider.

To integrate Azure AD (identity provider) with SonarQube (service provider), both sides need to be configured.

For SonarQube, navigate to Administration > Authentication > SAML and click Create. This opens a pop-up window with all the fields that you'll need during the procedure. For Azure AD, log in to Azure and navigate to Azure AD.

Set up the SonarQube application in Azure AD

Step 1: In Azure AD, navigate to Enterprise applications and add a New Application.

Step 2: Create your own application and fill in the name.

Step 3: Navigate to Single sign-on and select SAML.

Step 4: Edit the Basic SAML Configuration and fill in the Identifier and the Reply URL fields. The Identifier has to be the same as the Application ID in SonarQube. The Reply URL must have the format <Your SonarQube URL>/oauth2/callback/saml, where <Your SonarQube URL> is the Server base URL set in SonarQube under Administration > General.

Step 5: Make sure that the Application ID in SonarQube has the same value as the Identifier in the identity provider.

Step 6: In the Azure AD SAML configuration, navigate to Set up and copy the Login URL and Azure AD Identifier.

Step 7: Paste the Login URL into the SAML login url field and the Azure AD Identifier into the Provider ID field in the SonarQube SAML configuration.

Attributes and claims

Step 1: In the Azure AD SAML configuration, edit Attributes & Claims to view, edit or add attributes.

  SonarQube uses the following attributes:

    • Login (required): A unique name to identify the user in SonarQube. The default Azure AD attribute emailaddress is used in the example. You can also use the objectID attribute.
    • Name (required): The full name of the user. The default Azure AD attribute givenname is used in the example.
    • Email (optional): The email of the user.
    • Group (optional): Supports mapping to group names in SonarQube. The group name passed by Azure AD and the group name in SonarQube must match; otherwise, the default sonar-users group is assigned.

Step 2: Configure the corresponding attributes in SonarQube. Use the full attribute name (namespace + name) exactly as it is defined in Azure AD.

Certificates and signatures

Step 1: Navigate to SAML Certificates and download Certificate (Base64).

Step 2: Copy the certificate into the Identity provider certificate field in the SonarQube SAML configuration.

Step 3 (Optional): Encryption of the SAML tokens sent to SonarQube can be activated by generating an asymmetric key pair (for more information, see SAML token encryption in Azure). Add the private key to the Service provider private key field in SonarQube.

Import the public key certificate (.cer) file into Azure AD and activate token encryption.

Step 4 (Optional): Azure AD supports signed SAML requests from the service provider (in preview). Edit the Verification certificates, upload a certificate, and enable the Require verification certificates option.

In SonarQube, fill in the corresponding private key and the same certificate and enable the Sign requests option.

Users and groups

In the Azure AD SonarQube application, navigate to Users and groups and assign users or groups to the application.

Add SonarQube users and groups when setting up your SAML authentication in Azure.

Enabling and testing SAML authentication

Step 1: Save the SAML configuration by clicking Save configuration.

Step 2: Before enabling SAML authentication on SonarQube, you can verify that the configuration is correct by clicking Test Configuration. This will initiate a SAML login and return useful information about the SAML response obtained from the identity provider.

Step 3: Click Enable configuration.

Step 4: In the login form, the new Log in with Azure button (or a custom name specified in the Provider Name field) allows users to connect with their SAML account.

Group synchronization

Group synchronization between Azure AD and SonarQube can be achieved either by using the Azure AD roles or the Azure AD groups. For either case, the corresponding group name should exist in SonarQube under the Provisioning section of the SAML configuration. Group synchronization only works with the Just-in-Time user and group provisioning (default) option.

  • For synchronization with the Azure AD groups, a group claim must be added with sAMAccountName as a source attribute.
  • For mapping with the Azure AD app roles, an application role should be assigned to the user. Azure AD sends the role claim automatically with http://schemas.microsoft.com/ws/2008/06/identity/claims/role as a key. Enter it as the SAML group attribute in SonarQube.
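As an added example (not code from the SonarQube documentation or product), the following Python script checks a SAML response, such as the one displayed by Test Configuration, against the values entered in SonarQube: Audience versus Application ID, Reply URL, the required Login and Name attribute names, the group claim used for synchronization, and the Azure group limit noted under Troubleshooting. The SonarQube settings, the sample response and the 150-group limit are assumed values constructed for this example.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default Azure AD claim namespace and the app-role claim named in the group synchronization section
AZURE_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Values as entered in the SonarQube SAML configuration (constructed for this example)
SONARQUBE = {"application_id": "sonarqube", "server_base_url": "https://sonarqube.example.com",
             "login_attribute": AZURE_CLAIMS + "emailaddress", "name_attribute": AZURE_CLAIMS + "givenname",
             "email_attribute": AZURE_CLAIMS + "emailaddress", "group_attribute": ROLE_CLAIM}

# Minimal constructed SAML response, shaped like what Test Configuration shows (not a real Azure token)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="https://sonarqube.example.com/oauth2/callback/saml"><saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://sonarqube.example.com/oauth2/callback/saml"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>sonarqube</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AZURE_CLAIMS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AZURE_CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE_CLAIM}"><saml:AttributeValue>sonar-administrators</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, settings, group_limit=150):
    """Return the mismatches between a SAML response and the SonarQube SAML settings (empty list = consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Audience must equal the Application ID in SonarQube (the Identifier set in Azure AD)
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != settings["application_id"]:
        findings.append(f"Audience {audience!r} != Application ID {settings['application_id']!r}")
    # Destination and Recipient must be <Server base URL>/oauth2/callback/saml (the Reply URL)
    reply_url = settings["server_base_url"] + "/oauth2/callback/saml"
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    for url in (root.get("Destination"), scd.get("Recipient") if scd is not None else None):
        if url != reply_url:
            findings.append(f"Reply URL {url!r} != {reply_url!r}")
    # Attribute names are namespace + name exactly as listed in Azure AD's Attributes & Claims
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    for field in ("login_attribute", "name_attribute"):  # Login and Name are required by SonarQube
        if settings[field] not in attrs:
            findings.append(f"required {field} {settings[field]!r} not in response")
    # Azure limits how many groups a SAML token can carry (150 assumed here; see the Azure claims table)
    groups = attrs.get(settings["group_attribute"], [])
    if len(groups) > group_limit:
        findings.append(f"group count {len(groups)} exceeds the token group limit of {group_limit}")
    return findings
```

Run it against the response shown by Test Configuration after replacing SAMPLE_RESPONSE and SONARQUBE with your own values; an empty list means the Azure AD and SonarQube sides agree.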

Enabling SCIM provisioning

Starting in Enterprise Edition, once you’ve set up Azure AD as your SAML identity provider, you can set up SCIM provisioning to automate user and group provisioning from Azure AD into SonarQube.

For more information, see SCIM provisioning with Azure AD.

Troubleshooting

Group limit for SAML tokens

Azure SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table). In such cases, you might need to reduce the number of groups the user is in.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.