10.7 | Instance administration | Authentication and provisioning | SAML | With Okta

Setting up SAML with Okta


The following example may be useful if you are using Okta as a SAML identity provider. Note that Okta does not support service provider-signed requests even if they are enabled on the SonarQube side.

To integrate Okta (identity provider) with SonarQube (service provider), both sides need to be configured.

Create a new application in the Okta admin dashboard

Step 1: Under Applications, select Create App Integration.

Create your first app integration in Okta for SonarQube.

Step 2: Choose SAML 2.0 in the Sign-in Method dialog.

Step 3: Under General Settings, fill in the App name with SonarQube (or another name that you prefer), and select Do not display application icon to users.

Enter SonarQube as the App name, and select Do not display application icon to users.

Configure SAML settings

Step 1: Under General Settings, configure the following fields:

    • Single sign on URL: <Your SonarQube URL>/oauth2/callback/saml (e.g., https://sonarqube.mycompany.com/oauth2/callback/saml).
    • Audience URI (SP Entity ID): Something like sonarqube (SonarQube default value). It must not contain whitespace.

Configure SonarQube's SAML single sign on (SSO) setting in Okta.

Step 2: An assertion signature is mandatory. You must keep the following default settings in Show Advanced Settings:

    • Response: Choose Signed.
    • Assertion Signature: Choose Signed.
    • Signature Algorithm: Choose RSA-SHA256.

Step 3: (Optional) If you want to enable assertion encryption, expand Show Advanced Settings and configure the following fields:

    • Assertion Encryption: Choose Encrypted.
    • Encryption Algorithm: Choose AES256-GCM for high security.
    • Key Transport Algorithm: Choose RSA-OAEP.
    • Encryption Certificate: Add the service provider certificate. It should be the same certificate as the one found in the SonarQube SAML settings under Service provider certificate.

Show Advanced Settings and configure the fields to enable assertion encryption.

Step 4: Under Attribute Statements, add the following attribute mappings:

    • Create a mapping for the name:
      1. Name: name.
      2. Name format: Unspecified.
      3. Value: Choose user.firstName.
    • Create a mapping for the login:
      1. Name: login.
      2. Name format: Unspecified.
      3. Value: Choose user.login.
    • (Optional) Create a mapping for the email:
      1. Name: email.
      2. Name format: Unspecified.
      3. Value: Choose user.email.

Where to define optional SonarQube user email attributes in Okta.

    • (Optional) Under Group Attribute Statements (see details in Group synchronization):
      1. Name: groups.
      2. Name format: Unspecified.
      3. Filter: Choose Matches regex and set the value to .*.

Where to define your optional SonarQube group attributes in Okta.

Step 5: Select Finish in the Feedback dialog to confirm the creation of the application.

Step 6: You can now add users and groups in the Assignments tab of the application.

Where you assign SonarQube users in Okta.

Step 7: Navigate to the Sign On tab of the SonarQube application in Okta.

Step 8: Next to the SAML Signing Certificates subsection, you will find the configurations needed for setting up SonarQube, under View SAML setup instructions.

Where you can find SAML setup instructions in Okta.

Configure SAML authentication in SonarQube

Navigate to Administration > Authentication > SAML and click Create configuration. A popup window opens with all the fields you need to provide.

Go to Administration > Configuration > General Settings > Authentication > SAML

  • Application ID: The value of the Audience URI (SP Entity ID) you set in Okta (for example, sonarqube).
  • Provider ID: The value of Identity Provider Issuer provided in View SAML setup instructions from Okta.
  • SAML login URL: The value of Identity Provider Single Sign-On URL provided in View SAML setup instructions from Okta.
  • Identity provider certificate: The value of X.509 Certificate provided in View SAML setup instructions from Okta.
  • SAML user login attribute: login (or whatever you configured above when doing the mapping).
  • SAML user name attribute: name (or whatever you configured above when doing the mapping).
  • (Optional) SAML user email attribute: email (or whatever you configured above when doing the mapping).
  • Sign requests: Not supported for Okta.
  • (Optional) Service provider private key: The private key is required for assertion encryption support. It must be provided for SonarQube in PKCS8 format without encryption. You can find instructions for converting to different key formats here.
  • (Optional) Service provider certificate: The certificate is required for assertion encryption support. It must be shared with Okta in order to activate the assertion encryption.

The service provider private key and certificate can be either a new self-signed pair or any existing pair available in your infrastructure.
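A check for the text pasted into Service provider private key, as an added example that is not part of the SonarQube documentation: it classifies the PEM header and names the openssl conversion to run when the key is not unencrypted PKCS8 (the field name, the placeholder file names and the sample PEM strings are constructed, not key material).

```python
import re

# First PEM label in the pasted text; SonarQube needs exactly "PRIVATE KEY" (unencrypted PKCS8)
PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)
# Reads PKCS1/traditional or passphrase-protected PKCS8 input and writes unencrypted PKCS8
CONVERT = "openssl pkcs8 -topk8 -nocrypt -in <key.pem> -out <key-pkcs8.pem>"


def check_sp_private_key(pem_text):
    """Return (ok, pem_label, advice) for the Service provider private key field."""
    labels = PEM_HEADER.findall(pem_text)
    if not labels:
        return False, None, "not PEM: export the key as a PEM file, then run " + CONVERT
    label = labels[0]
    if label == "PRIVATE KEY":
        return True, label, None
    if label == "ENCRYPTED PRIVATE KEY":
        return False, label, "PKCS8 but passphrase-protected; remove it with " + CONVERT
    if label.endswith("PRIVATE KEY"):        # RSA/EC/DSA traditional OpenSSL format
        return False, label, "traditional OpenSSL format; convert with " + CONVERT
    if label == "CERTIFICATE":
        return False, label, "this is the certificate; it belongs in Service provider certificate"
    return False, label, "unexpected PEM type; " + CONVERT


# Constructed samples: real PEM labels, placeholder bodies (not key material)
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERBASE64\n-----END RSA PRIVATE KEY-----\n"
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERBASE64\n-----END PRIVATE KEY-----\n"
```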

Enabling and testing SAML authentication

Step 1: Save the SAML configuration by clicking Save configuration.

Step 2: Before enabling the SAML authentication on SonarQube, you can verify that the configuration is correct by clicking on Test Configuration. A SAML login will be initiated and useful information about the SAML response obtained from the Identity provider will be returned.

Step 3: Enable the configuration by clicking Enable configuration.

Step 4: In the login form, the new button Log in with Okta (or a custom name specified in the Provider Name field) allows users to connect with their SAML account.

Log in with Okta button that appears in the user login form
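As an added example (not SonarQube's own code), a structural pre-flight check over a decoded SAML response of the shape Okta sends for the mappings above, covering what Test Configuration should confirm: Response and Assertion signed with RSA-SHA256, Audience equal to the Application ID, login and name attributes present, groups collected as a list. The sample response is constructed, and the check does not verify the signature values themselves.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def signature_algorithm(node):
    """Algorithm of the ds:Signature directly under node, or None if that node is unsigned."""
    method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return None if method is None else method.get("Algorithm")

def preflight(xml_text, application_id, login_attr="login", name_attr="name"):
    """Structural checks on a decoded SAML Response; returns (problems, attributes).
    It does not verify the XML signatures: SonarQube does that with the IdP certificate."""
    root = ET.fromstring(xml_text)
    problems = []
    if signature_algorithm(root) != RSA_SHA256:
        problems.append("Response is not signed with RSA-SHA256")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        return problems + ["Assertion is " + ("encrypted (decrypt with the SP private key first)" if encrypted else "missing")], {}
    if signature_algorithm(assertion) != RSA_SHA256:
        problems.append("Assertion is not signed with RSA-SHA256")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS).strip()
    if audience != application_id:
        problems.append(f"Audience {audience!r} does not match Application ID {application_id!r}")
    # Attribute Statements: one entry per Name; multi-valued attributes (groups) kept as a list
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for needed in (login_attr, name_attr):
        if not any(attrs.get(needed, [])):
            problems.append(f"Required attribute {needed!r} missing or empty")
    return problems, attrs

# Constructed sample shaped like the Okta response for the mappings above; signature values omitted
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>sonarqube</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="login"><saml:AttributeValue>jane.doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>developers</saml:AttributeValue><saml:AttributeValue>sonar-admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Run `preflight(SAMPLE_RESPONSE, "sonarqube")` to get an empty problem list and the mapped attributes; a mismatched Application ID or a renamed login attribute is reported instead.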

Group synchronization

While configuring the SAML settings in Okta, you configured a groups attribute. You can now use it in SonarQube to enable group synchronization. To do this, under SAML > Provisioning, enter groups, or whatever name you gave to this attribute, in the SAML group attribute field. If you leave this field empty, group memberships are managed locally by SonarQube administrators.

Window displaying the user and group provisioning options and the SAML group attribute field

Enabling SCIM provisioning

Starting in Enterprise Edition, once you’ve set up Okta as your SAML Identity Provider, you can set up SCIM provisioning to automate user and group provisioning within Okta.

For more information, see SCIM provisioning in Okta.


© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License