This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

Setup of security features

To improve security, you can set up the encryption of SAML assertions sent by Microsoft Entra ID and the signing of SAML requests sent by SonarQube.

Once you have Setup in Microsoft Entra ID, you can set up the following security features:

  • The encryption of SAML assertions emitted by Microsoft Entra ID for SonarQube.

  • The signing of the SAML requests from SonarQube to Entra ID.

Setting up the encryption of SAML assertions

You can set up the encryption of the SAML assertions Microsoft Entra ID emits for SonarQube. For more information, see SAML token encryption in Entra ID.

The same key pair is used for both security features (encryption and signing).

Proceed as follows:

  1. If not already done, generate the asymmetric key pair to use for encryption (PKSC8). The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a .cer file. The certificate file should contain only the public key, not the private key.

  2. Add the private key in SonarQube:

    • Go to Administration > Configuration > General Settings > Authentication > SAML.

    • In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.

    • Copy the private key value to Service provider private key.

  3. Add the certificate to the SonarQube application in Microsoft Entra ID:

    • Go to Identity > Applications > Enterprise applications > All applications and select the SonarQube application.

    • On the application’s page, select Token encryption.

    • On the Token encryption page, select Import Certificate to import the .cer file that contains your public X.509 certificate.

    • Once the certificate is imported, activate encryption by selecting the three dots next to the thumbprint status and then selecting Activate token encryption.

    • Select Yes to confirm activation of the token encryption certificate.

    • Confirm that the SAML assertions emitted for the application are encrypted.

Setting up the signing of SAML requests

You can set up the signing and verification of the SAML requests sent by SonarQube to Entra ID. For more information, see Enforce signed SAML authentication requests.

The same key pair is used for both security features (encryption and signing).

Proceed as follows:

  1. If not already done, generate the asymmetric key pair to use for signing (PKSC8). The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a .cer file. The certificate file should contain only the public key, not the private key.

  2. Set up the signing in SonarQube:

    • Go to Administration > Configuration > General Settings > Authentication > SAML.

    • In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.

    • Enable the Sign requests option.

    • In Service provider private key, enter the private key value.

    • In Service provider certificate, enter the certificate.

  3. Set up the signature verification in Microsoft Entra ID:

    • Go to Identity > Applications > Enterprise applications > All applications and select the SonarQube application.

    • On the application’s page, select Single sign-on.

    • In SAML Certificates > Verification certificates, select Edit.

    • Select Require verification certificates.

    • Upload the public key certificate.

    • Save. The Verification certificates section shows 1 active certificate.

Last updated

Was this helpful?