SAML Single Sign On (SSO) into SonarQube using Keyclock

SonarQube SAML plugin gives the ability to enable SAML Single Sign On for the SonarQube. Here we will go through a guide to configure SSO between SonarQube and KeyClock. By the end of this guide, KeyClock users should be able to log in and register to the SonarQube Server.

Prerequisites :
You'll require SP metadata for IDP configuration.
You can find it under Administration >>Configuration >>miniOrange SAML Support >> SP Metadata tab.
The SP metadata can be used manually or using 2 Different Format options Text or File.

sonarqube-saml-single-sign-on-sso-plugin-sp-metadata-different-format

Step 1: Setup Jboss Keycloak as Identity Provider

Follow the steps below to configure Jboss Keycloak as an Identity Provider.You can use 2 ways to configure the JBoss Keycloak as IDP.

By uploading SP metadata
By Manual Configuration

Single Sign On (SSO) using Keycloak Identity Provider,Keycloak SSO Login

Method 1: Upload SP Metadata

In your Keycloak admin console, select the realm that you want to use.
Click on the Clients from the left nav bar.
Create a new client/application.
Click Import File button.

Single Sign On (SSO) using Keycloak Identity Provider,Keycloak SSO Login, Add Client

Upload plugin metadata. (To obtain it, go to the Service Provider Info tab of the plugin, and click on Download Metadata button.
Now, click on Select file from the Add Client tab of keycloak and browse the downloaded metadata file.)
Click on Save.
Procced to set Mappers .

Single Sign On (SSO) using Keycloak Identity Provider,Keycloak SSO Login Method 2: Manual Configuration

In your Keycloak admin console, select the realm that you want to use.
Click on the Clients from the left nav bar.
Create a new client/application.

Configure the following:

Client ID	The SP-EntityID / Issuer from the step 1 of the plugin under Configure IDP tab.
Name	Provide a name for this client
Description	Provide a description
Enabled	ON
Consent Required	OFF
Client Protocol	SAML
Include AuthnStatement	ON
Sign Documents	ON
Optimize Redirect signing key lookup	OFF
Sign Assertions	ON
Signature Algorithm	RSA_SHA256
Encrypt Assertion	OFF
Client Signature Required	OFF
Canonicalization Method	EXCLUSIVE
Force Name ID Format	ON
Name ID Format	Email
Root URL	Leave empty or Base URL of Service Provider
Valid Redirect URIs	The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under configure IDP tab.

Under Fine Grain SAML Endpoint Configuration, configure the following:

Assertion Consumer Service POST Binding URL	The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under Configure IDP tab.
Logout Service Redirect Binding URL	The Single Logout URL from the step 1 of the plugin under Configure IDP tab.

Click on Save.

Single Sign On (SSO) using Keycloak Identity Provider,Keycloak SSO Login, Configure Client

Add Mappers

Add the following attributes in the Mappers tab.
Click on Add Builtin and add the following option.

Single Sign On (SSO) using Keycloak Identity Provider,Keycloak SSO Login Download IDP Metadata

Go to Realm Settings, click on SAML 2.0 Identity Provider Metadata endpoint link provided under Genaral tab.
Download it and keep it handy. It will be used to configure the plugin.

Step 2: Configure SonarQube as Service Provider.

miniorange img Fetch the Identity Provider (IdP) Details

After configuring the IdP, get its metadata to configure SonarQube as a Service Provider(SP).
Copy the following details from the IdP metadata and paste them into the corresponding text fields in the SonarQube plugin.

Save all the details.

sonarqube saml single sign on (sso) plugin - idp_details

miniorange img Test Configuration

Once you have filled all the IdP details, go to Administration >>Configuration >>miniOrange SAML Support and then click on the Test Configuration tab.
It will show you the IdP login page. Enter your IdP credentials and log in.
If all the configurations are correct, it will show you the user details received from the IdP.
If the test fails, check if you have missed out any steps or try to debug through SonarQube Logs.

sonarqube saml single sign on (sso) plugin - test_configuration

miniorange img Attribute & Group Mapping

In order to map attributes from the Identity Provider to the application, the attribute names received in the SAML response need to be entered in their corresponding fields.
To view these attribute names, click on the Test Configuration tab in the plugin support page.
Attributes used in SonarQube Application are described briefly as below:

Login Attribute is a unique name assigned to the user to identify them uniquely within the SonarQube system. It's a required attribute.

Name Attribute is the full name of the user, to be mapped from the IdP to the SonarQube. It's a required attribute.

Email Attribute is an optional attribute and represents an email address of the user, to be mapped from the IdP to the SonarQube.

Group Attribute mapping requires the group names, in the application, to be same as the group names in the Identity Provider. Otherwise, the default SonarQube Group is assigned to the user.

Eg. To map group value Everyone from SAML response we have to paste groupName in Group Attribute field [Refer with above image].

sonarqube saml single sign on (sso) plugin - attribute_mapping

SAML Single Sign On (SSO) into SonarQube using KeyClock

Step 1: Setup Jboss Keycloak as Identity Provider

Step 2: Configure SonarQube as Service Provider.

Contents

STAY CONNECTED

Product

Solutions

Why miniorange

Company