SAML Single Sign On (SSO) into SonarQube using KeyClock

Step 1: Setup Jboss Keycloak as Identity Provider

Follow the steps below to configure Jboss Keycloak as an Identity Provider.You can use 2 ways to configure the JBoss Keycloak as IDP.

• By uploading SP metadata
• By Manual Configuration
 Method 1: Upload SP Metadata
• In your Keycloak admin console, select the realm that you want to use.
• Click on the Clients from the left nav bar.
• Create a new client/application.
• Click Import File button.

• Upload plugin metadata. (To obtain it, go to the Service Provider Info tab of the plugin, and click on Download Metadata button or You can copy the SP Entity ID and ACS URL from the plugin.
  Now, click on Select file from the Add Client tab of keycloak and browse the downloaded metadata file.)
• Click on Save.
• Procced to set Mappers .

 Method 2: Manual Configuration

• In your Keycloak admin console, select the realm that you want to use.
• Click on the Clients from the left nav bar.
• Create a new client/application.
• Configure the following:

  Client ID	The SP-EntityID / Issuer from the step 1 of the plugin under Configure IDP tab.
  Name	Provide a name for this client
  Description	Provide a description
  Enabled	ON
  Consent Required	OFF
  Client Protocol	SAML
  Include AuthnStatement	ON
  Sign Documents	ON
  Optimize Redirect signing key lookup	OFF
  Sign Assertions	ON
  Signature Algorithm	RSA_SHA256
  Encrypt Assertion	OFF
  Client Signature Required	OFF
  Canonicalization Method	EXCLUSIVE
  Force Name ID Format	ON
  Name ID Format	Email
  Root URL	Leave empty or Base URL of Service Provider
  Valid Redirect URIs	The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under configure IDP tab.

• Under Fine Grain SAML Endpoint Configuration, configure the following:



Assertion Consumer Service POST Binding URL	The ACS (Assertion Consumer Service) URL from the step 1 of the plugin under Configure IDP tab.
Logout Service Redirect Binding URL	The Single Logout URL from the step 1 of the plugin under Configure IDP tab.

• Click on Save.


 Add Mappers

• Add the following attributes in the Mappers tab.
• Click on Add Builtin and add the following option.


 Download IDP Metadata

• Go to Realm Settings, click on SAML 2.0 Identity Provider Metadata endpoint link provided under Genaral tab.
• Download it and keep it handy. It will be used to configure the plugin.

Step 2: Configure SonarQube as Service Provider.

Fetch the Identity Provider (IdP) Details

• After configuring the IdP, get its metadata to configure SonarQube as a Service Provider(SP)
• Copy the following details from the IdP metadata and paste them into the corresponding text fields in the SonarQube plugin
1. IdP Entity ID
2. Login URL
3. X.509 Certificate


• Save all the details.

  Test Configuration

• Once you have filled all the IdP details, go to Administration >>Configuration >>miniOrange SAML Support and then click on the Test Configuration tab.
• It will show you the IdP login page. Enter your IdP credentials and log in.
• If all the configurations are correct, it will show you the user details received from the IdP.
• If the test fails, check if you have missed out any steps or try to debug through SonarQube Logs.

  Attribute & Group Mapping

• In order to map attributes from the Identity Provider to the application, the attribute names received in the SAML response need to be entered in their corresponding fields.
• To view these attribute names, click on the Test Configuration tab in the plugin support page.
• Attributes used in SonarQube Application are described briefly as below:

1. Login Attribute is a unique name assigned to the user to identify them uniquely within the SonarQube system. It's a required attribute.


2. Name Attribute is the full name of the user, to be mapped from the IdP to the SonarQube. It's a required attribute.


3. Email Attribute is an optional attribute and represents an email address of the user, to be mapped from the IdP to the SonarQube.


4. Group Attribute mapping requires the group names, in the application, to be same as the group names in the Identity Provider. Otherwise, the default SonarQube Group is assigned to the user.

• Eg. To map group value Everyone from SAML response we have to paste groupName in Group Attribute field [Refer with above image].

×