SonarQube and SAML authentication with OneLogin

Hello!

OneLogin is being used as an identity provider by some SonarQube users.

I wrote this guide so that everybody can have guidance on how to achieve it.

:warning: This guide is based on my own setup; you may need to adjust it to fit your setup/needs.

1. Create an application in OneLogin



I have chosen SAML Test Connector but you can pick another one if you want.

:information_source: As of December 2022, the new name for this connector is SAML Custom Connector

2. Configure general and SAML settings in your Application


The SAML Recipient URL must be set to your sonar.core.serverBaseURL value with /oauth2/callback/saml appended.

3. Check the response parameters


The givenName, mail and surname parameters must be set so SonarQube can extract them from the response.

4. Get the Single Sign On information of your application


You need to copy the Issuer URL as well as the SAML 2.0 Endpoint, then go to View details at the certificate level and copy the certificate (it should start with -----BEGIN CERTIFICATE-----).

5. Configure SonarQube
Go to Administration > General then set up the sonar.core.serverBaseURL.

6. Setup SAML in SonarQube
Go to Administration > Security > SAML and enable SAML.


Make sure to set the Application ID to the same value you set in OneLogin (step 2).
Then set the Provider ID (Issuer URL), SAML Login URL and Provider Certificate to the values copied in step 4.

Finally set the attribute that SonarQube has to find in the response.

They must be set as follows:

SAML user login attribute = urn:oid:2.5.4.42
SAML user name attribute = urn:oid:2.5.4.4
SAML user email attribute = urn:oid:1.3.6.1.4.1.5923.1.1.1.6

If you want to use groups, you can add a value to the SAML group attribute to pass group information.
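Most SAML login failures I have seen come down to a Recipient URL or attribute name that does not match what SonarQube was told to expect. The script below is an added example (not SonarQube or OneLogin code) that parses a constructed SAML Response and reports exactly those mismatches; it assumes the three attribute OIDs and the callback path from this guide and does not verify the signature, which SonarQube does itself.

```python
"""Check a SAML Response against the SonarQube settings from steps 2 and 6.
Added example; the sample response below is constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names SonarQube is configured to look for (step 6).
REQUIRED_ATTRS = {
    "login": "urn:oid:2.5.4.42",
    "name": "urn:oid:2.5.4.4",
    "email": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}


def expected_recipient(server_base_url: str) -> str:
    """Recipient URL = sonar.core.serverBaseURL + /oauth2/callback/saml (step 2)."""
    return server_base_url.rstrip("/") + "/oauth2/callback/saml"


def check_response(xml_text: str, server_base_url: str) -> dict:
    """Return a dict of problems found; an empty dict means the response lines up."""
    root = ET.fromstring(xml_text)
    problems = {}
    want = expected_recipient(server_base_url)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    got = scd.get("Recipient") if scd is not None else None
    if got != want:
        problems["recipient"] = f"expected {want}, got {got}"
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for key, oid in REQUIRED_ATTRS.items():
        if oid not in present:
            problems[key] = f"missing attribute {oid}"
    return problems


# Constructed sample: correct Recipient, but the mail attribute was not mapped.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://sonar.example.com/oauth2/callback/saml"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "https://sonar.example.com"))
```

Paste the decoded SAMLResponse from your browser's developer tools in place of the sample to check a real login attempt.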

7. Login with SAML

If you receive an error while authenticating with SAML, troubleshooting information should be available in the $SONARQUBE_HOME/logs/web.log file of your instance. The debug logs can bring more information if nothing obvious shows up in the INFO logs.

If you run into any trouble or have feedback on this guide, don’t hesitate to create a new post in the Community.
