
SAML Keycloak integration for Sonarqube

Upstream Sonarqube Docs

In the Keycloak server, create a new SAML client

Create a new client

  1. “Client ID” is something like “sonarqube”
  2. “Client Protocol” must be set to “saml”
  3. “Client SAML Endpoint” can be left empty

Configure the new client

  1. In Settings
  2. Set “Client Signature Required” to OFF
  3. Set “Valid Redirect URIs” to “/oauth2/callback/*”, e.g.
  4. In Client Scopes > Default Client Scopes, remove “role_list” from “Assigned Default Client Scopes” (this prevents the error com.onelogin.saml2.exception.ValidationError: Found an Attribute element with duplicated Name during authentication)
  5. In Mappers, create a mapper for each user attribute (note that the values given below for Name, SAML Attribute Name and Role Attribute Name are only example values):
    • Create a mapper for the login:
      • Name: Login
      • Mapper Type: User Property
      • Property: Username (the login must not contain any special characters other than .-_@ to meet SonarQube restrictions)
      • SAML Attribute Name: login
    • Create a mapper for the name:
      • Name: Name
      • Mapper Type: User Property
      • User Attribute: Username (it can also be another attribute you previously specified for the users)
      • SAML Attribute Name: name
    • (Optional) Create a mapper for the email:
      • Name: Email
      • Mapper Type: User Property
      • Property: Email
      • SAML Attribute Name: email
    • (Optional) Create a mapper for the groups. If you rely on a list of roles defined in “Roles” of the Realm (not in “Roles” of the client):
      • Name: Groups
      • Mapper Type: Role list
      • Role Attribute Name: groups
      • Single Role Attribute: ON
    • If you rely on a list of groups defined in “Groups”:
      • Name: Groups
      • Mapper Type: Group list
      • Role Attribute Name: groups
      • Single Role Attribute: ON
      • Full Group Path: OFF

In SonarQube, configure SAML authentication

Go to Administration > Configuration > General Settings > Security > SAML and set:

  • Enabled should be set to true
  • Application ID is the value of the “Client ID” you set in Keycloak (for example “sonarqube”)
  • Provider ID is the value of the “EntityDescriptor” > “entityID” attribute in the XML configuration file (for example “http://keycloak:8080/auth/realms/sonarqube”, where sonarqube is the name of the realm)
  • SAML login url is the value of the “SingleSignOnService” > “Location” attribute in the XML configuration file (for example “http://keycloak:8080/auth/realms/sonarqube/protocol/saml”)
  • Provider certificate is the value you get from Realm Settings -> Keys -> click on the Certificate button
  • SAML user login attribute is the value set in the login mapper in “SAML Attribute Name”
  • SAML user name attribute is the value set in the name mapper in “SAML Attribute Name”
  • (Optional) SAML user email attribute is the value set in the email mapper in “SAML Attribute Name”
  • (Optional) SAML group attribute is the value set in the groups mapper in “Role/Group Attribute Name”

In the login form, the new button “Log in with SAML” allows users to connect with their SAML account.
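The Provider ID, SAML login url and Provider certificate above all come from the realm's SAML IdP metadata XML. The following added example (not part of the original page or of SonarQube/Keycloak) pulls those values out of a constructed sample descriptor and maps them onto the sonar.auth.saml.* properties, refusing metadata that is not an identity provider's or that carries more than one SSO location or signing certificate:

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of a realm descriptor; the certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://keycloak:8080/auth/realms/sonarqube">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-PLACEHOLDER-CERT-BODY=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keycloak:8080/auth/realms/sonarqube/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://keycloak:8080/auth/realms/sonarqube/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sonar_saml_settings(metadata_xml: str, application_id: str) -> dict:
    """Return the sonar.auth.saml.* properties derived from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not an identity provider's metadata")
    # Keycloak lists several bindings with the same Location; they must agree.
    locations = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    # Only the signing key matters: SonarQube uses it to verify the assertion signature.
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if len(locations) != 1 or len(certs) != 1:
        raise ValueError("expected one SSO location and one signing certificate")
    return {
        "sonar.auth.saml.enabled": "true",
        "sonar.auth.saml.applicationId": application_id,
        "sonar.auth.saml.providerId": root.get("entityID"),
        "sonar.auth.saml.loginUrl": locations.pop(),
        "sonar.auth.saml.certificate.secured": certs[0],
    }
```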

Helm values config example

Within BigBang:

```yaml
enabled: true
client_id: platform1_###
client_secret: ###########
# Label is interchangeable with "provider_name"
# -- SonarQube SSO login button label
#provider_name: "P1 SSO"
label: "P1 SSO"
# -- SonarQube plaintext SAML sso certificate.
certificate: "M#######...="
# Other default options from BigBang
# -- SonarQube login sso attribute.
login: login
# -- SonarQube name sso attribute.
name: name
# -- SonarQube email sso attribute.
email: email
# -- (optional) SonarQube group sso attribute.
group: group
```

Within Sonarqube package:

```yaml
sonar.forceAuthentication: true
# SAML SSO config
sonar.auth.saml.enabled: true
sonar.auth.saml.applicationId: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-saml-sonarqube
sonar.auth.saml.providerName: P1 SSO
sonar.auth.saml.certificate.secured: MILicoTCCAYkCBgFyLIEqUjaNbg...
# One property per SAML attribute; each value must match the "SAML Attribute Name"
# (or "Role Attribute Name") of the corresponding Keycloak mapper
sonar.auth.saml.user.login: login
sonar.auth.saml.user.name: name
sonar.auth.saml.user.email: email
sonar.auth.saml.group.name: group
```

OIDC Keycloak integration for Sonarqube

  1. Log in to SonarQube with the default admin credentials (username: admin, password: admin)
  2. In Administration -> General, set Server base URL to the SonarQube URL (for example https:/ without a trailing /)
  3. On a different browser tab, log in to the Keycloak realm
  4. From Clients, choose the sonarqube client and note the Client ID
    • Set Root URL to an empty string
    • Set Valid Redirect URI to https://<sonarqube url>/* (for example: *)
    • Set Base URI to the SonarQube URL (for example: without a trailing /)
  5. On Clients -> Credentials, regenerate the secret and note it down
  6. On Clients -> Client Scopes -> Sonarqube -> Mappers
    • Click Add Builtin and add the “groups” scope
  7. On Users, click “Add User” and enter
    • Username
    • Email (must have id)
    • First name
    • Last name
    • Email Verified: On
    • Save
  8. On Users, open the Credentials tab and set a password
  9. On Users, open the Groups tab and join Impact Level2 Authorized and System Admins IL2
  10. In Administration -> Security, set OpenID Connect to enabled
  11. Set Issuer URI to
  12. Set Client ID to the value noted from Keycloak above
  13. Set Client Secret to the value regenerated in Keycloak above
  14. Set Scopes to openid Sonarqube
  15. Log out of SonarQube and log back in with the username created above by clicking on the OIDC login
  16. Log out of SonarQube and log back in with username admin and password admin
  17. Go to Administration -> Security -> Users and add the username created above to the sonar-admin group
  18. Go to Administration -> Security -> Users and delete the admin user
  19. Log out of SonarQube and log in with the username and password created in Keycloak

Last update: 2022-09-21 by evan.rush