Configuring Sonar's Auth0 integration with your SAML Identity Provider is a multistep process, requiring information to be provided across your Sonar instance and your SAML IDP.
Configuring SAML needs two consistent pieces of information from Sonar: the Entity ID and the Connection Name.
Entity ID: this will vary for each instance and is obtained during provider configuration, but the basic format will always follow urn:auth0:sonarsoftware-prod:{yourConnectionName}
Connection Name: generated by Sonar after a SAML provider is added. You can grab it by clicking on the Authentication Provider, selecting View Details from the dropdown, then navigating to the Identity Providers tab of the side panel.
To get started, you'll need to start the SAML Identity Provider integration in Sonar.
Navigate to “Settings”
Expand “Security”
Select “Identity Providers”
Select “Create Identity Provider”
Choose “Create SAML Identity Provider” from the menu dropdown
This opens the “Create SAML Identity Provider” form, which needs information from your IDP to complete the Sonar side, and which will then give you the information needed to complete the IDP side.
Setting up a SAML Provider with Google Admin
Setting up a SAML Identity Provider through Google Admin is fairly linear.
From the dashboard, select the “Apps” tile:
Next, select the “Web and Mobile Apps” tile:
Select "Add App" at the top of the table, followed by "Add custom SAML app" in the dropdown that appears:
The creation takes place in a 4-step process. The first step is defining identifying information for your Google Admin Dashboard. This requests a name, and optionally, a description for the SAML app. In this example, the app is named “Sonar Auth0”, and no description is added.
The second step is where the app integration provides you with access and certificate information.
This information corresponds to:
The SSO URL in Google corresponds to the Sign-in URL in Sonar
The Entity ID contains the same identifier as the SSO URL and isn't required as a separate entry in Sonar
The Certificate needs to be copied in its entirety and pasted as the Signing Certificate in Sonar
The SHA-256 Fingerprint isn't entered in Sonar. What matters is that the Signature Algorithm and Digest Algorithm are both set to SHA-256 in Sonar; the fingerprint is still useful for confirming that the certificate you pasted is the one Google issued
Finally, in Sonar, the Protocol Binding will depend on the provider. For Google, it can be either HTTP-POST or HTTP-REDIRECT
A completed SAML Identity Provider might look like this in Sonar.
Once all the information is entered, click “Create”
Once the IDP is created, you'll need the Connection Name before proceeding to the next step in Google.
Click on the provider in Sonar
Select “View Details”
Switch to the “Identity Provider” tab
Keep this open to easily copy your connection name
On the next page of your Google Admin SAML App creation, you'll need to fill in the ACS URL and Entity ID. Both are built from the Connection Name of your Sonar instance described above, in the following format:
The ACS URL format is https://sonarsoftware-prod.eu.auth0.com/login/callback?connection={yourConnectionName}
The Entity ID format is urn:auth0:sonarsoftware-prod:{yourConnectionName}
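As an added example (not Sonar's, Auth0's or Google's own code), the following Python script derives the Entity ID and ACS URL from a Connection Name, checks that a pasted ACS URL has the exact callback path and a `connection` query parameter, and checks that a pasted Signing Certificate is complete by decoding the PEM and comparing the declared ASN.1 length with what was actually decoded. The Auth0 tenant name and domain are taken from the URLs in this guide; the Connection Name is hypothetical, and the sample certificate is a constructed DER blob rather than a real certificate, so the fingerprint it prints only means something when you run it on the certificate Google gave you (compare it against the SHA-256 fingerprint shown in Google Admin).

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Assumed from the URLs quoted in this guide: Sonar's Auth0 tenant name and domain.
AUTH0_TENANT = "sonarsoftware-prod"
AUTH0_DOMAIN = "sonarsoftware-prod.eu.auth0.com"


def entity_id(connection_name: str) -> str:
    """Entity ID / Identifier to enter in the IDP: urn:auth0:<tenant>:<connection>."""
    return f"urn:auth0:{AUTH0_TENANT}:{connection_name}"


def acs_url(connection_name: str) -> str:
    """ACS / Reply URL to enter in the IDP: the Auth0 callback with the connection as a query parameter."""
    return f"https://{AUTH0_DOMAIN}/login/callback?connection={connection_name}"


def check_acs_url(url: str, connection_name: str) -> bool:
    """True only if url is the Auth0 callback endpoint carrying the expected connection parameter.

    A mistyped URL such as .../login/callbackconnection?=<name> fails: the path is wrong
    and there is no 'connection' parameter, so Auth0 cannot route the assertion.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != AUTH0_DOMAIN or parts.path != "/login/callback":
        return False
    return parse_qs(parts.query).get("connection") == [connection_name]


_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM certificate to DER; raises ValueError if the markers or base64 are broken."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("certificate is missing its BEGIN/END CERTIFICATE markers")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def der_is_complete(der: bytes) -> bool:
    """Check that the outer ASN.1 SEQUENCE length matches the decoded data.

    A certificate pasted with a line missing still decodes as base64, but the length
    declared in its DER header no longer matches, so this catches a truncated paste.
    """
    if len(der) < 2 or der[0] != 0x30:  # 0x30 is the SEQUENCE tag every certificate starts with
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        length, header_len = first, 2
    else:  # long-form length: low 7 bits give the number of length bytes that follow
        num_bytes = first & 0x7F
        if num_bytes == 0 or num_bytes > 4 or len(der) < 2 + num_bytes:
            return False
        length = int.from_bytes(der[2:2 + num_bytes], "big")
        header_len = 2 + num_bytes
    return header_len + length == len(der)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: not a real certificate, just a well-formed DER SEQUENCE
# (tag 0x30, long-form length 0x0200 = 512 bytes) wrapped as PEM so the checks run offline.
_SAMPLE_DER = b"\x30\x82\x02\x00" + bytes(range(256)) * 2
_SAMPLE_B64 = base64.b64encode(_SAMPLE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_SAMPLE_B64[i:i + 64] for i in range(0, len(_SAMPLE_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def validate_setup(connection_name: str, pasted_acs_url: str, pasted_pem: str) -> dict:
    """Run the checks worth doing before clicking Create in Sonar or Save in the IDP."""
    der = pem_to_der(pasted_pem)
    return {
        "entity_id": entity_id(connection_name),
        "acs_url_ok": check_acs_url(pasted_acs_url, connection_name),
        "certificate_complete": der_is_complete(der),
        "sha256_fingerprint": sha256_fingerprint(der),
    }


if __name__ == "__main__":
    name = "con_ExampleConnection"  # hypothetical Connection Name
    print(validate_setup(name, acs_url(name), SAMPLE_PEM))
```

Paste your real Connection Name, the ACS URL you entered in the IDP and the certificate text you copied into `validate_setup`; a `False` for `acs_url_ok` or `certificate_complete` means the value needs to be re-copied before you continue, and the fingerprint should match the one Google Admin displays.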
On the final screen of the setup, you can map SAML attributes and Group membership for your users. Sonar doesn't consume this information, but limiting the app to specific Groups helps ensure access is only given to those who require it.
As an additional guide, you can refer to Google's documentation, available here!
Setting up a SAML Provider with Microsoft Entra
Setting up a custom SAML application to complete the integration with Microsoft is a less guided and less straightforward experience. For this reason, it is highly recommended to follow this guide while creating the integration; otherwise you run the risk of having an incomplete Auth0 setup which will not work.
While Microsoft has several systems that handle identity and access, this guide focuses on configuring an enterprise application in Microsoft Entra. For other systems, or other use cases, please refer to Microsoft's documentation.
In the Microsoft Entra dashboard, select "Create your own application", then in the sidebar that opens provide a name for your app (e.g., Sonar Auth0), select the "Integrate any other application you don't find in the gallery (Non-gallery)" radio button, and click Create.
In the application page you're automatically sent to after creation, select Set up single sign on
On the next page, select the SAML tile
The next page shows the full setup as numbered steps, which you'll tackle in several stages. Don't follow the on-screen numbering: the Auth0 configuration must be done in the order below, because Entra's Basic SAML Configuration needs the Connection Name that Sonar only generates once the provider has been created.
First, copy the Sign-in and Sign-out URLs (Entra labels these Login URL and Logout URL in the “Set up” section of the page)
Next, you have to extract the Signing Certificate. This is done by first clicking on the Edit icon, then downloading the certificate through the side menu:
After getting all this information, add it to your Sonar instance by creating a new SAML Identity Provider, following the steps at the start of this guide
Sonar's form also requires settings that Entra does not provide directly; the field descriptions in the Google section above cover what each one expects
Gather your Connection Name from the new provider and supply it to Microsoft Entra as the Basic SAML Configuration by clicking on the Edit button and adding the following values
The Identifier (Entity ID) format is urn:auth0:sonarsoftware-prod:{yourConnectionName}
The Reply URL (Assertion Consumer Service URL) is https://sonarsoftware-prod.eu.auth0.com/login/callback?connection={yourConnectionName}
Once all the information is filled out, save your changes, then assign the Groups and Users who should be able to sign in to the created application.
Return to the dashboard by selecting Overview, then select the Assign users and groups tile
Click on Add User/Group at the top of the table
Once in Add User and Groups, click on None selected to open the sidebar, select your users or groups by checking the box, click Select, and finally Assign
As an additional guide, you can refer to Microsoft's documentation, available here!