AWS IAM Identity Center (successor to AWS SSO) Integration Guide for SonarQube

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for SonarQube using SAML.

Prerequisites

You’ll need the following to set up SSO access to SonarQube:

Setup instructions

  1. On the Configure page in the IAM Identity Center console, in the Details section, fill in the Display name and, optionally, the Description of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one instance of the same application.

  2. Log in to your SonarQube account as an administrator.

  3. On the home page, choose Administration, then choose Marketplace.

  4. Under Plugins, search for SAML 2.0 Authentication for SonarQube and then choose Install.

  5. Wait for the notification stating that SonarQube needs to be restarted in order to install the plugin, choose Restart, then choose Restart again to confirm.

  6. In the left navigation pane, expand User Management, expand Identity Provider, and then choose SAML.

  7. Download the IAM Identity Center certificate and paste its content into Provider certificate. Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the copied certificate content so that only the base64 body remains.

  8. Insert these values:

Field                      Value
SAML user login attribute  login
SAML user name attribute   username
SAML user email attribute  email

  9. Scroll to the top of the SAML configuration page, and enable the toggle next to Enabled.

  10. Go back to the IAM Identity Center console page where you are configuring the application.

  11. Under Application properties, insert the value (replace SONARQUBEURL with the host name of your SonarQube server; the URL must be served over HTTPS):

Field                  Value
Application start URL  https://SONARQUBEURL/sessions/init/saml?return_to=%2F

  12. Under Application metadata, choose "If you don't have a metadata file, you can manually type your metadata values." to display the application metadata settings. Insert these values. The SAML audience must match the Application ID configured on the SonarQube SAML page (default sonarqube), otherwise SonarQube rejects the assertion as addressed to a different audience:

Field                      Value
Application ACS URL        https://SONARQUBEURL/oauth2/callback/saml
Application SAML audience  sonarqube

  13. Choose Save Changes.

  14. Assign a user to the application in IAM Identity Center.
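The steps above are entered by hand in two consoles, which is where audience, URL and certificate mismatches creep in. The following is an added example, not code from the AWS page or from the SonarQube project: it reads the IdP metadata that IAM Identity Center exports for the application, strips the certificate the way step 7 requires, derives the values for both sides, and refuses plain-HTTP endpoints. The metadata document is a constructed sample with placeholder entityID, URL and certificate body. The `sonar.auth.saml.*` keys are the settings behind the fields on SonarQube's SAML page as I know them; confirm them against your SonarQube version. `apply_settings` pushes them through SonarQube's `api/settings/set` endpoint with a user token and is only meaningful against a live server.

```python
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata namespaces (not specific to AWS or SonarQube).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the IdP metadata IAM Identity Center exports for an
# application. The entityID, URL and certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIDEXAMPLECERTBODY
          LINE2OFBODY==
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_pem(cert_text):
    """Reduce a PEM certificate to the bare base64 body the Provider certificate
    field expects: drop the BEGIN/END lines and all whitespace."""
    lines = [line.strip() for line in cert_text.strip().splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))


def parse_idp_metadata(xml_text):
    """Extract entityID, the redirect-binding SSO URL and the signing certificate
    from IdP metadata. Raises ValueError when any of them is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not an IdP metadata document")
    sso_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == REDIRECT_BINDING), None)
    cert_el = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means usable for signing too
            cert_el = kd.find(".//ds:X509Certificate", NS)
            if cert_el is not None:
                break
    if sso_url is None or cert_el is None or not cert_el.text:
        raise ValueError("metadata lacks a redirect SSO URL or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "certificate": re.sub(r"\s+", "", cert_el.text)}


def sonarqube_saml_settings(sonarqube_url, metadata, application_id="sonarqube"):
    """Key/value pairs behind SonarQube's SAML page (assumed sonar.auth.saml.* keys).
    application_id must equal the Application SAML audience entered in IAM Identity
    Center, or every assertion fails audience validation."""
    for url in (sonarqube_url, metadata["sso_url"]):
        if not url.startswith("https://"):
            raise ValueError(f"SAML endpoints must be https, got {url!r}")
    return {
        "sonar.auth.saml.enabled": "true",
        "sonar.auth.saml.applicationId": application_id,
        "sonar.auth.saml.providerName": "IAM Identity Center",
        "sonar.auth.saml.providerId": metadata["entity_id"],
        "sonar.auth.saml.loginUrl": metadata["sso_url"],
        "sonar.auth.saml.certificate.secured": metadata["certificate"],
        "sonar.auth.saml.user.login": "login",
        "sonar.auth.saml.user.name": "username",
        "sonar.auth.saml.user.email": "email",
    }


def identity_center_app_values(sonarqube_url, application_id="sonarqube"):
    """The start URL, ACS URL and audience to enter on the IAM Identity Center side."""
    base = sonarqube_url.rstrip("/")
    return {"start_url": f"{base}/sessions/init/saml?return_to=%2F",
            "acs_url": f"{base}/oauth2/callback/saml",
            "audience": application_id}


def apply_settings(sonarqube_url, token, settings):
    """Push settings with POST api/settings/set, one key per call, using a SonarQube
    user token as the basic-auth username. Needs a live server; not run offline."""
    import base64, urllib.parse, urllib.request
    auth = base64.b64encode(f"{token}:".encode()).decode()
    for key, value in settings.items():
        body = urllib.parse.urlencode({"key": key, "value": value}).encode()
        req = urllib.request.Request(f"{sonarqube_url.rstrip('/')}/api/settings/set",
                                     data=body, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            resp.read()
```

Run `parse_idp_metadata` on the real metadata file downloaded from the application's Configure page, feed the result to `sonarqube_saml_settings`, and compare the returned dictionary against what is on the SonarQube SAML page before enabling the toggle; the `identity_center_app_values` output is what goes into the Application properties and Application metadata sections.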

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying SSO from IAM Identity Center

  1. Access the AWS access portal using the credentials of a user assigned to the SonarQube application.

  2. In the list of applications, choose SonarQube to initiate a login to SonarQube.

  3. If login was successful, you are signed in to the SonarQube application.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Verifying Service Provider Initiated SSO from SonarQube

  1. Access SonarQube at https://SONARQUBEURL/sessions/init/saml?return_to=%2F.

  2. You will be redirected to the IAM Identity Center user portal login page.

  3. Type the credentials of a user assigned to the application in the IAM Identity Center console.

  4. Choose Sign In.

  5. On the SonarQube home page, verify that both SonarQube and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error     Other
Issue     When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user's email address. By default your directory is configured to send 'windowsUPN' in both fields.
Solution  Your directory may be configured to hold the user's email address in the 'Email' attribute instead. If so, change the attribute mapping in your connected directory settings so that the assertion carries the email address.
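The entry above is about a mismatch between what the directory sends and what SonarQube reads, and the fastest way to settle it is to look at the assertion that actually arrives: capture the SAMLResponse form field of the POST to /oauth2/callback/saml in the browser's developer tools and decode it. The following is an added example, not code from the AWS page or from SonarQube. It decodes such a response and reports anything that would break the mapping entered in the setup steps (attribute names login, username and email, the ACS URL and the audience). The sample responses it builds are constructed and unsigned; real responses from IAM Identity Center are signed, and this code does not verify signatures, so it diagnoses mapping problems and nothing more.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names SonarQube is configured to read in the setup steps.
REQUIRED_ATTRIBUTES = ("login", "username", "email")


def build_sample_response(attributes, name_id, acs_url, audience):
    """Constructed, unsigned response used only to exercise the checks offline."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f'</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items())
    xml = (f'<samlp:Response xmlns:samlp="{SAML_NS["samlp"]}" '
           f'xmlns:saml="{SAML_NS["saml"]}" Destination="{acs_url}">'
           f'<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           f'</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions><saml:AttributeStatement>{attr_xml}'
           f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def decode_saml_response(saml_response_b64):
    """Decode the SAMLResponse field (base64-encoded XML) into the parts SonarQube
    cares about: Destination, NameID, audiences and the attribute statement."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", SAML_NS)
    if assertion is None:  # an EncryptedAssertion would land here too
        raise ValueError("no plaintext Assertion in response")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", SAML_NS)]
    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    audiences = [x.text for x in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    return {"destination": root.get("Destination"),
            "name_id": name_id.text if name_id is not None else None,
            "audiences": audiences, "attributes": attrs}


def check_response(decoded, acs_url, audience, required=REQUIRED_ATTRIBUTES):
    """Return a list of findings; an empty list means the response carries what the
    SonarQube mapping expects. Signature validity is not checked here."""
    findings = []
    if decoded["destination"] != acs_url:
        findings.append(f"Destination {decoded['destination']!r} != ACS URL {acs_url!r}")
    if audience not in decoded["audiences"]:
        findings.append(f"Audience {decoded['audiences']} lacks application ID {audience!r}")
    for name in required:
        values = decoded["attributes"].get(name) or []
        if not values or not values[0]:
            findings.append(f"attribute {name!r} missing or empty")
    email = (decoded["attributes"].get("email") or [""])[0]
    if email and "@" not in email:
        findings.append(f"email attribute {email!r} is not an address; "
                        f"check the directory's Email attribute mapping")
    return findings


if __name__ == "__main__":
    acs = "https://sonarqube.example.com/oauth2/callback/saml"
    sample = build_sample_response({"login": "jdoe", "username": "Jane Doe",
                                    "email": "jdoe@example.com"},
                                   "jdoe@example.com", acs, "sonarqube")
    print(check_response(decode_saml_response(sample), acs, "sonarqube") or "mapping ok")
```

Feed a captured SAMLResponse value into `decode_saml_response` and pass the result to `check_response` with your ACS URL and Application ID; an audience finding points at step 12, a missing or non-address email points at the directory mapping described in the table.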

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning types you need to be aware of: