[Yandex Cloud documentation](../../../index.md) > [Yandex Identity Hub](../../index.md) > [Tutorials](../index.md) > [Setting up single sign-on (SSO) for apps](index.md) > SonarQube

# Creating a SAML app in Yandex Identity Hub for integration with SonarQube

[SonarQube](https://www.sonarsource.com/products/sonarqube/) is a platform that automatically scans source code to identify errors and vulnerabilities and evaluate test coverage. SonarQube supports SAML authentication to provide secure SSO for your organization's users.

For the users of your [organization](../../concepts/organization.md) to be able to authenticate to SonarQube via [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) SSO, create a [SAML app](../../concepts/applications.md#saml) in Yandex Identity Hub and configure it both in Yandex Identity Hub and SonarQube.

SAML apps can be managed by users with the `organization-manager.samlApplications.admin` [role](../../security/index.md#organization-manager-samlApplications-admin) or higher.

To give access to SonarQube to the users of your organization:

1. [Create an app](#create-app).
1. [Set up the integration](#setup-integration).
1. [Make sure the application works correctly](#validate).

## Create an app {#create-app}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps**.
    1. In the top-right corner, click ![Circles3Plus](../../../_assets/console-icons/circles-3-plus.svg) **Create application** and in the window that opens:
        1. Select the **SAML (Security Assertion Markup Language)** single sign-on method.
        1. In the **Name** field, specify a name for your new app: `sonarqube-app`.
        1. Optionally, in the **Description** field, enter a description for the new app.
        1. Optionally, add [labels](../../../resource-manager/concepts/labels.md):
            1. Click **Add label**.
            1. Add a label in `key: value` format.
            1. Press **Enter**.
        1. Click **Create application**.

{% endlist %}

## Set up the integration {#setup-integration}

{% note info %}

SAML integration is supported for SonarQube Developer Edition and higher. 

{% endnote %}

To integrate SonarQube with the SAML app you created in Yandex Identity Hub, complete the configuration both on the SonarQube side and in Yandex Identity Hub.

### Set up the SAML app in SonarQube {#setup-sp}

{% note info %}

To set up the SAML app in SonarQube, the user needs the **Administer System** global permission. 

{% endnote %}

1. To configure SAML authentication in SonarQube, in the left-hand panel, navigate to **Administration** and then, in the menu that opens, go to **Configuration** -> **General Settings**. In the **General Settings** menu, select **Authentication** -> **SAML**.
1. Click **Create configuration**.

Then complete the steps below:

#### Connect SonarQube to the IdP {#connect-idp}

Configure a link between SonarQube and Yandex Identity Hub:

1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and then, the SAML app.
1. In the **Overview** tab, under **Identity provider (IdP) configuration**, copy the **Issuer / IdP EntityID** and **Login URL** field values.
1. On the **Overview** tab, under **Application certificate**, click **Download certificate** and save the file to your device.
1. Go back to SonarQube, then in the **Edit SAML configuration** menu:
    1. In the **Application ID** field, leave the default value, `sonarqube`.
    1. Paste the copied values ​​into the **Provider ID** and **SAML login url** fields.
    1. Open the saved certificate file in any text editor, copy its contents and paste it into the **Identity provider certificate** field.

#### Map user attributes {#user-mapping}

Set up mapping between user object fields in SonarQube and Yandex Identity Hub:

1. In the **SAML user login attribute** field, specify `login`.
1. In the **SAML user name attribute** field, specify `fullname`.
1. Optionally, in the **SAML user email attribute** field, specify `emailaddress`.
1. If you want SonarQube users to get assigned to one of the groups when they log in, add the user group attribute. To do this, specify `groups` under **SAML group attribute**.
1. Save the settings by clicking **Save configuration**.
1. Click **Enable configuration**.

#### Set the public URL {#set-domain}

In the **General Settings** menu, from the **Authentication** section, go to **General**. Under **General**, in the **Server base URL** field, enter `https://<your-domain>`.

#### Map user groups {#group-mapping}

{% note info %}

If you do not configure group mapping, all users will be assigned to the default `sonar-users` group when they log in.

{% endnote %}

You can set up which group to assign users to upon login. To do this, you need to create groups on the SonarQube side:

1. At the top of the page, from the **Configuration** section, go to **Security** -> **Groups**.
1. Click **Create Group**.
1. In the **Name** field, enter a name for the group, e.g., `test-group`. You will need to create the group when setting up the app in Yandex Identity Hub.
1. Click **Create**.
1. To configure permissions for the group:
    1. In the **Security** menu, go from the **Groups** section to the **Global Permissions** section.
    1. To the right of the `test-group`, check the required permissions.

### Set up the SAML application in Yandex Identity Hub {#setup-idp}

#### Set up service provider endpoints {#sp-endpoints}

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and then, the SAML app.
  1. In the top-right corner, click ![pencil](../../../_assets/console-icons/pencil.svg) **Edit** and in the window that opens:  
      1. Set the **SP EntityID ** field value to `sonarqube`.
      1. In the **ACS URL** field, enter this address: `https://<your-domain>/oauth2/callback/saml`.
      1. Click **Save**.

{% endlist %}

#### Configure user attributes {#user-attributes}

{% note warning %}

For integration with SonarQube, users must have the `login` attribute.

{% endnote %}

If users do not have the `login` attribute, add it:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
    1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the desired app.
    1. Navigate to the **Attributes** tab.
    1. In the top-right corner, click ![plus](../../../_assets/console-icons/plus.svg) **Add attribute** and in the window that opens:
        1. In the **Attribute name** field, specify `login`.
        1. In the **Value** field, select `SubjectClaims.preferred_username`.
        1. Click **Add**.

{% endlist %}

If you have configured user group mapping in SonarQube, add the user group attribute. Follow these steps:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

    1. In the top-right corner, click ![circles-3-plus](../../../_assets/console-icons/circles-3-plus.svg) **Add group attribute** and in the window that opens:
       1. In the **Attribute name** field, specify `groups`.
       1. In the **Transmitted groups** field, select `Assigned groups only`.
       1. Click **Add**.

{% endlist %}

For more information about configuring attributes, see [Configure user and group attributes](../../operations/applications/saml-create.md#setup-attributes).

### Add users {#add-users}

For your organization's users to be able to authenticate in SonarQube with Yandex Identity Hub's SAML app, you need to explicitly add these users and/or [user groups](../../concepts/groups.md) to your SAML app.

{% note info %}

Users and groups added to a SAML application can be managed by a user with the `organization-manager.samlApplications.userAdmin` [role](../../security/index.md#organization-manager-samlApplications-userAdmin) or higher.

{% endnote %}

1. If you have configured user group mapping on the SonarQube side, [create](../../operations/create-group.md) the required [group](../../concepts/groups.md):

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

        1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
        1. In the left-hand panel, select ![groups](../../../_assets/console-icons/persons.svg) **Groups**.
        1. In the top-right corner of the page, click ![Circles3Plus](../../../_assets/console-icons/circles-3-plus.svg) **Create group**.
        1. Enter the name: `test-group`.
        1. Click **Create group**.
        1. Add users to the group:
            1. Navigate to the **Members** tab.  
            1. Click **Add member**.
            1. In the window that opens, select the required users.
            1. Click **Save**.

    {% endlist %}

1. Add users to the application:

    {% list tabs group=instructions %}

    - Cloud Center UI {#cloud-center}

        1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
        1. In the left-hand panel, select ![shapes-4](../../../_assets/console-icons/shapes-4.svg) **Apps** and select the required app.
        1. Navigate to the **Users and groups** tab.
        1. Click ![person-plus](../../../_assets/console-icons/person-plus.svg) **Add users**.
        1. In the window that opens, select the required user or user group.
        1. Click **Add**.

    {% endlist %}

## Make sure your application works correctly {#validate}

To ensure that your SAML app and integration with SonarQube are working correctly, authenticate to SonarQube as one of the users you added to the app. Follow these steps:

1. In your browser, navigate to the address of your SonarQube instance, e.g., `https://<your-domain>`.
1. If you were logged in to SonarQube, log out.
1. On the SonarQube authentication page, click **Log in with SAML**.
1. On the Yandex Cloud authentication page, enter the email address and user password. The user or group they belong to must be added to the application.
1. Make sure you have authenticated in SonarQube.
1. If you have configured role mapping, go to the user profile in SonarQube and make sure the appropriate group is displayed under **Groups**.