Configuring SAML w/ ADFS for SonarQube

Must-share information (formatted with Markdown):
Using SonarQube Enterprise 7.3, SAML 2.0 Authentication for SonarQube 1.1

We are trying to get SAML configured (using ADFS) on our SonarQube Enterprise instance. We believe we are close to getting it working but have a couple of errors we’re trying to work through.

What is the expected format for the following fields?
SAML user login attribute
SAML user name attribute

We are sending these claims:

We are passing “login” and “Name” to match our claims but are seeing the error below.
018.12.13 15:46:43 ERROR web[AWeeKRsSggugAZApAB7Y][o.s.s.a.AuthenticationError] Fail to callback authentication with ‘saml’
java.lang.NullPointerException: Name is missing
at java.util.Objects.requireNonNull(Objects.java:228)
at org.sonarsource.auth.saml.SamlIdentityProvider.getNonNullFirstAttribute(SamlIdentityProvider.java:154)
at org.sonarsource.auth.saml.SamlIdentityProvider.callback(SamlIdentityProvider.java:118)
at

Hi,

How have you configured the name field (sonar.auth.saml.providerName) in SonarQube ?

Regards,
Julien Lancelot

We left that as the default “SAML”

Oups, sorry, I was talking about “sonar.auth.saml.user.name”.

As described in the documentation, the sonar.auth.saml.user.XXX parameters must match the SAML attribute.
Is it the case for you ?

For instance, I think that sonar.auth.saml.user.name should be set to “Name” or “Display-Name”.

Yes,
sonar.auth.saml.user.name is set to “Name”
and
sonar.auth.saml.user.login is set to “login”

Then it means that it’s not these attributes that are sent.

To get the list of SAML attributes that SonarQube is receiving, you need to :

  • Change the web log to TRACE
  • Authenticate with any user
  • Search in logs/web.log for log starting with " Attributes received :"

Regards.,
Julien Lancelot

Thanks so much! Based on tracing it was expected this:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name” instead of “Name” which seems a bit crazy but it is working now :slight_smile:

One more question – we’d really like to get this working with SSO (and not have to click the login button to authenticate with SAML). From my preliminary googling the only way to make SSO work with SonarQube is via advanced nginx config (at which point one would be bypassing the SAML plugin essentially). Is there an alternative way to do this? Perhaps by pointing at the login url directly or setting up redirects? Any documentation around such an approach would be greatly appreciated.

I’m happy that you’ve been able to solve your issue !

About the fact users still need to click on the “SAML” button to authenticate on SonarQube, it won’t be possible as to change that when using SAML authentication.

What you can do is to use the HTTP headers authentication, you’ll find more info here : https://docs.sonarqube.org/latest/instance-administration/delegated-auth/

Regards,
Julien Lancelot

Hi Josh,

May i know what key you put instead of Name?

Currently the link you shared is no longer accessible.

Thanks !!

It wasn’t a link actually (or it wasn’t supposed to be). The actual string I put started with “http://”…

Can anyone please confirm what exactly needs to be given in below two fileds of SAML configuration -
sonar.auth.saml.user.login
sonar.auth.saml.user.name

Hi Josh,

Glad to know that SAML with ADFS is working for you. Can you please share the configuration if possible? Basically, looking for below configuration details -

Identifier Name
Endpoint
Claims - This one I believe is the screenshot you have shared above.

Thank you in advance!

  • Nirmit