Cookie 'OAUTHSTATE' is missing GSUITE

Hi,

SonarQube ID information
Server ID: 908D41E5-AXRKioK3UuuNHsh8Z0G_
Version: 8.4.1.35646

Trying to set up SAML with G Suite but getting Cookie ‘OAUTHSTATE’ is missing - not sure what I’m missing.

    <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">name@email.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2020-09-07T12:51:34.644Z" Recipient="https://company.com/oauth2/callback/saml"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2020-09-07T12:41:34.644Z" NotOnOrAfter="2020-09-07T12:51:34.644Z"><saml2:AudienceRestriction><saml2:Audience>https://accounts.google.com/o/saml2?idpid=xxxxx</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute Name="email"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">name@email.com</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="login"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">rkamalie@unifonic.com</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="name"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">name</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement><saml2:AuthnStatement AuthnInstant="2020-08-26T17:27:27.000Z" SessionIndex="_ab8faa348bfe7c2559afd79"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
    2020.09.07 12:46:35 ERROR web[AXROsjvKoO9TaRYRAI2I][c.o.s.a.SamlResponse] sonarqube is not a valid audience for this Response
    2020.09.07 12:46:35 ERROR web[AXROsjvKoO9TaRYRAI2I][c.o.saml2.Auth] processResponse error. invalid_response

Hello Riza,

The Cookie ‘OAUTHSTATE’ is missing error usually means either:

  • Authentication is being initiated from the IDP (Identity Provider) rather than SonarQube (the SP, or Service Provider) itself.
  • Are you actually initiating login directly from SonarQube? Usually something in between is affecting the existence of a cookie called OAUTHSTATE.

Here are some notes on how it should work:

  • Before redirecting to the SAML provider, SonarQube creates a token.
  • From this token:
    • it will set a cookie named OAUTHSTATE whose value is the sha256 hash of this token (on the SonarQube domain).
    • it will redirect (think HTTP 302) to the SAML provider with a request parameter named RelayState providing this token value.
  • When the authentication is done, the SAML provider will also redirect back with this RelayState parameter and the same value.
  • SonarQube will check that the sha256 hash of the RelayState value matches the value of the OAUTHSTATE cookie set up before.

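The check described in the answer above, as an added example that is not SonarQube's own code: the SP stores sha256(token) in the OAUTHSTATE cookie, sends the raw token as RelayState, and on the callback recomputes the hash and compares. The scenario names, the `simulate` helper and the constant-time comparison are my assumptions, not taken from the thread.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def start_login() -> Tuple[str, str]:
    """SP side, step 1: mint a token; return (cookie_value, relay_state).
    The cookie holds only the hash, the IdP round-trip carries the raw token."""
    token = secrets.token_urlsafe(32)
    cookie = hashlib.sha256(token.encode()).hexdigest()
    return cookie, token


def verify_callback(cookies: Dict[str, str], relay_state: Optional[str]) -> str:
    """SP side, step 2: re-derive the hash from RelayState and compare it with
    the cookie the browser sent back. Returns 'ok' or the reason for rejection."""
    cookie = cookies.get("OAUTHSTATE")
    if cookie is None:
        return "Cookie 'OAUTHSTATE' is missing"
    if not relay_state:
        return "RelayState missing"
    expected = hashlib.sha256(relay_state.encode()).hexdigest()
    # constant-time compare (assumption: hardening, not stated in the thread)
    if not hmac.compare_digest(expected, cookie):
        return "RelayState does not match OAUTHSTATE"
    return "ok"


def simulate(scenario: str) -> str:
    """Walk the flows that matter for the error in this thread (constructed cases)."""
    browser_cookies: Dict[str, str] = {}
    if scenario == "sp_initiated":
        cookie, relay_state = start_login()
        browser_cookies["OAUTHSTATE"] = cookie  # set on the SonarQube domain
        # 302 to the IdP, user authenticates, IdP posts back the same RelayState
    elif scenario == "idp_initiated":
        # Login started at the IdP: SonarQube never minted a token or set a cookie
        relay_state = "value-chosen-by-idp"
    elif scenario == "cookie_dropped":
        _cookie, relay_state = start_login()
        # Cookie was set, but the callback lands on another host/path (e.g. a
        # proxy rewriting the URL), so the browser does not send it back
    else:
        raise ValueError(scenario)
    return verify_callback(browser_cookies, relay_state)
```

Both failing scenarios surface as the same "Cookie 'OAUTHSTATE' is missing" message, which is why the answer asks where the login was initiated and what sits between the browser and SonarQube.
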
Thanks Eric, let me review this and get back to you with my findings.