Enable SSO for sonarqube 8.4 CE

My company uses the OneLogin application for authentication for all internal web applications. When I load sonarqube.xyz.com in the browser, OneLogin asks for user, password and Duo push, and after that it lands on the SonarQube login page. My expectation is that after OneLogin validation, the user should be logged in to SQ.
I enabled the settings below. Still it is not working.

sonar.web.sso.enable=true
sonar.web.sso.loginHeader=X-Forwarded-Login
sonar.web.sso.nameHeader=X-Forwarded-Name
sonar.web.sso.emailHeader=X-Forwarded-Email
sonar.web.sso.groupsHeader=X-Forwarded-Groups
sonar.web.sso.refreshIntervalInMinutes=5

Need help to resolve this?

Hello @Anuj_Kumar,

Could you check whether the headers you have configured exist in the request that is redirected to the SonarQube page?

I have integrated the miniOrange SAML plugin and shared the config below with the OneLogin team.

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sonarqube.xyz.com/oauth2/callback/miniorangesamlplugin"
entityID="https://sonarqube.xyz.com/sonar_saml_auth"

After this, I am able to log in using SAML. Here is the flow:

load sonarqube.xyz.com ==> OneLogin authentication ==> land on SQ login page ==> click login and then click on SAML login ==> user can see SQ page

I want to avoid all these intermediate steps.

I am also confused between SSO and SAML.
If the sonar.web.sso.xxx related properties are enough for SSO, then why is SAML needed? Are they totally different ways to enable SSO?

The plugin you are using is not supported by SonarSource. Also, I'm not familiar with it, so I'm not sure how I can help you with your problem. I would suggest asking the maintainers of this plugin to help you.

Also, SAML can be configured in the SQ instance itself; there is no need for external plugins. For this, please check the documentation first: https://docs.sonarqube.org/latest/instance-administration/delegated-auth/

I started with the article. The following things are missing w.r.t. SAML in this article:

  • How to fetch SQ metadata (specifically ACS and entityID)
  • How to find attribute mapping (login, Name, Email, Group).

If you can guide me on how to fetch the above information, I'll not use the miniOrange plugin. In fact, I prefer to avoid external plugins.

In the article it is written that 'a reverse proxy must be used if you are using SAML'. Is it mandatory? I don't have any web server installed.

I tried with the settings below.
Entity ID : sonarqube.xxx.com/sonarqube
ACS : https://sonarqube.xxx.com/oauth2/callback/saml

In SonarQube -> Admin -> Configuration -> Security -> SAML
Application ID : SonarQube

The IdP is OneLogin.
Here are the logs.

2020.08.17 10:34:02 DEBUG web[AXPob1VJGfzo8ZJ7BQe5][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_f0671518-e7c2-4191-9ec5-0d18ead6da1a" Version="2.0" IssueInstant="2020-08-17T10:34:02Z" Destination="https://xxx.onelogin.com/trust/saml2/http-post/sso/fe7e8969-53c1-429c-80c9-aaf3f196dae5" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sqnode:31028/oauth2/callback/saml"><saml:Issuer>SonarQube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>

2020.08.17 10:34:02 DEBUG web[AXPob1VJGfzo8ZJ7BQe5][c.o.saml2.Auth] AuthNRequest sent to https://xxx.onelogin.com/trust/saml2/http-post/sso/fe7e8969-53c1-429c-80c9-aaf3f196dae5 -->

2020.08.17 10:34:04 DEBUG web[AXPob1VJGfzo8ZJ7BQe9][c.o.s.a.SamlResponse] SAMLResponse invalid --> <samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfxc940f2b2-37f8-afe0-89fe-e6bad4d5e208" Version="2.0" IssueInstant="2020-08-17T10:34:04Z" Destination="" InResponseTo="ONELOGIN_f0671518-e7c2-4191-9ec5-0d18ead6da1a"><saml:Issuer>https://app.onelogin.com/saml/metadata/fe7e8969-53c1-429c-80c9-aaf3f196dae5</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfxc940f2b2-37f8-afe0-89fe-e6bad4d5e208"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>o0mIih8LBFuIe32Pnz3j90o4iaw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>fAYYwwD8WfeLhHxhMjr/+JD/ZAftzaClZ6//OIBruBD3drmbSx+7NJD+HfjHOf9msNvgDwH9+apy/Wxa080FahkqlCzknS55PanAYYxhTJIe+TmhmA0SdqEH/4ZGqz7+J+0pgQGL8Ah+w/F+FxPd6VWntFam4o9BRPt358MvthKU/Y3jiCYME7mq0THvqaW3Vi5RO0fJG4bgncGfZsMc8wBMmTdBRFi5kxXlyJncNQAVYq+oYSJ/sUbUuel/W0ukT6Umc4GZlQUdxHe9JY141ES8+7OeFnVi/lWfsWDtIUw+rx374x6+CE2oXgbY2jtw6Za1m2GfY+YzFTNjbRdMdg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>xxxxxxxxxxxxxxxxxxxxxx</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="Ae86c786406838a7cbdcaea15cc488e4806122bdc" IssueInstant="2020-08-17T10:34:04Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/fe7e8969-53c1-429c-80c9-aaf3f196dae5</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">akumar397@xxx.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2020-08-17T10:37:04Z" Recipient="" InResponseTo="ONELOGIN_f0671518-e7c2-4191-9ec5-0d18ead6da1a"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2020-08-17T10:31:04Z" NotOnOrAfter="2020-08-17T10:37:04Z"><saml:AudienceRestriction><saml:Audience>https://sonarqube-staging.xxx.com/SonarQube</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2020-08-17T10:34:03Z" SessionNotOnOrAfter="2020-08-18T10:34:04Z" SessionIndex="_b3ab9b04-1ebe-4457-8928-84a8d04a716c"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
2020.08.17 10:34:04 ERROR web[AXPob1VJGfzo8ZJ7BQe9][c.o.s.a.SamlResponse] The response has an empty Destination value
2020.08.17 10:34:04 ERROR web[AXPob1VJGfzo8ZJ7BQe9][c.o.saml2.Auth] processResponse error. invalid_response
2020.08.17 10:34:04 TRACE web[AXPob1VJGfzo8ZJ7BQe9][sql] time=0ms | sql=select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null | params=sonar.auth.saml.providerName
2020.08.17 10:34:04 TRACE web[AXPob1VJGfzo8ZJ7BQe9][o.s.a.s.SamlIdentityProvider] Name ID : null
2020.08.17 10:34:04 DEBUG web[AXPob1VJGfzo8ZJ7BQe9][auth.event] login failure [cause|The response has an empty Destination value][method|OAUTH2][provider|EXTERNAL|SAML][IP|10.80.46.167|180.151.104.71, 180.151.104.71, 127.0.0.1][login|]

I am facing the below error.

I tried to put the ACS in the Recipient field in the OneLogin configuration, but it didn't work.
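The rejection in the log ("The response has an empty Destination value", raised by the c.o.saml2.Auth library SonarQube uses) is an SP-side consistency check: the response's Destination and the assertion's Recipient must equal the SP's ACS URL, and the Audience must name the SP entity ID. The following is an added example, not code from this thread or from SonarQube, that applies those checks offline to a constructed response modelled on the logged one; the expected ACS URL and entity ID passed in are taken from the settings in the post, and the IdP ID is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample modelled on the logged response: Destination and
# Recipient are empty and the Audience does not match the SP entity ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx-constructed" Version="2.0"
  Destination="" InResponseTo="ONELOGIN_f0671518-e7c2-4191-9ec5-0d18ead6da1a">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/IDP-ID-PLACEHOLDER</saml:Issuer>
  <saml:Assertion Version="2.0" ID="A-constructed">
    <saml:Subject>
      <saml:NameID>user@xxx.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient=""
          InResponseTo="ONELOGIN_f0671518-e7c2-4191-9ec5-0d18ead6da1a"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sonarqube-staging.xxx.com/SonarQube</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, sp_entity_id, acs_url, request_id):
    """Return the SP-side problems found in a SAMLResponse (signature and
    timestamp validation are deliberately out of scope for this check)."""
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination", "")
    if not dest:
        problems.append("empty Destination")
    elif dest != acs_url:
        problems.append(f"Destination {dest!r} != ACS {acs_url!r}")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != ACS {acs_url!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain {sp_entity_id!r}")
    return problems
```

Note that the AuthnRequest in the log advertises http://sqnode:31028/oauth2/callback/saml as its AssertionConsumerServiceURL while the IdP was given https://sonarqube.xxx.com/oauth2/callback/saml, so the ACS value compared here should be the one the IdP actually received.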