I’m using SonarQube version 10.2.1-community deployed via Helm chart.
I’m trying to authenticate using SAML Okta.
The application used to work fine with LDAP until integrating it with OKTA (SAML).
I am getting an error when authenticating users:
You’re not authorized to access this page. Please contact the administrator.
And in the logs I have mainly these errors:
Caused by: java.io.IOException: java.lang.IllegalArgumentException: Illegal base64 character 24
at java.base/sun.security.provider.X509Factory.readOneBlock(Unknown Source)
Caused by: java.lang.IllegalArgumentException: Illegal base64 character 24
at java.base/java.util.Base64$Decoder.decode0(Unknown Source)
at java.base/java.util.Base64$Decoder.decode(Unknown Source)
ERROR web[AY3pZ3AlPh7rVGVQAAo/][c.o.s.s.Saml2Settings] idp_cert_or_fingerprint_not_found_and_required
ERROR web[AY3pZ3AlPh7rVGVQAAo/][c.o.saml2.Auth] Invalid settings: idp_cert_or_fingerprint_not_found_and_required
WARN web[AY3pZ3AlPh7rVGVQAApA][o.s.s.a.AuthenticationError] CSRF state value is invalid
In the SonarQube configuration for the Identity provider certificate I used the certificate generated during the creation of Okta application.
My question is: should we encode the certificate? Is there any special format that needs to be used?
Note that I followed the exact same steps provided here for the creation of Okta application
And yes, I did use it this way in the SAML configuration, always with the same error as mentioned earlier. I also tried removing \n, using only what exists between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, encoding it, etc., but the same error always persists.
With the exact same error logs posted previously, using the same certificate. It looks like the Java class is having an issue with the format of the certificate?
Basically, the two improvements you shared were on the front-end side; were there any other improvements on the backend side as well?
Hello;
We upgraded the version, we are using the certificate in the form you mentioned as it is, but yet still not working. We would love to get your inputs regarding this topic.
Thank you
This is a Community Forum without an SLA – it sounds like the issue is migrating to SAML, while your users should still be able to login with LDAP, is that right?
Hello,
Yes you are right I was just keeping you updated of the latest changes.
Actually yes, I moved the users back to LDAP for the moment, and now I'm testing on a nonprod instance that basically has no users registered in the DB, yet I have the error mentioned above. I already saw your blog about the migration, but currently this is not the case; I will consider this for the prod environment for sure.
To everyone who is running through this issue deploying SonarQube community using Helm Chart;
My issue was never solved by passing the certificate to the Helm Chart, but it was solved when I set up the configuration through the console.
SOLUTION: unlike what was told above, the certificate must not include the header and the footer (BEGIN CERTIFICATE and END CERTIFICATE); use what exists in between and it should work.
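To make the two findings of this thread checkable before a value is pasted into the SonarQube setting or a Helm values file, here is an added Python helper (example code, not SonarQube's or the forum's own). It strips the PEM header/footer and any real or literal "\n" line breaks so only the bare base64 body remains, as the solution above requires, and it reports any character outside the base64 alphabet the way Java does: `java.util.Base64` prints the offending byte in hex, so "Illegal base64 character 24" means 0x24, which is the `$` character, a strong hint that a templating or shell expansion mangled the value before it reached the Java decoder. The certificate bytes embedded here are a constructed stand-in that only starts with the DER SEQUENCE tag every X.509 certificate starts with; they are not a real certificate, and the sample names (`SAMPLE_PEM`, `check_idp_cert`) are this example's own.

```python
"""Validate and normalize a SAML IdP signing certificate value.

Added example for the SonarQube/Okta thread; not SonarQube code.
Input may be a full PEM block, a bare base64 body, or a value whose newlines
were flattened to literal "\\n". Output is the bare base64 body SonarQube's
console setting accepted in the thread, or a Java-style reason for rejection.
"""
import base64
import binascii
import textwrap
from typing import List, Tuple

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)

# Constructed sample: a DER SEQUENCE tag (0x30) with dummy content, NOT a real
# certificate. A real IdP certificate is one to two kilobytes of base64.
SAMPLE_DER = b"\x30\x13" + b"constructed sample!"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = "\n".join([PEM_HEADER, *textwrap.wrap(SAMPLE_B64, 64), PEM_FOOTER]) + "\n"
# The same value with a stray '$' (0x24) in the body, the kind of debris that
# makes Java report "Illegal base64 character 24".
SAMPLE_BROKEN = "\n".join([PEM_HEADER, SAMPLE_B64[:4] + "$" + SAMPLE_B64[4:], PEM_FOOTER])


def strip_pem(text: str) -> str:
    """Reduce any pasted form of the certificate to its bare base64 body.

    PEM header/footer, real newlines, literal "\\n" sequences left behind by
    some copy/paste or templating steps, and all other whitespace are removed.
    """
    body = text.replace("\\n", "\n")
    body = body.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    return "".join(body.split())


def illegal_base64_chars(body: str) -> List[Tuple[int, str, str]]:
    """Return (offset, char, hex) for every character outside the base64 alphabet.

    Java's Base64.Decoder prints the first offending byte in hex, so the log
    line 'Illegal base64 character 24' means 0x24, i.e. '$'.
    """
    return [(i, c, format(ord(c), "x")) for i, c in enumerate(body) if c not in B64_ALPHABET]


def check_idp_cert(text: str) -> Tuple[bool, str]:
    """Return (True, bare_base64_body) if usable, else (False, reason).

    The reason mirrors the Java wording so it can be matched against web.log.
    """
    body = strip_pem(text)
    if not body:
        return False, "empty certificate value"
    bad = illegal_base64_chars(body)
    if bad:
        offset, ch, hx = bad[0]
        return False, f"Illegal base64 character {hx} ({ch!r}) at offset {offset}"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, f"base64 body does not decode: {exc}"
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is tag 0x30;
    # anything else means the value is not a certificate at all.
    if der[:1] != b"\x30":
        return False, "decoded bytes do not start with a DER SEQUENCE tag (0x30)"
    return True, body


if __name__ == "__main__":
    for label, value in (("pem", SAMPLE_PEM), ("bare", SAMPLE_B64), ("broken", SAMPLE_BROKEN)):
        ok, detail = check_idp_cert(value)
        print(f"{label}: {'OK' if ok else 'REJECT'} -> {detail}")
```

Run it against the value actually stored in the Helm values file (or in the rendered ConfigMap/Secret, which is where templating damage shows up) rather than the file exported from Okta: if the bare body passes here but SonarQube still logs `Illegal base64 character`, the value is being altered between the chart and the JVM, which is consistent with the thread's observation that the console setting worked where the chart value did not.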