Error authenticating to SonarQube using SAML Okta


I’m using SonarQube version 10.2.1-community deployed via Helm chart.
I’m trying to authenticate using SAML Okta.
The application used to work fine with LDAP until integrating it with OKTA (SAML).
I am getting an error to authenticate with users:

You’re not authorized to access this page. Please contact the administrator.

And in the logs I have mainly these errors:

Caused by: java.lang.IllegalArgumentException: Illegal base64 character 24
     at java.base/ Source)
Caused by: java.lang.IllegalArgumentException: Illegal base64 character 24
     at java.base/java.util.Base64$Decoder.decode0(Unknown Source)
     at java.base/java.util.Base64$Decoder.decode(Unknown Source)
ERROR web[AY3pZ3AlPh7rVGVQAAo/][c.o.s.s.Saml2Settings] idp_cert_or_fingerprint_not_found_and_required
ERROR web[AY3pZ3AlPh7rVGVQAAo/][c.o.saml2.Auth] Invalid settings: idp_cert_or_fingerprint_not_found_and_required
WARN web[AY3pZ3AlPh7rVGVQAApA][o.s.s.a.AuthenticationError] CSRF state value is invalid

In the SonarQube configuration for the Identity provider certificate I used the certificate generated during the creation of Okta application.
My question is: should we encode the certificate? is there any special format that needs to be used?
Note that I followed the exact same steps provided here for the creation of Okta application

Thank you for your time.

Hey there.

Does your identity provider certificate start with ----START CERTIFICATE----- and end with -----END CERTIFICATE-----?

Whatever certificate you have that looks like that, should be put into that setting verbatim (no encoding needed).

Thank you for your reply.
Yes exactly my certificate format is like below:


And yes I did use it this way in the SAML configuration, always the same error as mentioned earlier. I also tried removing \n, using only what exists between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, encoding it, etc., but always the same error persists.


It looks like we’ve improved some things related to testing the configuration of SAML in newer versions of SonarQube (SONAR-20920 and SONAR-20921).

Since SonarQube v10.2.1 is an EOL version of SonarQube, can you try upgrading to 10.4.1?

Thank you for your reply.
I will proceed to test the upgrade and re-check again.

I upgraded SonarQube to version 10.4.1 as recommended, yet I still get the same error

With the exact same error logs posted previously, using the same certificate. It looks like the Java class is having an issue with the format of the certificate?
Basically the two improvements you shared were on the front side; were there any other improvements on the backend side as well?

Thank you

We upgraded the version, we are using the certificate in the form you mentioned as it is, but yet still not working. We would love to get your inputs regarding this topic.
Thank you

This is a Community Forum without an SLA – it sounds like the issue is migrating to SAML, while your users should still be able to login with LDAP, is that right?

Yes you are right I was just keeping you updated of the latest changes.
Actually yes, I moved the users back to LDAP for the moment, and now I’m testing on a nonprod instance that basically has no users registered in the DB, yet I have that error mentioned above. I already saw your blog about the migration but currently this is not the case; I will consider this for the prod environment for sure.

To everyone who is running through this issue deploying SonarQube community using Helm Chart;
My issue was never solved by passing the certificate to the Helm Chart, but it was solved when I set up the configuration through the console.
SOLUTION: unlike what was told above, the certificate must not include the header and the footer (BEGIN CERTIFICATE, and END CERTIFICATE); use what exists in between and it should work 🙂
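Added example, not code from this thread or from SonarSource: a small Python helper that turns a PEM-armored IdP certificate into the bare base64 body the solution above describes (also tolerating literal "\n" sequences from a single-line Helm value), then checks it the way the strict Java Base64 decoder in the logs would, reporting the offending character in hex. The sample certificate bytes are constructed and stand in for a real Okta certificate.

```python
import base64
import re

# Constructed sample standing in for an Okta IdP certificate: the base64 body is a
# minimal DER SEQUENCE (tag 0x30), which is how every X.509 certificate begins.
DER_SAMPLE = bytes.fromhex("3006020100020101")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(DER_SAMPLE).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

# Characters the strict (non-MIME) java.util.Base64 decoder accepts.
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=]")


def strip_pem_armor(text: str) -> str:
    """Return the bare base64 body: drop BEGIN/END lines and every whitespace char.

    A literal backslash-n (as pasted into a one-line YAML value) is treated as a newline.
    """
    text = text.replace("\\n", "\n")
    body_lines = [
        line for line in text.splitlines() if not line.strip().startswith("-----")
    ]
    return "".join("".join(line.split()) for line in body_lines)


def first_illegal_char(body: str):
    """Mimic java.util.Base64: return (index, char) of the first illegal char, or None."""
    for i, ch in enumerate(body):
        if not _B64_ALPHABET.fullmatch(ch):
            return i, ch
    return None


def validate_idp_certificate(body: str) -> bytes:
    """Strictly decode the body and check it is DER; raise ValueError on failure."""
    bad = first_illegal_char(body)
    if bad is not None:
        idx, ch = bad
        # Java reports the code point in hex, so the "24" in the thread's log is '$'.
        raise ValueError(f"Illegal base64 character {ord(ch):x} ({ch!r}) at offset {idx}")
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("Decoded bytes do not start with a DER SEQUENCE (not an X.509 cert)")
    return der


if __name__ == "__main__":
    value = strip_pem_armor(SAMPLE_PEM)
    print("Value for the Identity provider certificate setting:", value)
    print("Decoded", len(validate_idp_certificate(value)), "DER bytes")
```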