IS SAML now included in 7.9 LTS? and if so, having issues

Must-share information

  • which versions are you using latest 7.9 LTS
  • **Trying to do SAML with keycloak 6.0.1 **

So Far: WITHOUT installing the plugin (the docs indicate it’s already there on 7.9? because the menus are there???

I’ve done all the configuration, but no matter what I try… I’m getting a “invalid redirect uri” using this guide: https://docs.sonarqube.org/latest/instance-administration/delegated-auth/ for SAML/Keycloak

If it makes a difference… I’ve got keycloak with SAML working with gitlab and with nexus… I just can’t get sonarqube working…

Hi @Ira_Moss and welcome to this community !

Indeed, the SAML plugin is already embedded in SonarQube, see this product news https://www.sonarqube.org/sonarqube-7-9-lts/ for more detail.

About your issue, could you please check that you’ve correctly set the Server base URL setting (In General Settings -> General) ?

Regards

ok… very interesting… No, I had not set this yet.

But, problem persists in different way.

Now, I STILL get invalid redirect uri unless I change the Valid Redirect URIs to “*” However, THEN, I get You’re not authorized…Reason: Signature validation failed. SAML Response rejected.

so still stuck… but “maybe” farther?

Sorry, see other posts… I didn’t respond directly to you…

more specifically.

my config on sonar looks like this:
indent preformatted text by 4 spaces
- sonar.jdbc.url=jdbc:postgresql://{DB_HOST}/sonarqube_production - sonar.jdbc.username=sonarqube - sonar.jdbc.password={DB_PASSWD}
- sonar.forceAuthentication=true
- email.prefix=[FACTORY SONARQUBE]
- email.from=noreply@sonarqube.factory.example.com
- email.fromName=“example FACTORY - SonarQube”
- email.smtp_host.secured=10.205.16.13
- sonar.lf.logoUrl=http://10.205.222.186/ICONS/example-PNG.png
- sonar.auth.saml.enabled=True
- sonar.auth.saml.applicationId=sonarqube
- sonar.auth.saml.providerName=SAML
- sonar.auth.saml.providerId=https://auth.factory.example.com/auth/realms/testing
- sonar.auth.saml.loginUrl=https://auth.factory.example.com/auth/realms/testing/protocol/saml
- sonar.auth.saml.user.login=login
- sonar.auth.saml.user.name=name
- sonar.auth.saml.user.email=email
- sonar.auth.saml.group.name=groups
- sonar.core.serverBaseURL=“https://sonarqube.factory.example.com

Also, the documentation says:

Provider certificate is the value of “dsig:X509Certificate” node in the XML configuration file

However in order to do this, I have to turn on Client Signature Required, get the value from the output of the install on Keycloak, and then turn it back off… because Client Signature Required has to be disabled?

@julienlancelot Two different systems I’m playing with… One I get the token error, the other I get the dreaded You’re not authorized to access this page. Please contact the administrator.

Ok, there’s a lot of information, I’ll try to clarify.

  1. Do you confirm that all sonar.auth.* and sonar.core.serverBaseURL settings are set in the UI and not in the sonar.properties file ? If not, please remove them from the fil and set them in the UI.
  2. I confirm that Client Signature Required must always be set to OFF.
  3. For the Provider certificate, the best way is to go to Reaml Settings -> Keys -> Click on Certificate button, the certificate will be displayed in the popup.

@julienlancelot I’ll check on that when I get back to the office. Thanks.!

I think a update to the doc would be good?
i.e.

in delegated-auth section it says grab it from the export of the install file… Which would actually be the WRONG cert anyways.

The cert you want me to grab Realm Settings --> Keys --> Cert is for the Realm, and is not the same cert as mentioned in the instructions.

I’ll check back with you.

Thanks!

Indeed, the doc will be updated.

Thanks to come back when you’ll validate that it’s now working.