Attempting to use SAML authentication using PingFed IdP
** Have configured IdP to issue the SAML assertion
** Have configured SonarQube according to https://docs.sonarqube.org/display/PLUG/SAML+Authentication+Plugin
** Configured Assertion Consumer Service URL to :9000/oauth2/callback (???)
** When assertion is posted to that URL SonarQube responds with “You’re not authorized to access this page. Please contact the administrator.”
The web.log in TRACE mode mysteriously informs “No provider key found in URI” (see below).
TIA for any help deciphering this.
I get a little further by using /oauth2/callback/sonarqube, but then it fails saying this:
Failed to retrieve IdentityProvider for key ‘sonarqube’
java.lang.IllegalArgumentException: Identity provider sonarqube does not exist or is not enabled
    at org.sonar.server.authentication.IdentityProviderRepository.getEnabledByKey(IdentityProviderRepository.java:54)
    at org.sonar.server.authentication.AuthenticationFilter.resolveProviderOrHandleResponse(AuthenticationFilter.java:56)
    at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:68)
    at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126)
    at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:95)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:87)
at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:71)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
… lots of stacktrace
I suspect learning what to put in for providerKey in this URI /oauth2/callback/{providerKey} would solve this.
I have all the configuration set properly as mentioned above, but I am seeing the following errors. Can you please suggest something?
"You're not authorized to access this page. Please contact the administrator. Reason: Cookie 'OAUTHSTATE' is missing"
web.log:2019.08.02 17:35:03 DEBUG web[AWxStCuWuJXEkokKABYI][auth.event] login failure [cause|Cookie ‘OAUTHSTATE’ is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|10.0.4.247|10.0.2.171][login|]
web.log:2019.08.02 17:28:33 DEBUG web[AWxStCuWuJXEkokKABUA][auth.event] login failure [cause|CSRF state value is invalid][method|OAUTH2][provider|EXTERNAL|SAML][IP|10.0.4.247|10.0.2.171][login|]
Has anyone figured out the “OAUTHSTATE” error? IdP initiated login fails on this error for me every time, and it is preventing me from deploying the Sonarqube with SSO to more of my users.
Correct, I’m using Okta. I can engage support for help if this is an issue in the Okta side (but it seems to be an issue with the current plugin). Is there an ETA for when this will be fixed?
There's no ETA for this issue to be fixed. If you have time, you can help us by trying to understand why the HTTP parameter "RealState" is not sent in the request.
Are you referring to the “RelayState”? By default, the RelayState property is blank, unless specified manually. What relay state would SonarQube expect for an IdP-initiated login? Is the solution as simple as supplying a default relay state?
In fact, the SAML authentication is setting a random value in the "RelayState" HTTP parameter and in a cookie before the call to the IdP-initiated login.
Then, during the callback, SonarQube expects to receive this value in the "RelayState" HTTP response, and checks that the value is the same as the one in the cookie.
When using Okta, there seems to be no “RelayState” HTTP response during the callback.
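The round trip described in this reply, as an added example that is not SonarQube's or the SAML plugin's own code: the service provider mints a random state, stores it in a cookie and sends the same value as the SAML RelayState, then on the callback accepts the response only if the cookie is present and equal to the RelayState that came back. The cookie and parameter names, the request/response dataclasses and the placeholder SAMLResponse are assumptions constructed for illustration; the three scenarios reproduce the two failure messages quoted from web.log earlier in the thread.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed names for illustration; the cookie name matches the log lines quoted above.
STATE_COOKIE = "OAUTHSTATE"
RELAY_PARAM = "RelayState"


class CsrfStateError(Exception):
    """Raised when the callback cannot be tied to a login this SP started."""


@dataclass
class LoginStart:
    """What the SP hands the browser when it begins an SP-initiated login."""
    set_cookies: dict = field(default_factory=dict)
    relay_state: str = ""


@dataclass
class Callback:
    """What the browser posts back to the SP after the IdP has authenticated the user."""
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def start_login() -> LoginStart:
    """SP side, step 1: mint a random state, store it in a cookie and send it as RelayState."""
    state = secrets.token_urlsafe(32)
    return LoginStart(set_cookies={STATE_COOKIE: state}, relay_state=state)


def verify_callback(cb: Callback) -> str:
    """SP side, step 2: accept the callback only if cookie and RelayState are present and equal."""
    cookie_state = cb.cookies.get(STATE_COOKIE)
    if not cookie_state:
        raise CsrfStateError(f"Cookie '{STATE_COOKIE}' is missing")
    relay_state = cb.params.get(RELAY_PARAM, "")
    # Constant-time comparison so a forged RelayState cannot be matched byte by byte.
    if not hmac.compare_digest(cookie_state.encode(), relay_state.encode()):
        raise CsrfStateError("CSRF state value is invalid")
    return cookie_state


def outcome(cb: Callback) -> str:
    """Reduce a callback to what the user would see: 'ok' or the failure cause."""
    try:
        verify_callback(cb)
        return "ok"
    except CsrfStateError as exc:
        return str(exc)


def sp_initiated() -> str:
    """Happy path: the IdP echoes RelayState unchanged and the browser still holds the cookie."""
    start = start_login()
    cb = Callback(
        cookies=dict(start.set_cookies),
        params={"SAMLResponse": "<constructed-assertion>", RELAY_PARAM: start.relay_state},
    )
    return outcome(cb)


def idp_initiated_fresh_browser() -> str:
    """IdP-initiated login in a browser that never hit the SP: no cookie was ever set."""
    cb = Callback(cookies={}, params={"SAMLResponse": "<constructed-assertion>"})
    return outcome(cb)


def idp_initiated_stale_cookie() -> str:
    """IdP-initiated login after an earlier SP-initiated attempt left a cookie behind:
    the cookie exists, but the IdP sends no RelayState, so the values cannot match."""
    start = start_login()
    cb = Callback(cookies=dict(start.set_cookies), params={"SAMLResponse": "<constructed-assertion>"})
    return outcome(cb)


if __name__ == "__main__":
    for name, fn in [("SP-initiated", sp_initiated),
                     ("IdP-initiated, no cookie", idp_initiated_fresh_browser),
                     ("IdP-initiated, stale cookie", idp_initiated_stale_cookie)]:
        print(f"{name}: {fn()}")
```

The check is only satisfiable when the SP itself started the flow, because the random value exists nowhere else; an IdP-initiated login has no SP-side step to set the cookie, and even a lingering cookie from an earlier attempt cannot match a blank RelayState. That is why a default RelayState configured on the IdP side would not help on its own: the value must be the one the SP generated for this particular browser session.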