No provider key found in URI


(Aaron Stromas) #1
  • Using SonarQube 7.3
  • Attempting to use SAML authentication using PingFed IdP
    ** Have configured IdP to to issue the SAML assertion
    ** Have configured SonarQube according
    ** Configured Assertion Consumer Service URL to :9000/oauth2/callback (???)
    ** When assertion is posted to that URL SonarQube responds with “You’re not authorized to access this page. Please contact the administrator.”

The web.log in TRACE mode mysteriously informs “No provider key found in URI” (see below).
TIA for any help deciphering this.

2018.09.24 11:58:22 DEBUG web[][j.m.mbeanserver] ObjectName = Tomcat:type=RequestProcessor,worker=“http-nio-”,name=HttpRequest1
2018.09.24 11:58:22 DEBUG web[][j.m.mbeanserver] name = Tomcat:type=RequestProcessor,worker=“http-nio-”,name=HttpRequest1
2018.09.24 11:58:22 DEBUG web[][j.m.mbeanserver] Send create notification of object Tomcat:name=HttpRequest1,type=RequestProcessor,worker=“http-nio-”
2018.09.24 11:58:22 DEBUG web[][j.m.mbeanserver] JMX.mbean.registered Tomcat:type=RequestProcessor,worker=“http-nio-”,name=HttpRequest1
2018.09.24 11:58:23 TRACE web[AWYMTZVq0onP1Ft3AAAA][o.s.s.u.UserSessionFilter] Thread[http-nio-,5,main] serves /oauth2/callback
2018.09.24 11:58:23 ERROR web[AWYMTZVq0onP1Ft3AAAA][o.s.s.a.AuthenticationError] No provider key found in URI
2018.09.24 11:58:23 TRACE web[AWYMTZVq0onP1Ft3AAAB][o.s.s.u.UserSessionFilter] Thread[http-nio-,5,main] serves /sessions/unauthorized
2018.09.24 11:58:23 TRACE web[AWYMTZVq0onP1Ft3AAAC][o.s.s.u.UserSessionFilter] Thread[http-nio-,5,main] serves /api/l10n/index

SAML Authentication Plugin doc is confusing
Synchronize groups using SAML authentication on Okta
(Alain O'Dea) #2

I’m having the same issue.

I get a little further by using /oauth2/callback/sonarqube, but then it fails saying this:
Failed to retrieve IdentityProvider for key ‘sonarqube’
java.lang.IllegalArgumentException: Identity provider sonarqube does not exist o
r is not enabled
at org.sonar.server.authentication.IdentityProviderRepository.getEnabled
at org.sonar.server.authentication.AuthenticationFilter.resolveProviderO
at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2C
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFi
at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServ
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at org.sonar.server.user.UserSessionFilter.doFilter(
at org.sonar.server.user.UserSessionFilter.doFilter(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
… lots of stacktrace

I suspect learning what to put in for providerKey in this URI /oauth2/callback/{providerKey} would solve this.

(Alain O'Dea) #3

I figured it out. It’s /oauth2/callback/saml not /oauth2/callback… This is a documentation bug.

I had to clear cookies for my sonarqube domain to make login work after some testing. You may get CSRF or OAUTH_TOKEN errors otherwise.

Here are settings that work for Okta:

Attribute Statements

  • login = user.login
  • name = user.login
  • email =

Group Attribute Statements

  • groups Starts with: example-internal:sonarqube-

Corresponding settings in SonarQube (

  • sonar.auth.saml.applicationId = sonarqube
  • sonar.auth.saml.providerName = SAML
  • sonar.auth.saml.providerId = entityId from SAML metadata, aka Identity Provider Issuer URI
  • sonar.auth.saml.loginUrl = HTTP-POST binding location from SAML metadata, Identity Provider Single Sign-On URL
  • sonar.auth.saml.certificate.secured = X509Certificate text in KeyInfo use=signing from SAML metadata, X.509 Certificate
  • sonar.auth.saml.user.login = login
  • = name
  • = email
  • = groups

SAML plugin doesn't create proper request
SAML Authentication Plugin doc is confusing
(Julien Lancelot) #4

A post was split to a new topic: Synchronize groups using SAML authentication on Okta

(Julien Lancelot) #5

Thanks for finding this ! In Keycloak it was working without appending saml, but it will also work with it so I’ve updated the documentation.