I figured it out. It’s /oauth2/callback/saml, not /oauth2/callback… This is a documentation bug.
I had to clear cookies for my SonarQube domain to make login work after some testing. You may get CSRF or OAUTH_TOKEN errors otherwise.
Here are settings that work for Okta:
- Single Sign-On URL: https://sonarqube.example.com/oauth2/callback/saml
- Audience Restriction: sonarqube
Attribute Statements
- login = user.login
- name = user.login
- email = user.email
Group Attribute Statements
- groups, Filter: Starts with example-internal:sonarqube-
Corresponding settings in SonarQube (https://sonarqube.example.com/admin/settings?category=saml):
- sonar.auth.saml.applicationId = sonarqube
- sonar.auth.saml.providerName = SAML
- sonar.auth.saml.providerId = entityId from SAML metadata, aka Identity Provider Issuer URI
- sonar.auth.saml.loginUrl = HTTP-POST binding location from SAML metadata, Identity Provider Single Sign-On URL
- sonar.auth.saml.certificate.secured = X509Certificate text in KeyInfo use=signing from SAML metadata, X.509 Certificate
- sonar.auth.saml.user.login = login
- sonar.auth.saml.user.name = name
- sonar.auth.saml.user.email = email
- sonar.auth.saml.group.name = groups