Okta SSO breaks after 2025.1 upgrade

SonarQube Server / Community Build
,
1

We are upgrading from Sonarqube Enterprise v10.8 to 2025.1.1 via zip.
The upgrade was successfull and we can login with the admin local account.
However the Okta SSO broke after upgrade. We are using the same configuration as previously and nothing was changed in the Okta side.
The error we are getting when trying to access with any user via SAML is:

2025.04.10 13:29:31 WARN  web[7d759273-2943-4b56-8c76-6fae668aa3dd][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'saml'
java.lang.IllegalArgumentException: Illegal base64 character 2d
	at java.base/java.util.Base64$Decoder.decode0(Base64.java:847)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
	at org.sonar.auth.saml.SamlPrivateKeyConverter.toPrivateKey(SamlPrivateKeyConverter.java:36)
	at org.sonar.auth.saml.SonarqubeRelyingPartyRegistrationRepository.addSignRequestFieldsIfNecessary(SonarqubeRelyingPartyRegistrationRepository.java:100)
	at org.sonar.auth.saml.SonarqubeRelyingPartyRegistrationRepository.findByRegistrationId(SonarqubeRelyingPartyRegistrationRepository.java:68)
	at org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver.resolve(DefaultRelyingPartyRegistrationResolver.java:83)
	at org.sonar.auth.saml.SonarqubeRelyingPartyRegistrationResolver.resolve(SonarqubeRelyingPartyRegistrationResolver.java:45)
	at org.springframework.security.saml2.provider.service.web.authentication.BaseOpenSamlAuthenticationRequestResolver.resolve(BaseOpenSamlAuthenticationRequestResolver.java:145)
	at org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver.resolve(OpenSaml4AuthenticationRequestResolver.java:69)
	at org.sonar.auth.saml.RedirectToUrlProvider.getRedirectToUrl(RedirectToUrlProvider.java:46)
	at org.sonar.auth.saml.SamlAuthenticator.initLogin(SamlAuthenticator.java:58)
	at org.sonar.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:74)
	at org.sonar.server.authentication.InitFilter.handleOAuth2IdentityProvider(InitFilter.java:103)
	at org.sonar.server.authentication.InitFilter.handleProvider(InitFilter.java:75)
	at org.sonar.server.authentication.InitFilter.doFilter(InitFilter.java:65)
	at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:194)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:165)
	at org.sonar.server.platform.web.MasterServletFilter$HttpFilterChainAdapter.doFilter(MasterServletFilter.java:208)
	at org.sonar.server.authentication.DefaultAdminCredentialsVerifierFilter.doFilter(DefaultAdminCredentialsVerifierFilter.java:83)
	at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:194)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:165)
	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:126)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:83)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:70)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.CspFilter.doFilter(CspFilter.java:67)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:60)
	at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.EndpointPathFilter.doFilter(EndpointPathFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:65)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:268)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	at java.base/java.lang.Thread.run(Thread.java:833)

If we try to test the SAML configuration in Administration> Configuration>Authentication we get the following error:

ERROR web[][o.s.s.p.w.RootFilter] Processing of request /saml/validation?CSRFToken=5vd11sgtsf607iff3b2qcdcqs0 failed
java.lang.IllegalArgumentException: Illegal base64 character 2d
	at java.base/java.util.Base64$Decoder.decode0(Base64.java:847)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
	at org.sonar.auth.saml.SamlPrivateKeyConverter.toPrivateKey(SamlPrivateKeyConverter.java:36)
	at org.sonar.auth.saml.SonarqubeRelyingPartyRegistrationRepository.addSignRequestFieldsIfNecessary(SonarqubeRelyingPartyRegistrationRepository.java:100)
	at org.sonar.auth.saml.SonarqubeRelyingPartyRegistrationRepository.findByRegistrationId(SonarqubeRelyingPartyRegistrationRepository.java:68)
	at org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver.resolve(DefaultRelyingPartyRegistrationResolver.java:83)
	at org.sonar.auth.saml.SonarqubeRelyingPartyRegistrationResolver.resolve(SonarqubeRelyingPartyRegistrationResolver.java:45)
	at org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter.convert(Saml2AuthenticationTokenConverter.java:65)
	at org.sonar.auth.saml.SamlResponseAuthenticator.processSamlResponse(SamlResponseAuthenticator.java:54)
	at org.sonar.auth.saml.SamlResponseAuthenticator.authenticate(SamlResponseAuthenticator.java:45)
	at org.sonar.auth.saml.SamlAuthenticator.getAuthenticationStatusPage(SamlAuthenticator.java:77)
	at org.sonar.server.saml.ws.ValidationAction.doFilter(ValidationAction.java:96)
	at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:194)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:165)
	at org.sonar.server.platform.web.MasterServletFilter$HttpFilterChainAdapter.doFilter(MasterServletFilter.java:208)
	at org.sonar.server.authentication.ResetPasswordFilter.doFilter(ResetPasswordFilter.java:67)
	at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:194)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:165)
	at org.sonar.server.platform.web.MasterServletFilter$HttpFilterChainAdapter.doFilter(MasterServletFilter.java:208)
	at org.sonar.server.authentication.DefaultAdminCredentialsVerifierFilter.doFilter(DefaultAdminCredentialsVerifierFilter.java:83)
	at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:194)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:165)
	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:126)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:83)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:70)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.CspFilter.doFilter(CspFilter.java:67)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:60)
	at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.EndpointPathFilter.doFilter(EndpointPathFilter.java:47)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:65)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:268)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	at java.base/java.lang.Thread.run(Thread.java:833)

Any idea why the upgrade from 10.8 to 2025.1.1 caused our Okta SSO config to fail and why with DEBUG logs we are not getting any additional information?

2

Fixed!

1.Go to Administration>Configuration>Authentication>SAML
2.Make sure to copy your settings
3.Disable configuration
4.Delete it
5.Create a new one
6.Paste the saved settings
7.Should be working normally.

Basically the update has messed with the configuration on the database side somehow, if you delete your SAML configuration and create a new one with the same parameters should make it work again!

1 Like