So @ganncamp and @julienlancelot, thinking through this, the AD FS (or even AAD) callback endpoint is configured here (see image) [we used: https://[fqdn]/oauth2/callback/saml].
]
(original poster rights reserved)
Although, we can come back later in a dialog box to add another endpoint, it does not (and would not be wise for obvious security reasons) for us to add an http version of this, http://[fqdn]/oauth2/callback/saml. Yet, this is what the error seems to say. Our backend endpoint is configured to http://[fqdn]:9000/ and our sonar.core.serverBaseURL property is https://[fqdn]. So, if anything, it seems that our response that is received would have been something like, http://[fqdn]:9000/oauth2/callack/saml instead of what we see in the error message below:
You’re not authorized to access this page. Please contact the administrator.
Reason: The response was received at http://[fqdn]/oauth2/callback/saml instead of https://[fqdn]/oauth2/callback/saml
So, I get it that you’re attempting to validate the validity of the endpoint, so that it’s not spoofed, but is there a way to do it without using the protocol as part of the comparison? Or have a configuration to allow the check or the protocol to be ignored? The system should realize that an http URI would be invalid (security wise) anyway, or is it (not sure of the intention or design)? Thoughts?