SAML Authentication Failure in SonarQube 2025.1 LTA Version

  • Versions: SonarQube Enterprise Edition - 2025.1 LTA
  • SonarQube deployed: Helm
  • Trying to achieve: Enable SAML Authentication
  • Tried so far to achieve this: Configured Sonar settings and enabled SAML settings

Hi All,

The new version of SonarQube, v2025.1, is supposed to enable SAML-based authentication for users to access the SonarQube portal, and it's configured with the mandatory settings suggested in the Sonar documentation:

https://docs.sonarsource.com/sonarqube-server/2025.1/instance-administration/authentication/saml/overview/
  1. After enabling SAML we are facing the error mentioned below.
    Note: SAML sign requests is disabled. The private key and public cert need to be specified only if this is enabled.
    Error:
    Processing of request /saml/validation?CSRFToken=xxxxxxx failed
    java.lang.IllegalArgumentException: Error while loading PKCS8 private key, please check the format

  2. The Sonar setting “sonar.auth.saml.certificate.secured” has already been set with the respective X.509 certificate to authenticate SAML.

Questions:

  1. sonar.auth.saml.signature.enabled is set to false. Why is SonarQube still trying to look for the private key? As per the documentation, the private key will come into the picture if the above setting is set to true.

  2. What format of certificate should be configured for the setting “sonar.auth.saml.certificate.secured”?

    • Plain text?
    • Actual certificate value?
    • Certificate value in a single line with -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----?
    • Base64-encoded cert value?
    • Encrypted certificate?

Hello @rvk,

Welcome to the community. I understand that you have set the sonar.auth.saml.signature.enabled setting to false. Can you please tell me if you have set either of these settings?

  1. sonar.auth.saml.sp.privateKey.secured
  2. sonar.auth.saml.sp.certificate.secured

You would need to clear these settings as well from the configuration.

We have this ticket - Jira to improve the situation on the UI when service provider key and certificate are passed. The fix will be available in 2025.3.

As a workaround, you can manually call the /api/settings/reset POST API with the keys param: sonar.auth.saml.sp.privateKey.secured,sonar.auth.saml.sp.certificate.secured

As for the second question, the certificate must be encoded in PEM or CER format. For example, it should look something like this:

-----BEGIN CERTIFICATE-----
MIICMzCCAZygAwIBAgIJALiPnVsvq8dsMA0GCSqGSIb3DQEBBQUAMFMxCzAJBgNV
BAYTAlVTMQwwCgYDVQQIEwNmb28xDDAKBgNVBAcTA2ZvbzEMMAoGA1UEChMDZm9v
MQwwCgYDVQQLEwNmb28xDDAKBgNVBAMTA2ZvbzAeFw0xMzAzMTkxNTQwMTlaFw0x
ODAzMTgxNTQwMTlaMFMxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNmb28xDDAKBgNV
BAcTA2ZvbzEMMAoGA1UEChMDZm9vMQwwCgYDVQQLEwNmb28xDDAKBgNVBAMTA2Zv
bzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzdGfxi9CNbMf1UUcvDQh7MYB
OveIHyc0E0KIbhjK5FkCBU4CiZrbfHagaW7ZEcN0tt3EvpbOMxxc/ZQU2WN/s/wP
.
.
.
-----END CERTIFICATE-----

Hope this helps!

Cheers,
Sarath
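
A local pre-flight check for the format question above, as an added example that is not part of the original posts or SonarQube's own code: it reports which of the forms listed in the question a value is in before it is pasted into sonar.auth.saml.certificate.secured. The function names and sample values are constructed here, and the check covers only the PEM armor and the outer DER tag.

```python
import base64
import binascii
import re
import textwrap

# One PEM block: BEGIN label, base64 body, END line with the same label.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def classify_setting_value(value: str) -> str:
    """Classify text destined for a SAML certificate or key setting.

    Checks the PEM armor and the outer DER tag only; it is not a full
    X.509 or PKCS#8 parser.
    """
    value = value.strip()
    m = PEM_RE.fullmatch(value)
    body = m.group(2) if m else value
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "invalid: body is not base64"
    if not der or der[0] != 0x30:  # certificates and keys are DER SEQUENCEs
        return "invalid: decoded body is not a DER SEQUENCE"
    if not m:
        return "bare base64 DER (no BEGIN/END armor)"
    label = m.group(1)
    if label == "CERTIFICATE":
        return "PEM certificate"
    if label == "PRIVATE KEY":  # RFC 7468 label for unencrypted PKCS#8
        return "PEM PKCS#8 private key (unencrypted)"
    return f"PEM block of another type: {label}"

def constructed_pem(label: str) -> str:
    # Constructed sample: SEQUENCE header plus filler, NOT a real cert or key.
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----"

if __name__ == "__main__":
    samples = {
        "multi-line PEM": constructed_pem("CERTIFICATE"),
        "single-line PEM": constructed_pem("CERTIFICATE").replace("\n", " "),
        "PKCS#1 key armor": constructed_pem("RSA PRIVATE KEY"),
        "dash-mangled armor": "—BEGIN CERTIFICATE-- AAAA —END CERTIFICATE--",
    }
    for name, text in samples.items():
        print(f"{name}: {classify_setting_value(text)}")
```

The "dash-mangled armor" sample mirrors what happens when an editor or chat client replaces the five hyphens with a long dash, which leaves a value that no longer parses as PEM.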