SAML Authentication Issue after Updating to v8.4

  • SonarQube Developer Edition v8.4

  • Running on Windows Server, using IIS reverse proxy

  • SAML authentication with Azure AD as the IDP, worked fine on each new version until v8.4.

  • You’re not authorized to access this page. Please contact the administrator. Reason: The response was received at http://localhost:9000/oauth2/callback/saml instead of https://****.com/oauth2/callback/saml

  • Set up SAML single sign on to authenticate with Azure AD as the IDP on v8.3, using IIS proxy - this works fine. Then upgrade to v8.4 - it breaks with the error above.

  • Currently had to go back to v8.3

Hi,

Welcome to the community!

There were some changes to SAML auth in 8.4 that we didn’t think would be a big deal. These other threads may help you:

 
HTH,
Ann

Hi Ann,

I note Brian in the first post found a resolution, using IIS proxy (which we are using), however I don’t understand the solution:

So, with IIS, the X_FORWARDED_FOR is HTTP_X_FORWARDED_FOR. IIS works perfectly with the ARR and Rewrite module for the Reverse Proxy and AD FS integration!

Any ideas where I can get further assistance with this?

My IIS web.config looks like this, as per the documentation:

<serverVariables>
  <set name="ORIGINAL_URL" value="{HTTP_HOST}" />
  <set name="X_FORWARDED_PROTO" value="https" />
</serverVariables>

What needs to be changed?

Hi @cloudBrett,

The documentation doesn’t explicitly state any config for IIS (it links to this tutorial instead). I think the solution Brian stumbled upon is that HTTP headers in web.config need to be prefixed with HTTP_.

So, probably you would need something like:

<serverVariables>
  <set name="ORIGINAL_URL" value="{HTTP_HOST}" />
  <set name="HTTP_X_FORWARDED_PROTO" value="https" />
  <!-- Also maybe this one? <set name="HTTP_X_FORWARDED_FOR" value="{HTTP_HOST}" /> -->
</serverVariables>

Let us know if that helps.

Thanks, I’ll try that

@cloudBrett did this work for you? I am running into this problem after upgrading today.

Nope, this didn’t work for me. I added in both suggested variables and it returned http error 500.

I haven’t tried anything. I am waiting on our Azure AD guy to get back to me.

I’ve tried a few things.
Unfortunately going to have to revert back to version 8.3 again :frowning:

It’s a shame that solution was not more detailed.

Hi Brett,
Have you checked your Server Base URL (sonar.core.serverBaseURL) setting hasn’t been reset?

Yes, I’ve confirmed that the base URL is configured correctly.

I didn’t know what IIS was so I was a bit lost - I am on Linux. I was able to fix it with a single config in my Apache setup

ProxyPreserveHost On

Thanks @cpfort for explaining how you’ve fixed your issue.

FYI, what you’ve added is what is documented in the section “Securing the Server Behind a Proxy” in https://docs.sonarqube.org/latest/setup/operate-server/

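An added example, not part of any post in this thread and not SonarQube's code: a simplified model of why the error at the top of the thread appears and which forwarded headers clear it. It assumes the backend rebuilds its own URL from the Host header and X-Forwarded-Proto, and `sonar.example.com` is a placeholder hostname.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/oauth2/callback/saml"  # path taken from the error message in this thread

def url_seen_by_backend(headers, default_scheme="http", default_host="localhost:9000"):
    """Rebuild the URL the backend believes it was called on.

    Assumed model: the scheme comes from X-Forwarded-Proto when present, otherwise
    from the plain-HTTP proxy-to-backend hop; the host comes from the Host header.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", default_scheme).split(",")[0].strip().lower()
    host = h.get("host", default_host).strip().lower()
    return f"{scheme}://{host}{CALLBACK_PATH}"

def check_destination(destination, headers):
    """Return (ok, reason), comparing the SAML Destination with the rebuilt URL."""
    received = url_seen_by_backend(headers)
    a, b = urlsplit(destination), urlsplit(received)
    if (a.scheme, a.netloc.lower(), a.path) == (b.scheme, b.netloc, b.path):
        return True, "match"
    return False, f"The response was received at {received} instead of {destination}"

# Constructed sample data: the Destination the IdP was configured with,
# and the headers three different proxy setups would pass to the backend.
DESTINATION = "https://sonar.example.com" + CALLBACK_PATH
PROXY_SETUPS = {
    # Proxy rewrites Host to the backend address and sends no scheme hint.
    "host rewritten, no proto": {"Host": "localhost:9000"},
    # Host preserved (Apache: ProxyPreserveHost On) but scheme still unknown.
    "host preserved, no proto": {"Host": "sonar.example.com"},
    # Host preserved and X-Forwarded-Proto set by the TLS-terminating proxy.
    "host preserved, proto https": {"Host": "sonar.example.com",
                                    "X-Forwarded-Proto": "https"},
}

def run_all():
    """Evaluate every constructed proxy setup against the Destination."""
    return {name: check_destination(DESTINATION, hdrs)
            for name, hdrs in PROXY_SETUPS.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_all().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```
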

Hello there,

What about if Sonar is behind AWS ELB?

Any plans to fix the SAML issue without messing around with headers, proxies and load balancers?

Phillip

I am also facing the same issue. In my case I am using Apache httpd. It was working fine with 7.9.2 CE, but after I upgraded to 7.9.4 CE, I am facing the SAML unauthorized issue.

Not sure it is related but it is worth checking that all your URLs are https instead of http.

Update from me: I’m in the process of migrating from a Windows VM, and running SonarQube on an Azure app service, which negates the IIS requirement.

Hi Ann,

These late changes in Sonar SAML have been quite a big deal, making our Sonar Developer License instance completely useless.

Kind regards,

Phillip

Hey all.

Hopefully this post can help out.