SAML Authentication no longer working with Microsoft Entra ID (Azure AD)

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    • SonarQube 10.7 Community Edition
  • how is SonarQube deployed: zip, Docker, Helm
    • zip
  • what are you trying to achieve
    • SAML Authentication with Microsoft Entra ID (Azure AD)

Hi,

We had SonarQube configured correctly, allowing the users to log into our SonarQube instance with SAML. Now, all of our SAML user accounts are unable to log into SonarQube. Logging in with credentials is still working.

Possible Cause: We had a domain change recently from @OldCompanyName to @NewCompanyName. This changed our emails and login credentials but not our company URLs. SonarQube was still working after the domain change; it was only a little while afterwards that it suddenly became an issue.

These are the issues we are seeing:
When logged out on the SonarQube homepage
Action: Click the Log in with SAML button
Result: The page reloads and takes the user back to the Log in to SonarQube screen

When logged into SonarQube using an admin account with credentials
Action: Click the Test configuration button
Result: A new tab opens with a SonarQube 404 error which says “The page you were looking for does not exist”

When on the Azure Portal, on the Test single sign-on screen
Action: Click Test sign in button
Result: A new tab opens with a SonarQube unauthorized screen which says “You’re not authorized to access this page. Please contact the administrator.” There’s a link to take you to the SonarQube home screen

Fixes attempted:

  • Updating the users' email from the old email to their new email using the SonarQube API. This didn’t break logins (This was done before we had the issue)
  • Changing the users' email back to their old email (This was done after we had the issue)
  • Reconfiguring SonarQube SAML Configuration (This was done after we had the issue)

Fixes NOT attempted:

  • Deleting the SonarQube application within the Azure Portal and setting it up from scratch (I don’t have permissions to do this)

I have included our (censored) Azure Portal and SonarQube SAML configurations.

SonarQube SAML Configuration:

  • Application ID: sonarqube
  • Provider Name: Biotronics3D
  • Provider: https://sts.windows.net/{GUID from Azure Portal}/ (Microsoft Entra Identifier)
  • SAML login url: https://login.microsoftonline.com/{GUID from Azure Portal}/saml2 (Login URL)
  • Identity provider certificate: Certificate (Base64) as text from Azure Portal
  • SAML user login attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • SAML user email attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • SAML group attribute: (blank)
  • Sign requests: Off

Azure Portal:

Basic SAML Configuration

  • Identifier (Entity ID): sonarqube
  • Reply URL (Assertion Consumer Service URL): https://sonarqube.{company}.com/oauth2/callback/saml
  • Sign on URL: Optional
  • Relay State (Optional): Optional
  • Logout Url (Optional): Optional

Attributes & Claims

Token signing certificate

  • Status: Active
  • Thumbprint: {40 character string}
  • Expiration: 24/04/2027, 12:32:06
  • Notification Email: {Support Email}
  • App Federation Metadata Url: https://login.microsoftonline.com/{GUID from Azure Portal}/federationmetadata/2007-06/federationmetadata.xml?appid={App ID GUID}
  • etc

Verification certificates (optional)

  • Required: No
  • Active: 0
  • Expired: 0

Set up SonarQubeSAML

  • Login URL: https://login.microsoftonline.com/{GUID from Azure Portal}/saml2
  • Microsoft Entra Identifier: https://sts.windows.net/{GUID from Azure Portal}/
  • Logout URL: https://login.microsoftonline.com/{GUID from Azure Portal}/saml2

Looking forward to hearing from you.

Meta: I’ve had to add a Zero-Width Space (ZWSP) Character ​ to the links and domains as it was preventing me from making this post. The actual configuration does not contain this character.

Many thanks,
Elias
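A cross-check for the configuration listed above, added here as an example and not code from the post or from SonarSource: it reads the IdP's federation metadata (the "App Federation Metadata Url" document) and diffs the entityID, HTTP-Redirect SSO URL and current signing certificates against the SonarQube "Provider", "SAML login url" and "Identity provider certificate" values, catching a trailing-slash mismatch or a rotated token-signing certificate. The metadata document is a constructed, trimmed stand-in with a placeholder tenant GUID and a fake certificate body.

```python
# Added example, not code from the post: derive the three SonarQube SAML fields
# that must match the IdP from Entra ID federation metadata and diff them against
# the configured values. SAMPLE_METADATA is a hand-written, trimmed stand-in with
# a placeholder tenant GUID and a fake certificate body.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>
        MIIFAKECERT==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _norm_cert(text: str) -> str:
    """Drop PEM armour and whitespace so a pasted cert compares byte-for-byte."""
    return "".join(ln.strip() for ln in text.splitlines() if not ln.startswith("-----"))

def expected_settings(metadata_xml: str) -> dict:
    """Read entityID, the HTTP-Redirect SSO URL and signing certs from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"Provider": root.get("entityID"),
            "SAML login url": None if sso is None else sso.get("Location"),
            "Identity provider certificate": [_norm_cert(c.text) for c in certs]}

def check_sonar_config(configured: dict, metadata_xml: str) -> list:
    """Return one message per SonarQube field that disagrees with the IdP metadata."""
    want = expected_settings(metadata_xml)
    problems = []
    for field in ("Provider", "SAML login url"):  # exact string match, trailing slash included
        if configured.get(field) != want[field]:
            problems.append(f"{field}: configured {configured.get(field)!r}, metadata has {want[field]!r}")
    if _norm_cert(configured.get("Identity provider certificate", "")) not in want["Identity provider certificate"]:
        problems.append("Identity provider certificate: not a current IdP signing cert (rotated or mis-pasted?)")
    return problems
```

Against a live tenant, fetch the metadata URL shown in the Azure Portal listing and pass its body as `metadata_xml`; an empty list means the three fields agree with what the IdP is currently publishing.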

Hi Elias,

Can you check your server logs, specifically web.log? You may need to turn server logging up to DEBUG to see much, but that should give us a clue what to do next.

 
Ann

Hi Ann,

Thank you for the suggestion, as it led me to find the issue. Our SonarQube instance is using IIS as a reverse proxy and, while these steps had been done before, I had to do Step 1 from this linked post as for some reason it was now checked.

This is now resolved.

Thanks again,
Elias

