SAML authentication not working behind Azure Application Gateway

Version: SonarQube CE 8.6.0.39681

I have set up SonarQube behind Azure Application Gateway (AGW). Basically, AGW is like a reverse proxy. AGW has a public IP address and it forwards requests to SonarQube and my other applications. Based on my experience with other applications, AGW sets the X-Forwarded-* headers correctly. SonarQube has a private IP address and hostname.

Now I am trying to set up SAML authentication using Azure AD. Otherwise it works fine, but the callback to SonarQube fails. I can see an error like this in the logs:

The response was received at https://sonarqube.private.example.com/oauth2/callback/saml instead of https://sonarqube.public.example.com/oauth2/callback/saml

I have set the SonarQube base URL as https://sonarqube.public.example.com. Clearly this is used to generate the callback URL (AssertionConsumerServiceURL) but not to validate the response.

How can I configure SonarQube to use the base URL / public hostname to validate the response?

There is a related question on the Microsoft site -> https://docs.microsoft.com/en-us/answers/questions/152511/sending-saml-response-to-a-different-url.html. It looks to me that Azure AD does allow changing the reply URL inside the message.
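To illustrate the check that produces the log message above, here is an added example (not SonarQube's code, nor the original poster's): it reconstructs the URL a SAML receiver believes it received the response at, once from the Host header the proxy passes through and once from the X-Forwarded-* headers, and compares it with the Destination in the response. The header values and the Destination are constructed samples using the hostnames from the question; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the callback request as the SonarQube host sees it after
# AGW forwards it (private hostname in Host, public hostname in X-Forwarded-*).
FORWARDED_REQUEST = {
    "Host": "sonarqube.private.example.com",
    "X-Forwarded-Host": "sonarqube.public.example.com",
    "X-Forwarded-Proto": "https",
}
CALLBACK_PATH = "/oauth2/callback/saml"
# Constructed: the Destination that the IdP writes into the SAMLResponse. It is
# the ACS URL the app registered, i.e. derived from the public base URL.
RESPONSE_DESTINATION = "https://sonarqube.public.example.com/oauth2/callback/saml"


def effective_url(headers, path, scheme="https", trust_forwarded=False):
    """Reconstruct the URL the receiver will compare against Destination.

    trust_forwarded=False: use the Host header as received from the proxy,
    which here is the private hostname.
    trust_forwarded=True: honour X-Forwarded-Host / X-Forwarded-Proto, which a
    receiver should only do for headers set by a proxy it trusts.
    """
    host = headers["Host"]
    if trust_forwarded:
        host = headers.get("X-Forwarded-Host", host)
        scheme = headers.get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{host}{path}"


def check_destination(destination, received_at):
    """SAML requires the Destination attribute to match the URL at which the
    response was actually received; scheme and host compare case-insensitively,
    the path exactly. Returns (ok, message) in the style of the question's log.
    """
    d, r = urlsplit(destination), urlsplit(received_at)
    ok = (d.scheme.lower(), d.netloc.lower(), d.path) == (
        r.scheme.lower(), r.netloc.lower(), r.path)
    if ok:
        return True, "destination matches"
    return False, f"The response was received at {received_at} instead of {destination}"
```

Run with `trust_forwarded=False` the check reproduces the error from the logs; with `trust_forwarded=True` the public hostname is reconstructed and the response is accepted, which is the behaviour the question is asking SonarQube to provide.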