SAML authentication not working behind Azure Application Gateway

Version: SonarQube CE

I have set up SonarQube behind Azure Application Gateway (AGW). Basically, AGW is like a reverse proxy. AGW has a public IP address and it forwards requests to SonarQube and my other applications. Based on my experience with other applications, AGW sets the X-Forwarded-* headers correctly. SonarQube has a private IP address and hostname.

Now, I am trying to set up SAML authentication using Azure AD. Otherwise it works fine, but the callback to SonarQube fails. I can see an error like this in the logs:

The response was received at instead of

I have set the SonarQube base URL as Clearly this is used to generate the callback URL (AssertionConsumerServiceURL) but not to validate the response.

How can I configure SonarQube to use the base URL / public hostname to validate the response?

There is a related question on the Microsoft site -> It looks to me that Azure AD does allow changing the reply URL inside the message.
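The mismatch described in the post, as an added example that is not part of the original post and is not SonarQube's code: a minimal sketch of the Destination check a SAML service provider performs, showing how the URL rebuilt from the backend request differs from the response's Destination unless forwarded headers are honored. All hostnames, the `/saml/acs` path, the header values and the function names are constructed assumptions; which headers a given proxy actually sends has to be verified on the deployment.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def received_url(headers, scheme, path, trust_forwarded):
    """Rebuild the URL the service provider believes the response arrived at."""
    host = headers.get("Host", "")
    if trust_forwarded:
        # Honor these only when the request can only reach the backend through
        # the proxy; otherwise a client could forge them.
        scheme = headers.get("X-Forwarded-Proto", scheme).split(",")[0].strip()
        host = headers.get("X-Forwarded-Host", host).split(",")[0].strip()
    return f"{scheme}://{host}{path}"

def normalize(url):
    """Compare scheme, host, effective port and path, ignoring case and default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port, parts.path or "/")

def destination_matches(destination, headers, scheme, path, trust_forwarded):
    """True when the SAML response's Destination equals the rebuilt request URL."""
    rebuilt = received_url(headers, scheme, path, trust_forwarded)
    return normalize(destination) == normalize(rebuilt)

# Constructed sample: Destination as issued for the public hostname, and the
# request as the backend sees it after the proxy forwarded it over plain HTTP.
DESTINATION = "https://sonar.example.com/saml/acs"
BACKEND_HEADERS = {
    "Host": "sonar-internal.corp.local:9000",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "sonar.example.com",
}

if __name__ == "__main__":
    for trust in (False, True):
        url = received_url(BACKEND_HEADERS, "http", "/saml/acs", trust)
        ok = destination_matches(DESTINATION, BACKEND_HEADERS, "http", "/saml/acs", trust)
        print(f"trust_forwarded={trust}: received at {url}, match={ok}")
```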