SAML authentication not working behind Azure Application Gateway

Version: SonarQube CE 8.6.0.39681

I have set up SonarQube behind Azure Application Gateway (AGW). Basically, AGW is like a reverse proxy. AGW has a public IP address and it forwards requests to SonarQube and my other applications. Based on my experience with other applications, AGW sets the X-Forwarded-* headers correctly. SonarQube has a private IP address and hostname.

Now, I am trying to set up SAML authentication using Azure AD. Otherwise it works fine, but the callback to SonarQube fails. I can see an error like this in the logs:

The response was received at https://sonarqube.private.example.com/oauth2/callback/saml instead of https://sonarqube.public.example.com/oauth2/callback/saml

I have set the SonarQube base URL as https://sonarqube.public.example.com. Clearly this is used to generate the callback URL (AssertionConsumerServiceURL) but not to validate the response.

How can I configure SonarQube to use the base URL / public hostname to validate the response?

There is a related question on the Microsoft site -> https://docs.microsoft.com/en-us/answers/questions/152511/sending-saml-response-to-a-different-url.html. It looks to me that Azure AD does allow changing the reply URL inside the message.
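As an added illustration (not SonarQube's own code), the following Python models the SAML Destination check that the quoted log line reflects: the IdP writes the ACS URL into the Response's Destination attribute, and the service provider must compare it with the URL it believes it received the POST on. It assumes the hostnames from the question and a constructed single-attribute Response, and shows the check failing when the receipt URL is rebuilt from the private Host header but passing when the configured base URL, or the proxy's X-Forwarded-* headers, are used instead.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
BASE_URL = "https://sonarqube.public.example.com"  # configured SonarQube base URL
ACS_PATH = "/oauth2/callback/saml"

# Constructed sample: only the attribute relevant to the check is included.
SAML_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed1" Version="2.0" '
    f'Destination="{BASE_URL}{ACS_PATH}"/>'
)

# Constructed request headers as a reverse proxy such as AGW would forward them.
AGW_HEADERS = {
    "Host": "sonarqube.private.example.com",
    "X-Forwarded-Host": "sonarqube.public.example.com",
    "X-Forwarded-Proto": "https",
}


def received_url(headers, scheme="https", path=ACS_PATH, trust_forwarded=False):
    """URL the service provider believes the SAML POST arrived on.

    With trust_forwarded=False the private Host header wins, which is the
    situation that produces the error quoted in the question."""
    host = headers["Host"]
    if trust_forwarded:  # only safe when the proxy overwrites client-supplied copies
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}{path}"


def _canonical(url):
    """Scheme and host compare case-insensitively, the path exactly (RFC 3986)."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path)


def check_destination(saml_xml, received_at):
    """Verify the Destination attribute, as SAML 2.0 Core requires when it is
    present. Returns (ok, message); the failure message mirrors the log line."""
    dest = ET.fromstring(saml_xml).get("Destination")
    if dest is None:
        return False, "Response carries no Destination attribute"
    if _canonical(dest) == _canonical(received_at):
        return True, "Destination matches"
    return False, f"The response was received at {received_at} instead of {dest}"
```

The check is a genuine replay defence (it rejects a Response minted for a different ACS), so the fix is to make the service provider see the public URL rather than to skip the comparison.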

Any luck on this? We are in a similar situation; the IdP here is PingID and the App Gateway is set up on Azure.

No, I suppose it would work if we used the same hostname in AGW and SonarQube.

We got it working. You will need to change the HTTP setting of the App Gateway to pick it up from a domain name, and we also had to change the provider ID (if PingID is the IdP) in the SonarQube app.

@Thushma_Nair: Can you please elaborate on the configuration you did to get this working? I have a similar situation. Thanks.