SAML authentication with Azure Active Directory on SonarQube 9.2.4 on AKS

xxsvk · November 2, 2022, 12:06pm

The problem with SAML occurs on SonarQube Community Edition Version 9.2.4 (build 50792). SonarQube is set up on the Azure Kubernetes AKS. SAML is edited via build-in possibility.

I want to enable SAML authentication with SonarQube and Azure AD. Currently, the option is enabled and once I try to use it, I receive, an error message: " You’re not authorized to access this page. Please contact the administrator."

I followed Microsoft and SonarQube instructions:
https://docs.sonarqube.org/latest/instance-administration/authentication/saml/azuread/
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication

At this moment I receive such error logs:

2022-11-02 12:52:28	
2022-11-02T11:52:28.945740385Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:141)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945740385Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:141)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945736985Z stdout F 	at com.onelogin.saml2.Auth.<init>(Auth.java:308)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945736985Z stdout F 	at com.onelogin.saml2.Auth.<init>(Auth.java:308)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945733485Z stdout F Caused by: com.onelogin.saml2.exception.SettingsException: Invalid settings: idp_cert_or_fingerprint_not_found_and_required
2022-11-02 12:52:28	
2022-11-02T11:52:28.945733485Z stdout F Caused by: com.onelogin.saml2.exception.SettingsException: Invalid settings: idp_cert_or_fingerprint_not_found_and_required
2022-11-02 12:52:28	
2022-11-02T11:52:28.945137248Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:100)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945137248Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:100)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945133848Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:143)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945133848Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:143)
2022-11-02 12:52:28	
2022-11-02T11:52:28.945126948Z stdout F 2022.11.02 11:52:28 WARN  web[AYQ1ucDQ6yY1cckcABht][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'saml'
2022-11-02 12:52:28	
2022-11-02T11:52:28.945126948Z stdout F 2022.11.02 11:52:28 WARN  web[AYQ1ucDQ6yY1cckcABht][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'saml'
2022-11-02 12:52:28	
2022-11-02T11:52:28.945123347Z stdout F 2022.11.02 11:52:28 ERROR web[AYQ1ucDQ6yY1cckcABht][c.o.saml2.Auth] Invalid settings: idp_cert_or_fingerprint_not_found_and_required
2022-11-02 12:52:28	
2022-11-02T11:52:28.945123347Z stdout F 2022.11.02 11:52:28 ERROR web[AYQ1ucDQ6yY1cckcABht][c.o.saml2.Auth] Invalid settings: idp_cert_or_fingerprint_not_found_and_required
2022-11-02 12:52:28	
2022-11-02T11:52:28.944495009Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:100)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944495009Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:100)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944491209Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.initSettings(SamlIdentityProvider.java:201)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944491209Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.initSettings(SamlIdentityProvider.java:201)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944487309Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.build(SettingsBuilder.java:230)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944487309Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.build(SettingsBuilder.java:230)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944483408Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.build(SettingsBuilder.java:257)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944483408Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.build(SettingsBuilder.java:257)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944479008Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.loadIdpSetting(SettingsBuilder.java:321)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944479008Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.loadIdpSetting(SettingsBuilder.java:321)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944475108Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.loadCertificateFromProp(SettingsBuilder.java:716)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944475108Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.loadCertificateFromProp(SettingsBuilder.java:716)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944471208Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.loadCertificateFromProp(SettingsBuilder.java:694)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944471208Z stdout F 	at com.onelogin.saml2.settings.SettingsBuilder.loadCertificateFromProp(SettingsBuilder.java:694)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944466907Z stdout F 	at com.onelogin.saml2.util.Util.loadCert(Util.java:555)
2022-11-02 12:52:28	
2022-11-02T11:52:28.944466907Z stdout F 	at com.onelogin.saml2.util.Util.loadCert(Util.java:555)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078704888Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:141)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078704888Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:141)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078701188Z stdout F 	at com.onelogin.saml2.Auth.<init>(Auth.java:308)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078701188Z stdout F 	at com.onelogin.saml2.Auth.<init>(Auth.java:308)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078697788Z stdout F Caused by: com.onelogin.saml2.exception.SettingsException: Invalid settings: idp_cert_or_fingerprint_not_found_and_required
2022-11-02 12:39:04	
2022-11-02T11:39:04.078697788Z stdout F Caused by: com.onelogin.saml2.exception.SettingsException: Invalid settings: idp_cert_or_fingerprint_not_found_and_required
2022-11-02 12:39:04	
2022-11-02T11:39:04.078090851Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:100)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078090851Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:100)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078086651Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:143)
2022-11-02 12:39:04	
2022-11-02T11:39:04.078086651Z stdout F 	at org.sonar.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:143)
2022-11-02 12:39:04	
2022-11-02T11:39:04.07807905Z stdout F 2022.11.02 11:39:04 WARN  web[AYQ1ucDQ6yY1cckcABfa][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'saml'
2022-11-02 12:39:04	
2022-11-02T11:39:04.07807905Z stdout F 2022.11.02 11:39:04 WARN  web[AYQ1ucDQ6yY1cckcABfa][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'saml'
2022-11-02 12:39:04	
2022-11-02T11:39:04.07807425Z stdout F 2022.11.02 11:39:04 ERROR web[AYQ1ucDQ6yY1cckcABfa][c.o.saml2.Auth] Invalid settings: idp_cert_or_fingerprint_not_found_and_required
2022-11-02 12:39:04	
2022-11-02T11:39:04.07807425Z stdout F 2022.11.02 11:39:04 ERROR web[AYQ1ucDQ6yY1cckcABfa][c.o.saml2.Auth] Invalid settings: idp_cert_or_fingerprint_not_found_and_required

Therefore, I used certificate Certificate (Base64) from Azure.

Can you advise and help what to do next to solve this issue?

ganncamp · November 3, 2022, 1:17pm

Hi,

We did some work on SAML in 9.7. Can you upgrade and see if the new configuration tester helps any?

Ann

xxsvk · November 3, 2022, 1:30pm

Thanks for the response. Actually, I tried with the latest version, but I got the same results. Any ideas from where such an error can come?

UPDATE:
Community Edition Version 9.7.1 (build 62043)
No changes

ganncamp · November 3, 2022, 2:29pm

Hi,

When you verify your SAML settings in the Admin interface, what’s the result?

Ann

xxsvk · November 4, 2022, 7:18am

Errors

Failed to create a SAML Auth due to: Invalid settings: idp_cert_or_fingerprint_not_found_and_required

Lucas

ganncamp · November 4, 2022, 11:37am

Hi Lucas,

It looks like you need to work on correcting your settings.

HTH,
Ann

xxsvk · November 4, 2022, 1:53pm

Currently, we have a such situation:
Sonar releases the request to AD → AD returns and in the logs, it is that login success → AD releases XML → Sonar is not able to check it

We took x.509 directly from Azure.portal as a base64 and we pasted that value directly to the SonarQube configuration.

Do you have any idea where is the problem?

ganncamp · November 4, 2022, 2:21pm

Hi,

Sorry, but we’re really not SAML experts.

Ann

Alexandre_Frigout · November 16, 2022, 2:00pm

Hello,
We had a similar case where the customer opened the certificate using vi and removed spaces contained in it. It fixed his issue.
Can you try that?
Alex.

xxsvk · November 24, 2022, 8:26am

I will try for sure, and let you know. thanks

xxsvk · December 14, 2022, 6:46am

@Alexandre_Frigout sorry for the late and delayed response. Unfortunately, it didn’t help. I did not find any spaces, I even removed newlines, but I got the same result: * Failed to create a SAML Auth due to: Invalid settings: idp_cert_or_fingerprint_not_found_and_required

I am taking this certificate from Azure Active Directory:

Just wanted to double confirm

Deena_dhayalan · October 16, 2023, 10:47am

Hi lukaz

Are you solved this issue,Im also facing same issue,If you have fixed can you give the solution?