SAML configuration with Azure

Must-share information (formatted with Markdown):

  • Enterprise Edition, version 10.4.1 (build 88267)

I am trying to setup a SAML configuration between Azure and my instance of SonarQube, but while trying to setup the application from Azure following those instructions

Step 4: Configure the Admin Credentials section as follows:

  • Tenant Url: myinstance/api/scim/v2
  • Secret token: Paste a SonarQube user token for an admin account in this field. For safety reasons, we recommend using a token from a local admin account (not managed through SCIM).

Testing such configuration I got the following message:

You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.
Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
Details: We received this unexpected response from your application:
Message: An error occurred while sending the request.

I am not sure if this is the case, but maybe the root cause could be related to the fact that myinstance/api/scim/v2 endpoint is not available, so maybe there is something wrong with such configuration.

{
    "errors": [
        {
            "msg": "Unknown url : /api/scim/v2"
        }
    ]
}

This is similar to what has been shared [SOLVED] Okta SCIM Endpoint Missing from 9.8 - SonarQube - Sonar Community (sonarsource.com) but I didn’t get how it has been solved.

From the sonarqube administration panel I see that the token has never been used, so I assume that the problem is with the endpoint described so far.
Any help is appreciated.

Hey there!

What does this URL return for you?

myinstance.com/api/scim_management/status

Hi Colin,
it returns that it is enabled.

{
    "enabled": true
}

Thank you.

I can tell you that the issue isn’t with the endpoint – it just isn’t complete (I expect you’ll get a real response by asking for https://<myinstance>/api/scim/v2/Users).

I would first suggest checking to see if the request from Azure ever makes it to SonarQube at all. You should be able to confirm this looking in your instance’s access.log

Checking with the suggested endpoint I got an answer

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "itemsPerPage": 100,
    "totalResults": 0,
    "startIndex": 1,
    "Resources": []
}

anyhow looking at the file I can’t see any occurrences about such connection from Azure.
access.2024-03-15.log (951.3 KB)
I can see just some I did (with postman) which returns 404, but please have a look, maybe I am wrong.
That said, which should be the right endpoint to use?

1 Like

I am using 9.9 LTS enterprise edition. When I tried accessing https://<myinstance>/api/scim/v2/Users

I am getting the following response : {“schemas”:[“urn:ietf:params:scim:api:messages:2.0:ListResponse”],“itemsPerPage”:100,“totalResults”:0,“startIndex”:1,“Resources”:}

While I have enabled SCIM (de)provisioning in SAML authentication.

When tried to test configuration on Azure Portal. It gives the following error.
image

it seems we are getting the same answer but so far I did not get how to fix this.

You’re using the right endpoint – it just isn’t valid by itself (auth providers integrating with SCIM know to add that last part).

If the request is never making it to SonarQube, it sounds like a connectivity issue.

However, looking at posts like this one, there are usually more details with the failure. Do you not receive any of those?

Received response from Web resource.
Resource: https://url /scim/Users?filter=userName+eq+“b449d6dd-188d-40e7-91c7-d5cda6a595cf”
Operation: GET
Response Status Code: NotImplemented
…

Do y’all not receive any of that info?

No, I don’t see any of those.

Anyhow the need to have such configuration is to enable the following:

From SonarQube panel as administrator I can’t change the permission of a specific user untill the user does not perform the first login.

That’s why I want to have from such configuration to the one described here:

SCIM provisioning with Azure AD

Hi Colin/Prisco , I am getting exactly the same error. Irony is that I deployed enterprise in dev container 2 weeks back and it got integrated with SCIM but when I do that with prod environment, it doesn’t work.

Other strange thing I notice is that dev has following type to create tokens:

  • User Token

but prod has

  • User Token
  • Global Analysis Token

Both of the deployments dev and prod are running on

  • Enterprise Edition
  • Version 10.4 (build 87286)

Please suggest

We were able to integrate with Azure AD using SAML but SCIM for provisioning fails. We do not see any error in access.log but since SAML worked, I think network is ok else SAML integration will fail. Please suggest.

I still haven’t found the solution but I expect that there are network issues as it has been mentioned so far.

The reason for that is I don’t find any entries in the access.log, instead, I see those when I try by making a curl request towards such endpoint.

Hi Prisco, We identified the problem. It was the WAF that we had infront of our Loadbalancer. We had to update the waf rules. May be if you are using the WAF as well then try removing it.

Let me know if it solves the issue.