SAML Configuration

SonarQube - Version 7.7 (build 23042)
Plugin - SAML 2.0 Authentication for SonarQube - 1.1.0 (build 181) installed

I see that in the above the name ID attribute is validated, but I still get the error

```
2019.04.03 19:58:08 DEBUG web[AWnkd+DSnP+/d6ZtAAEU][o.a.x.s.s.Reference] Verification successful for URI "#_da88a392-8758-4ad7-af23-e5d034961f1f"
2019.04.03 19:58:08 DEBUG web[AWnkd+DSnP+/d6ZtAAEU][o.a.x.s.s.Manifest] The Reference has Type 
2019.04.03 19:58:08 DEBUG web[AWnkd+DSnP+/d6ZtAAEU][c.o.s.a.SamlResponse] SAMLResponse validated --> <
```

**Error:**

```
2019.04.03 19:58:08 WARN  web[AWnkd+DSnP+/d6ZtAAEU][o.s.s.a.AuthenticationError] Fail to callback authentication with 'saml'
java.lang.IllegalStateException: Fail to process response
	at org.sonarsource.auth.saml.SamlIdentityProvider.processResponse(SamlIdentityProvider.java:139)
	at org.sonarsource.auth.saml.SamlIdentityProvider.callback(SamlIdentityProvider.java:107)
	at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:98)
	at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:78)
	at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:71)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126)
	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:95)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:87)
	at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:71)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
	at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.requestid.RequestIdFilter.doFilter(RequestIdFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.onelogin.saml2.exception.ValidationError: No name id found in Document.
	at com.onelogin.saml2.authn.SamlResponse.getNameIdData(SamlResponse.java:477)
	at com.onelogin.saml2.authn.SamlResponse.getNameId(SamlResponse.java:491)
	at com.onelogin.saml2.Auth.processResponse(Auth.java:527)
	at com.onelogin.saml2.Auth.processResponse(Auth.java:557)
	at org.sonarsource.auth.saml.SamlIdentityProvider.processResponse(SamlIdentityProvider.java:137)
	... 48 common frames omitted
2019.04.03 19:58:08 TRACE web[AWnkd+DSnP+/d6ZtAAEV][o.s.s.u.UserSessionFilter] Thread[http-nio-0.0.0.0-9000-exec-2,5,main] serves /sessions/unauthorized
```

Hi @cebmac,

The Name ID is not required in a SAML response, hence the OneLogin SAML toolkit marks the validation as “passed”. However, SonarQube still requires a Name ID, which is why it fails a little later in the execution.

I would double check your IdP, and make sure a NameID is provided. You can try some debugger tools which can sniff the SAML payload which is sent back and forth between the IdP and the SP.
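One way to run the check suggested in the reply above on a captured response, as an added example that is not part of the original thread nor SonarQube or OneLogin code: it base64-decodes the `SAMLResponse` form field from the HTTP-POST binding and reports whether each assertion's `<Subject>` carries a `<NameID>`. The function name `check_name_id` and both sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_name_id(saml_response_b64):
    """Report, per Assertion, whether <Subject> carries a usable <NameID>."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # A SAML message never needs a DTD; refuse one before the stdlib parser sees it.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML response; refusing to parse")
    findings = []
    for assertion in ET.fromstring(xml_bytes).iter("{%s}Assertion" % NS["saml"]):
        subject = assertion.find("saml:Subject", NS)
        name_id = subject.find("saml:NameID", NS) if subject is not None else None
        if subject is None:
            status = "no Subject"
        elif name_id is not None:
            status = "ok" if (name_id.text or "").strip() else "empty NameID"
        elif subject.find("saml:EncryptedID", NS) is not None:
            status = "EncryptedID present (SP must decrypt it)"
        else:
            status = "Subject without NameID"
        findings.append({
            "assertion_id": assertion.get("ID"),
            "status": status,
            "format": name_id.get("Format") if name_id is not None else None,
            "value": (name_id.text or "").strip() if name_id is not None else None,
        })
    return findings  # empty list: no plaintext Assertion in the response

def _constructed_response(subject_children):
    """Build a minimal, unsigned sample response (constructed, not from the thread)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        + subject_children +
        '</saml:Subject></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

CONFIRMATION = '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
WITH_NAME_ID = _constructed_response(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'user@example.com</saml:NameID>' + CONFIRMATION)
WITHOUT_NAME_ID = _constructed_response(CONFIRMATION)

if __name__ == "__main__":
    for label, sample in (("with NameID", WITH_NAME_ID), ("without", WITHOUT_NAME_ID)):
        print(label, check_name_id(sample))
```

This only inspects structure; it does not verify the signature, so it says nothing about whether the response is trustworthy.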


@Wouter_Admiraal Thank you for responding. Below is the SAML response.

```
</ds:Signature>
cebmac
<SubjectConfirmationData NotOnOrAfter="2019-04-03T03:35:20.927Z"
Recipient="https://sonarqube.svc.aws.mac.com" />
<Conditions NotBefore="2019-04-03T03:30:20.927Z"
NotOnOrAfter="2019-04-03T04:30:20.927Z">
sonarqube
MAC,ceb
cebmac@company.com
cebmac
  </Attribute>
<AuthnStatement AuthnInstant="2019-04-03T03:00:23.422Z"
```

Did you intend to mark this as resolved? If so, what is the resolution :sweat_smile:?

If not, the payload you provided is far from complete. But either way, as long as you don’t have a NameID element, it’s not valid for SonarQube. Check your IdP settings.

Thanks. This fixed the issue.