We have integrated SonarQube with SAML. Getting an error while logging in.
Logs below:
2020.04.17 11:06:09 DEBUG web[AXGDNwSHGiojiL7hAAQL][c.o.saml2.Auth] processResponse success --> PHNhbWxwOlJlc3BvbnNlIFZlcnNpb249IjIuMCIgSUQ9InVkZy1uckxMV2suQ3J2NjEyaHdmU0pyc1JfcCIgSXNzdWVJbnN0YW50PSIyMDIwLTA0LTE3VDExOjA2OjA4LjkyNloiIHhtbG5zOnNhbWxwPSJ1
2020.04.17 11:06:09 TRACE web[AXGDNwSHGiojiL7hAAQL][sql] time=1ms | sql=select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.resource_id as resourceId, p.user_id as userId from properties p where p.prop_key=? and p.resource_id is null and p.user_id is null | params=sonar.auth.saml.providerName
2020.04.17 11:06:09 DEBUG web[AXGDNwSHGiojiL7hAAQL][auth.event] login failure [cause|CSRF state value is invalid][method|OAUTH2][provider|EXTERNAL|SAML][IP|10.120.3.58|10.68.132.131][login|]
2020.04.17 11:06:10 TRACE web[AXGDNwSHGiojiL7hAAQM][o.s.s.u.UserSessionFilter] Thread[http-nio-0.0.0.0-9000-exec-4,5,main] serves /sonarqube/sessions/unauthorized
2020.04.17 11:06:10 TRACE web[AXGDNwSHGiojiL7hAAQN][o.s.s.u.UserSessionFilter] Thread[http-nio-0.0.0.0-9000-exec-5,5,main] serves /sonarqube/api/navigation/global
This is in the browser:
You’re not authorized to access this page. Please contact the administrator.
Reason: CSRF state value is invalid
Can anyone help?
Thanks!!
Manoj
First of all, which authentication system are you using to do the SAML authentication?
Then, could you please check in your proxy that you're not disabling cookies by setting the HttpOnly flag to false?
Not sure what the cause of the issue you mentioned is. If you are still facing an issue, I recommend you try out the miniOrange SAML Plugin for SonarQube.
You can refer to this document - mO SonarQube SSO 3 to get started with the configuration. This is a full-fledged plugin which is rich in features, and provides all the necessary options to get started with SAML setup.
Hi, we had the same problem while we were implementing our own IdP for the SAML protocol.
We solved the problem after we realized that we had missed the "RelayState" parameter when the IdP sends assertions to SonarQube. The OneLogin SAML toolkit used by SonarQube did not check that parameter, but SonarQube did, just after the toolkit returned a successful authentication. And that's why we all get the log message "processResponse success", which is logged by the toolkit.
We adjusted our code to return the same “RelayState” parameter which was submitted by SonarQube previously. Then everything worked fine.
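The mechanism described in this reply, and the cookie point raised in the first reply, as an added illustration that is not SonarQube's own code and not the poster's IdP: the service provider mints a random state, pins it to the browser in a signed cookie, sends the same value to the IdP as RelayState, and only accepts the returned assertion if the echoed RelayState matches the cookie. The cookie name, signing key and placeholder SAML messages are constructed for the example; the real SonarQube cookie name and check are not shown on this page. The same function reports the failure modes discussed in the thread: an IdP that drops RelayState, and a proxy that strips the state cookie.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side key used to sign the state cookie (constructed for this example).
STATE_KEY = b"constructed-demo-key-do-not-reuse"
# Assumed cookie name; the real SonarQube cookie name is not shown on the page.
STATE_COOKIE = "SAML_STATE"


@dataclass
class Browser:
    """Stand-in for one browser session: the cookies it holds for the service provider (SP)."""
    cookies: dict = field(default_factory=dict)


def _mac(state: str) -> str:
    """HMAC over the state so a tampered cookie is rejected before comparison."""
    return hmac.new(STATE_KEY, state.encode(), hashlib.sha256).hexdigest()


def sp_start_login(browser: Browser) -> dict:
    """SP side, step 1: mint a random state, pin it to the browser in a signed cookie,
    and send the same value to the IdP as RelayState alongside the AuthnRequest."""
    state = secrets.token_urlsafe(32)  # URL-safe, never contains '.'
    browser.cookies[STATE_COOKIE] = f"{state}.{_mac(state)}"
    return {"SAMLRequest": "<constructed AuthnRequest placeholder>", "RelayState": state}


def idp_respond(request: dict, echo_relay_state: bool) -> dict:
    """IdP side: authenticate the user and POST back to the SP's ACS endpoint.
    A conforming IdP returns RelayState unchanged; echo_relay_state=False models
    the missing parameter described in the reply above."""
    response = {"SAMLResponse": "<constructed signed Response placeholder>"}
    if echo_relay_state:
        response["RelayState"] = request["RelayState"]
    return response


def sp_complete_login(browser: Browser, callback: dict) -> tuple:
    """SP side, step 2: the CSRF state check that runs after the SAML toolkit has
    already validated the assertion. Returns (accepted, reason)."""
    cookie = browser.cookies.get(STATE_COOKIE)
    if cookie is None:
        # Cookie never reached the SP, e.g. a proxy rewrote or dropped it.
        return False, "CSRF state value is invalid: state cookie missing"
    state, _, mac = cookie.rpartition(".")
    if not hmac.compare_digest(mac, _mac(state)):
        return False, "CSRF state value is invalid: state cookie tampered"
    relay = callback.get("RelayState")
    if relay is None or not hmac.compare_digest(relay, state):
        # IdP did not echo RelayState, or echoed a value from another session.
        return False, "CSRF state value is invalid: RelayState missing or mismatched"
    del browser.cookies[STATE_COOKIE]  # state is single use; a replay fails the next check
    return True, "login accepted"


if __name__ == "__main__":
    for echo in (True, False):
        b = Browser()
        req = sp_start_login(b)
        print("IdP echoes RelayState:", echo, "->", sp_complete_login(b, idp_respond(req, echo)))
    b = Browser()
    req = sp_start_login(b)
    b.cookies.clear()  # model a proxy that strips the SP cookie
    print("cookie stripped ->", sp_complete_login(b, idp_respond(req, True)))
```

The check compares the RelayState against a value the browser itself presented, so a response forged or replayed from another session fails even though the assertion is cryptographically valid, which is why the toolkit logs "processResponse success" before the SP rejects the login.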