SAML error after upgrade to 8.4

I recently upgrading to 8.4 and I am now unable to log on using SAML.

The release notes state “This could reveal a non-standard configuration that needs to be updated.”

The error message i get is:

2020.07.07 04:49:33 ERROR web[AXMnjbQn6g4l3XB1AAE6][c.o.s.a.SamlResponse] The response was received at http://sonar.mydomain.io:9000/oauth2/callback/saml instead of https://sonar.mydomain.io/oauth2/callback/saml

I am not sure where Sonar is constructing this callback url. There is nothing in the General Settings > Security > settings page.

General Settings > Base URL is set to “https://sonar.mydomain.io

My SAML IDP is G Suite.

Hi @Rob_White,

Have you correctly configured your reverse proxy as described in the “HTTPS Configuration” section of
https://docs.sonarqube.org/latest/setup/operate-server/ ?

Regards,
Julien Lancelot

Hi Julien,

Yep, I am using nginx and setting the following:

proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;

location / {
        set $backend "http://sonarqube.app.internal.net:9000";
        proxy_pass $backend$request_uri;
    }

$backend resolves to the sonarqube server.

Debug logs enabled:

|2020.07.08 02:54:01 DEBUG web[AXMnjbQn6g4l3XB1AEWU][auth.event] login failure [cause|The response was received at http://sonar.mydomain.io:9000/oauth2/callback/saml instead of https://sonar.mydomain.io/oauth2/callback/saml][method|OAUTH2][provider|EXTERNAL|Google SAML][IP|10.119.4.164|61.69.205.18, 10.119.4.51][login|]|
| --- | --- | --- | --- | --- | --- | --- | --- |
|2020.07.08 02:54:01 DEBUG web[AXMnjbQn6g4l3XB1AEWU][c.o.saml2.Auth] --> PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+PHNhbWwycDpSZXNwb25zZSB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHBzOi8vc29uYXIucWFudGFzbG95YWx0eS5pby9vYXV0aDIvY2FsbGJhY2svc2FtbCIgSUQ9Il8wNWVlZTRjNzRiOTAzYWFmYjczMjU2MzhhYzAyMTY4YiIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl9iZmM3NTBkNS1hYzg5LTRmY2ItYWM0My00NmJkNjA3MzRjMWQiIElzc3VlSW5zdGFudD0iMjAyMC0wNy0wOFQwMjo1NDowMC44ODRaIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL3NhbWwyP2lkcGlkPUMwMWcxbDVkbzwvc2FtbDI6SXNzdWVyPjxzYW1sMnA6U3RhdHVzPjxzYW1sMnA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1sMnA6U3RhdHVzPjxzYW1sMjpBc3NlcnRpb24geG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfNmQ1NmUzODk1ZjUwOTk4NTI5ZTk0ZTY4MmFkNTE4NjYiIElzc3VlSW5zdGFudD0iMjAyMC0wNy0wOFQwMjo1NDowMC44ODRaIiBWZXJzaW9uPSIyLjAiPjxzYW1sMjpJc3N1ZXI+aHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vc2FtbDI/aWRwaWQ9QzAxZzFsNWRvPC9zYW1sMjpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzZkNTZlMzg5NWY1MDk5ODUyOWU5NGU2ODJhZDUxODY2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU+OUZVclo3aGRvS1l1SnRoRXZhWlREUmFEK2VZc0ViVUZndm5YYzFxREtuYz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+TmNtaTZSNlA5Y3pRSG5GM1F1bE5XcFF6SzBJVFV0OU5SQXlFOW84dGNUTkJWZzE5aDRGWk1zSnJzTWVSVGxxMjFpTTRNcTZrdkt4YQp4bC9RcFFtdGw3T2pQbWVVZTVIV3g4YlUwcXVENzQySjN1REZzMURkK0lTeHJXOTQwVzJqZE82ZFY3RW9PSDZhWXQzZ3ZOVG5KT0VQCi92SmkxQ3l2OGczaFhuVS9rZGRsVVQ4Wm9QQ0RRYks1L0tjM1JpY212enpicHprenZIbmttUEVKNnZGU2RQTWg4Z1BoU2pKTWVLQlIKNXZXY3BLOERzR2wxUGRZUURtNTdHQUpZMDE4bUh2amphLzhmTjd2VVl3akh3U0FOT3lzRGxOYW90dWQzdjNUQjlkNXNKWDk4V3B1bApoYy8rNktQa3cyNUVQNFVpbFlBemM2dTBjbUVhVUMyYUZHV3dTZz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlTdWJqZWN0TmFtZT5TVD1DYWxpZm9ybmlhLEM9VVMsT1U9R29vZ2xlIEZvciBXb3JrLENOPUdvb2dsZSxMPU1vdW50YWluIFZpZXcsTz1Hb29nbGUgSW5jLjwvZHM6WDUwOVN1YmplY3ROYW1lPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRGREQ0NBbHlnQXdJQkFnSUdBVkhNcG9Qa01BMEdDU3FHU0liM0RRRUJDd1VBTUhzeEZEQVNCZ05WQkFvVEMwZHZiMmRzWlNCSgpibU11TVJZd0ZBWURWUVFIRXcxTmIzVnVkR0ZwYmlCV2FXVjNNUTh3RFFZRFZRUURFd1pIYjI5bmJHVXhHREFXQmdOVkJBc1REMGR2CmIyZHNaU0JHYjNJZ1YyOXlhekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXdIaGNOTVRVeE1qSXoKTURJeU5EQXhXaGNOTWpBeE1qSXhNREl5TkRBeFdqQjdNUlF3RWdZRFZRUUtFd3RIYjI5bmJHVWdTVzVqTGpFV01CUUdBMVVFQnhNTgpUVzkxYm5SaGFXNGdWbWxsZHpFUE1BMEdBMVVFQXhNR1IyOXZaMnhsTVJnd0ZnWURWUVFMRXc5SGIyOW5iR1VnUm05eUlGZHZjbXN4CkN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBbVVsYWpQa1lWblVhR2x3ODIvQXpNSGVqMktlUGpaWmgwTVZqL3U1bTFLQXh0bGpaZXBxWldRVTNaemlublAzYQp6cEp3OWIvMjJTWjR0Z2lHSkQxQ2pCakxzekpGK0Y0N0lQTnl0eGV2Y1hzK3VKZjhCNWtScU1pMWpjYjNqaWlJZVFEUzBEK2JPeitkCnVMN3RZL1dESGVBbnR4dS9ONWVpOVFVK05yK1FUMldLZk5lWFI0eVVKcjVoVzM4NE81Q2xDZnVCTDNJQ2ZyaUlvWElwSkdBMGlnUTgKQnJzaWIxUnYvNk5HaHFBVk43U29oVjgzMTRxSlcyUXBDcGRmQXhRTUR6UW9YWkI3LzhkWFZHaEpQVjdXZkhMWnBHTUFQZm1leTJBTQp3Z29jdmszdkFCcUFCd0EyQTNUU2I4a2J1TDVtUnNBa0dBRDR2LzV2Z0IxVy9QS05pd0lEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBCkE0SUJBUUFXdThmVk9oK2didzFJVExlT2h0SDAyNFZxRE5oZStKOXJsQmpNcDZLZmVLUWFYRTJNays4NWxSWGZqVVVobFkwM3hSbWMKNVUyN2RGeFZsZWV1U0JwWXNCdnlSWnZTbTQ0cVY3bUNpdzR3OGFsOHRrSkQ0cVNDQ25yWmRZSldrK0tqNjNUQXc4Y2F5QU5ydU8wdgpPdVhUSUtmMmhEa2ppMWJmdGl0U2M1Ty9qcXBhQkVEZVYzYWNHTlNQOEFNNTg3Zkd3L1lBejhxRE4wbUxkckJGTy9hMForTzJGbG96CktncmdyUEdsWEt3ZlAxUmM1S3JFYkxzaytDNGRiRkVXc0hNK3Z2TGhGdEFlRzRncXdmZ2lMcjlxcTBpcFN3dS9jNldYYlVFMXdtQVQKNEt4UE9vb2xBdDhKZGJmVUNUbXU2ZWtsMWh0eEpoQVByclB5MnE2aGFqNkg8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPnJvYi53aGl0ZUBxYW50YXNsb3lhbHR5LmNvbTwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iT05FTE9HSU5fYmZjNzUwZDUtYWM4OS00ZmNiLWFjNDMtNDZiZDYwNzM0YzFkIiBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDctMDhUMDI6NTk6MDAuODg0WiIgUmVjaXBpZW50PSJodHRwczovL3NvbmFyLnFhbnRhc2xveWFsdHkuaW8vb2F1dGgyL2NhbGxiYWNrL3NhbWwiLz48L3NhbWwyOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sMjpTdWJqZWN0PjxzYW1sMjpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAyMC0wNy0wOFQwMjo0OTowMC44ODRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDctMDhUMDI6NTk6MDAuODg0WiI+PHNhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWwyOkF1ZGllbmNlPnNvbmFycXViZTwvc2FtbDI6QXVkaWVuY2U+PC9zYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0ibmFtZSI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPlJvYjwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJlbWFpbCI+PHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOmFueVR5cGUiPnJvYi53aGl0ZUBxYW50YXNsb3lhbHR5LmNvbTwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJncm91cHMiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czphbnlUeXBlIj5zb25hci1hZG1pbmlzdHJhdG9yczwvc2FtbDI6QXR0cmlidXRlVmFsdWU+PC9zYW1sMjpBdHRyaWJ1dGU+PC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMC0wNy0wN1QwMDoyODozNC4wMDBaIiBTZXNzaW9uSW5kZXg9Il82ZDU2ZTM4OTVmNTA5OTg1MjllOTRlNjgyYWQ1MTg2NiI+PHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sMjpBc3NlcnRpb24+PC9zYW1sMnA6UmVzcG9uc2U+|
|2020.07.08 02:54:01 ERROR web[AXMnjbQn6g4l3XB1AEWU][c.o.saml2.Auth] processResponse error. invalid_response|
|2020.07.08 02:54:01 ERROR web[AXMnjbQn6g4l3XB1AEWU][c.o.s.a.SamlResponse] The response was received at http://sonar.mydomain.io:9000/oauth2/callback/saml instead of https://sonar.mydomain.io/oauth2/callback/saml|
|2020.07.08 02:54:01 DEBUG web[AXMnjbQn6g4l3XB1AEWU][c.o.saml2.Auth] Settings validated|
|2020.07.08 02:54:00 DEBUG web[AXMnjbQn6g4l3XB1AEWT][c.o.saml2.Auth] AuthNRequest sent to https://accounts.google.com/o/saml2/idp?idpid=redacted --> redacted
|2020.07.08 02:54:00 DEBUG web[AXMnjbQn6g4l3XB1AEWT][c.o.saml2.Auth] Settings validated|
|2020.07.08 02:54:01 DEBUG web[AXMnjbQn6g4l3XB1AEWU][c.o.s.a.SamlResponse] SAMLResponse invalid --> <?xml version="1.0" encoding="UTF-8" standalone="no"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://sonar.mydomain.io/oauth2/callback/saml" ID="_05eee4c74b903aafb7325638ac02168b" InResponseTo="ONELOGIN_bfc750d5-ac89-4fcb-ac43-46bd60734c1d" IssueInstant="2020-07-08T02:54:00.884Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=redacted</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6d56e3895f50998529e94e682ad51866" IssueInstant="2020-07-08T02:54:00.884Z" Version="2.0"><saml2:Issuer>https://accounts.google.com/o/saml2?idpid=redacted</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_6d56e3895f50998529e94e682ad51866"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>9FUrZ7hdoKYuJthEvaZTDRaD+eYsEbUFgvnXc1qDKnc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Ncmi6R6P9czQHnF3QulNWpQzK0ITUt9NRAyE9o8tcTNBVg19h4FZMsJrsMeRTlq21iM4Mq6kvKxa\nxl/QpQmtl7OjPmeUe5HWx8bU0quD742J3uDFs1Dd+ISxrW940W2jdO6dV7EoOH6aYt3gvNTnJOEP\n/vJi1Cyv8g3hXnU/kddlUT8ZoPCDQbK5/Kc3RicmvzzbpzkzvHnkmPEJ6vFSdPMh8gPhSjJMeKBR\n5vWcpK8DsGl1PdYQDm57GAJY018mHvjja/8fN7vUYwjHwSANOysDlNaotud3v3TB9d5sJX98Wpul\nhc/+6KPkw25EP4UilYAzc6u0cmEaUC2aFGWwSg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName><ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAVHMpoPkMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ\nbmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv\nb2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTUxMjIz\nMDIyNDAxWhcNMjAxMjIxMDIyNDAxWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN\nTW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx\nCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAmUlajPkYVnUaGlw82/AzMHej2KePjZZh0MVj/u5m1KAxtljZepqZWQU3ZzinnP3a\nzpJw9b/22SZ4tgiGJD1CjBjLszJF+F47IPNytxevcXs+uJf8B5kRqMi1jcb3jiiIeQDS0D+bOz+d\nuL7tY/WDHeAntxu/N5ei9QU+Nr+QT2WKfNeXR4yUJr5hW384O5ClCfuBL3ICfriIoXIpJGA0igQ8\nBrsib1Rv/6NGhqAVN7SohV8314qJW2QpCpdfAxQMDzQoXZB7/8dXVGhJPV7WfHLZpGMAPfmey2AM\nwgocvk3vABqABwA2A3TSb8kbuL5mRsAkGAD4v/5vgB1W/PKNiwIDAQABMA0GCSqGSIb3DQEBCwUA\nA4IBAQAWu8fVOh+gbw1ITLeOhtH024VqDNhe+J9rlBjMp6KfeKQaXE2Mk+85lRXfjUUhlY03xRmc\n5U27dFxVleeuSBpYsBvyRZvSm44qV7mCiw4w8al8tkJD4qSCCnrZdYJWk+Kj63TAw8cayANruO0v\nOuXTIKf2hDkji1bftitSc5O/jqpaBEDeV3acGNSP8AM587fGw/YAz8qDN0mLdrBFO/a0Z+O2Floz\nKgrgrPGlXKwfP1Rc5KrEbLsk+C4dbFEWsHM+vvLhFtAeG4gqwfgiLr9qq0ipSwu/c6WXbUE1wmAT\n4KxPOoolAt8JdbfUCTmu6ekl1htxJhAPrrPy2q6haj6H</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">rob.white@mydomain.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="ONELOGIN_bfc750d5-ac89-4fcb-ac43-46bd60734c1d" NotOnOrAfter="2020-07-08T02:59:00.884Z" Recipient="https://sonar.mydomain.io/oauth2/callback/saml"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2020-07-08T02:49:00.884Z" NotOnOrAfter="2020-07-08T02:59:00.884Z"><saml2:AudienceRestriction><saml2:Audience>sonarqube</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement><saml2:Attribute Name="name"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">Rob</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="email"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">rob.white@mydomain.com</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="groups"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">sonar-administrators</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement><saml2:AuthnStatement AuthnInstant="2020-07-07T00:28:34.000Z" SessionIndex="_6d56e3895f50998529e94e682ad51866"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>|
|2020.07.08 02:54:00 DEBUG web[AXMnjbQn6g4l3XB1AEWT][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_bfc750d5-ac89-4fcb-ac43-46bd60734c1d" Version="2.0" IssueInstant="2020-07-08T02:54:00Z" Destination="https://accounts.google.com/o/saml2/idp?idpid=redacted" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://sonar.mydomain.io/oauth2/callback/saml"><saml:Issuer>sonarqube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>|
|2|

I have a feeling the AWS ALB in between nginx and sonarqube is overwriting X-Forwarded-Proto. Just checking on that and will report back.

I am having the same issue after upgrading to 8.4. I’ve reviewed the SonarSource documentation and on the community. I have everything configured correctly. Unless we can resolve this, we’ll have to revert back to 8.2. This is unfortunate.

I’m using IIS ARR (2016 Servers) and have had zero problems with AD FS Integrations. This is not the first product we’ve configured–enough experience to know that it’s not our environment unless there’s a breaking change that must be configured. Besides it happening across nginx, apache, and others, I’m sure. Please advise.

The problem for me was resolved by changing the ALB listener to HTTPS.

This is because even though i was setting X-Forwarded-Proto to https at nginx layer, the AWS ALB strips that away if your using an http listener.

1 Like

@Rob_White Thanks a lot for explaining how you’ve fixed your issue !

@kirkpabk If the error you’re encountering is not the same as described in the first message of this thread, please create a new thread by describing exactly which problem you have.
Thanks !

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.