SAML Error on AWS ELB (L7) and Kubernetes

Environment

  • Sonarqube Developer Edition Version 9.0.1 (build 46107) – deployed through Sonarqube helm chart
  • AWS ELB (L7 i.e. terminating SSL here)
  • Ambassador (as Kubernetes Ingress Controller)
  • IDP: Google Apps
  • Traffic Flow
    Internet → ELB (L7 with SSL Certificate) → Kubernetes Ingress Controller → Kubernetes Pod

Problem

Sonarqube UI is running fine, the problem is only when configuring SAML.

After configuring SAML (with Google apps), I am seeing this error on the web UI

“You’re not authorized to access this page. Please contact the administrator.”

I have debugged the SAML trace and found that the callback URL (https://sonarqube./oauth2/callback/saml) is missing the below attributes in <saml2:AttributeStatement>

  • <saml2:Attribute Name="Email">
  • <saml2:Attribute Name="Login">
  • <saml2:Attribute Name="Name">

This is my ambassador mapping

---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: sonarqube
  namespace: sonarqube
spec:
  host: sonarqube.<my-domain>
  prefix: /
  rewrite: /
  service: sonarqube-sonarqube.sonarqube.svc.cluster.local:9000
  bypass_error_response_overrides: true

What else can I do to troubleshoot the issue?
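The check described in the post (inspecting the SAML trace for the Login, Name and Email attributes in the AttributeStatement) can be automated. The script below is an added example and not code from SonarQube, Ambassador or the original poster; it assumes the SAMLResponse form field of the HTTP-POST binding sent to the callback URL, uses constructed sample responses instead of a real IdP trace, and takes the attribute names Login, Name and Email from the post. Pasting the captured SAMLResponse value into decode_saml_response() reports which expected attributes the IdP did not send, which is exactly the symptom of a missing attribute mapping on the IdP side.

```python
"""Report which SonarQube SAML attributes are missing from a SAML Response.

Added example (not SonarQube/Ambassador code). Assumptions: the input is the
base64 SAMLResponse form field of the HTTP-POST binding, and SonarQube is
configured to read user attributes named Login, Name and Email.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names the thread expects in <saml2:AttributeStatement>.
REQUIRED = ("Login", "Name", "Email")


def attribute_values(response_xml: str) -> dict:
    """Collect {AttributeName: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def missing_attributes(response_xml: str, required=REQUIRED) -> list:
    """Names in `required` that are absent or carry only empty values."""
    found = attribute_values(response_xml)
    return [n for n in required if not any(v.strip() for v in found.get(n, []))]


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def encode_for_post(response_xml: str) -> str:
    """Inverse of decode_saml_response, used to build sample form values."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def build_response(attributes: dict) -> str:
    """Construct a minimal, unsigned SAML Response carrying `attributes`.

    Constructed sample data only: a real IdP response is signed and carries
    Conditions, AuthnStatement and more, which this check does not need.
    """
    attrs = "".join(
        f'<saml2:Attribute Name="{name}">'
        f"<saml2:AttributeValue>{value}</saml2:AttributeValue>"
        "</saml2:Attribute>"
        for name, value in attributes.items()
    )
    statement = (
        f"<saml2:AttributeStatement>{attrs}</saml2:AttributeStatement>"
        if attributes else ""
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example-response" Version="2.0">'
        '<saml2:Assertion ID="_example-assertion" Version="2.0">'
        "<saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>"
        f"{statement}"
        "</saml2:Assertion></samlp:Response>"
    )


# IdP with the attribute mapping configured.
GOOD = build_response({"Login": "jdoe", "Name": "Jane Doe", "Email": "jdoe@example.com"})
# IdP without any attribute mapping: only the NameID is sent, no AttributeStatement.
BAD = build_response({})


if __name__ == "__main__":
    for label, xml_text in (("with mapping", GOOD), ("without mapping", BAD)):
        missing = missing_attributes(decode_saml_response(encode_for_post(xml_text)))
        print(f"{label}: missing attributes = {missing or 'none'}")
```

When run against the "without mapping" sample the report lists all three names, matching the trace in the post; an IdP that sends some attributes under different names (for example an email attribute but no Login) shows up as a partial list, which points at the attribute name configured on the SonarQube side rather than at the IdP mapping.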

Just to rule out the possibility of Ambassador (Kubernetes ingress controller) doing anything funny with HTTP headers, I have now removed Ambassador out of the picture.

The error remains the same even with this flow
Internet → ELB (L7 with SSL Certificate) → Kubernetes Pod

This is resolved now. We were missing SAML attribute mapping on the Google App, I didn’t have access to it to verify the same earlier.

