SAML Error on AWS ELB (L7) and Kubernetes


  • Sonarqube Developer EditionVersion 9.0.1 (build 46107) – deployed through Sonarqube helm chart
  • AWS ELB (L7 i.e. terminating SSL here)
  • Ambassador (as Kubernetes Ingress Controller)
  • IDP: Google Apps
  • Traffic Flow
    Internet → ELB (L7 with SSL Certificate) → Kubernetes Ingress Controller → Kubernetes Pod


Sonarqube UI is running fine, the problem is only when configuring SAML.

After configuring SAML (with Google apps), I am seeing this error on the web UI

“You’re not authorized to access this page. Please contact the administrator.”

I have debugged the SAML trace and found that the call back URL (https://sonarqube./oauth2/callback/saml) is missing the below attributes in <saml2:AttributeStatement>

  • <saml2:Attribute Name=“Email”>
  • <saml2:Attribute Name=“Login”>
  • <saml2:Attribute Name=“Name”>

This is my ambassador mapping

kind: Mapping
  name: sonarqube
  namespace: sonarqube
  host: sonarqube.<my-domain>
  prefix: /
  rewrite: /
  service: sonarqube-sonarqube.sonarqube.svc.cluster.local:9000
  bypass_error_response_overrides: true

What else can I do to troubleshoot the issue?

Just to rule out the possibility of Ambassador (Kubernetes ingress controller) doing anything funny with HTTP headers, I have now removed Ambassador out of the picture.

The error remains the same even with this flow
Internet → ELB (L7 with SSL Certificate) → Kubernetes Pod

This is resolved now. We were missing SAML attribute mapping on the Google App, I didn’t have access to it to verify the same earlier.


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.