SAML error with nginx reverse proxy

  • Sonarqube Version 9.0 (build 45539)
    • No plugins
  • SAML provider Azure AD

Sonarqube runs as: http://localhost:9000;
Nginx runs on https://foo.com:443 and redirects the traffic to http://localhost:9000

When I try to log in, the following error is shown:
image

Log message: 
2021.07.12 15:36:04 ERROR web[AXqauDJWa+2Vp2SJAAEp][c.o.s.a.SamlResponse] The response was received at https://localhost:9000/oauth2/callback/saml instead of https://foo.comoauth2/callback/saml
2021.07.12 15:36:04 ERROR web[AXqauDJWa+2Vp2SJAAEp][c.o.saml2.Auth] processResponse error. invalid_response

I’ve configured the SAML provider and similar configurations already work with other tools.
The redirect URL on Azure AD is configured to the public address https://foo.com/oauth2/callback/saml

nginx reverse proxy config:

	server {
		listen 443 ssl;
		server_name foo.com;
		
		ssl_certificate foo;
		ssl_certificate_key foo;
		
		client_max_body_size 5000M;
		

		location / {
			#don't let google index this page
			add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
			proxy_pass http://localhost:9000;
			
			proxy_set_header X-Forwarded-Host $http_host;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
			}
	}

I guess it is related to the base URL.
I did set https://foo.com as the server base URL in the UI.

I also set it in the sonar properties files directly.
sonar.core.serverBaseURL=https://foo.com

What needs to be changed in order to get SAML working in this scenario?
I’ve checked most of the forum entries about this topic but was unable to find a solution.

I believe you need this additional line:

proxy_set_header Host $host;

After hitting the same error on a new server setup and scouring these posts I realized the doc actually covers this here: Operating the Server | SonarQube Docs and there is a post on handling this case on IIS here: SonarQube Users: Let's talk about IIS and SAML Authentication!

I thought X-Forwarded-Host would accomplish this, but it did not work for me. I needed to set the “Host” header.

In my case I also added:

proxy_set_header X-Forwarded-Proto https;

although I think your $scheme is covering this since your error msg shows https:// in both URLs already.

I hope this helps you (and/or someone else!)

1 Like
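
Why the extra Host line changes the URL in the error, as an added example that is not part of the original posts or of SonarQube's code: a simplified Python model of the headers nginx sends upstream and of how a backend rebuilds its own URL for the SAML Destination check. The function names are hypothetical, and the backend rule (scheme from X-Forwarded-Proto, host from Host) is an assumption chosen because it reproduces the log line in the question.

```python
from urllib.parse import urlsplit

# Values taken from the thread: public name, backend address, callback path.
PUBLIC_HOST = "foo.com"
PROXY_PASS = "http://localhost:9000"
ACS_PATH = "/oauth2/callback/saml"
EXPECTED_DESTINATION = "https://foo.com/oauth2/callback/saml"


def upstream_headers(client_host, client_scheme, proxy_pass, overrides):
    """Headers nginx sends upstream for one request.

    nginx's built-in default is `proxy_set_header Host $proxy_host;`, i.e. the
    host[:port] from proxy_pass, unless the config sets Host itself.
    """
    variables = {
        "$host": client_host,
        "$http_host": client_host,
        "$scheme": client_scheme,
        "$proxy_host": urlsplit(proxy_pass).netloc,
    }
    headers = {"Host": "$proxy_host"}
    headers.update(overrides)
    # Expand nginx variables; literal values such as "https" pass through.
    return {name: variables.get(value, value) for name, value in headers.items()}


def received_url(headers, path):
    """Assumed backend behaviour: scheme from X-Forwarded-Proto, host from Host."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    return f"{scheme}://{headers['Host']}{path}"


def destination_ok(headers, path=ACS_PATH, expected=EXPECTED_DESTINATION):
    """True when the URL the backend believes it has equals the IdP's Destination."""
    return received_url(headers, path) == expected


# proxy_set_header directives from the question, then with the suggested line added.
ORIGINAL = {"X-Forwarded-Host": "$http_host", "X-Forwarded-Proto": "$scheme"}
FIXED = dict(ORIGINAL, Host="$host")

if __name__ == "__main__":
    for label, directives in (("original", ORIGINAL), ("with Host $host", FIXED)):
        h = upstream_headers(PUBLIC_HOST, "https", PROXY_PASS, directives)
        print(f"{label:16} -> {received_url(h, ACS_PATH)}  match={destination_ok(h)}")
```
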

proxy_set_header Host $host;
This did the trick.

Now SAML seems to be configured OK, but I cannot authenticate.
image

Error message in the log: Fail to callback authentication with ‘saml’
java.lang.NullPointerException: Name is missing

Any idea what is wrong here?