SAML error with nginx reverse proxy

  • Sonarqube Version 9.0 (build 45539)
    • No plugins
  • SAML provider Azure AD

Sonarqube runs as: http://localhost:9000;
Nginx runs on and redirects the traffic to http://localhost:9000

When I try to log in, the following error is shown:

Log message: 
2021.07.12 15:36:04 ERROR web[AXqauDJWa+2Vp2SJAAEp][c.o.s.a.SamlResponse] The response was received at https://localhost:9000/oauth2/callback/saml instead of https://foo.comoauth2/callback/saml
2021.07.12 15:36:04 ERROR web[AXqauDJWa+2Vp2SJAAEp][c.o.saml2.Auth] processResponse error. invalid_response

I’ve configured the SAML provider and similar configurations already work with other tools.
The redirect URL on Azure AD is configured to the public address

nginx reverse proxy config:

	server {
		listen 443 ssl;
		ssl_certificate foo;
		ssl_certificate_key foo;
		client_max_body_size 5000M;

		location / {
			#don't let google index this page
			add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
			proxy_pass http://localhost:9000;
			proxy_set_header X-Forwarded-Host $http_host;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
		}
	}

I guess it is related with the base url.
I did set as server base URL in the ui

I also set it in the sonar properties files directly.

What needs to be changed in order to get SAML working in this scenario?
I’ve checked most of the forum entries about this topic but was unable to find a solution.

I believe you need this additional line:

proxy_set_header Host $host;

After hitting the same error on a new server setup and scouring these posts I realized the doc actually covers this here: Operating the Server | SonarQube Docs and there is a post on handling this case on IIS here: SonarQube Users: Let's talk about IIS and SAML Authentication!

I thought X-Forwarded-Host would accomplish this, but it did not work for me. I needed to set the “Host” header.

In my case I also added:

proxy_set_header X-Forwarded-Proto https;

although I think your $scheme is covering this since your error msg shows https:// in both URLs already.

I hope this helps you (and/or someone else!)

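Added example (not part of the thread and not SonarQube's code): a small Python model of why the Destination check in the first log line fails until `Host` is forwarded. The public hostname `sonar.example.test` is a constructed placeholder, and the way the backend rebuilds its URL (scheme from `X-Forwarded-Proto`, authority from `Host`, `X-Forwarded-Host` ignored) is an assumption inferred from the log lines and replies above.

```python
from urllib.parse import urlsplit

# Constructed placeholders: public hostname and the ACS URL registered at the IdP.
PUBLIC_HOST = "sonar.example.test"
DESTINATION = f"https://{PUBLIC_HOST}/oauth2/callback/saml"
PROXY_PASS = "http://localhost:9000"  # from the nginx config on this page


def upstream_headers(set_headers, client_host=PUBLIC_HOST, scheme="https"):
    """Headers nginx sends to the backend for one TLS request.

    nginx's default is `proxy_set_header Host $proxy_host;`, i.e. the
    authority of proxy_pass, unless the config overrides Host.
    """
    variables = {"$host": client_host, "$http_host": client_host, "$scheme": scheme}
    headers = {"Host": urlsplit(PROXY_PASS).netloc}
    for name, value in set_headers.items():
        headers[name] = variables.get(value, value)
    return headers


def received_url(headers, path="/oauth2/callback/saml"):
    """Assumed backend behaviour: scheme from X-Forwarded-Proto, authority
    from Host; X-Forwarded-Host is not consulted."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    return f"{scheme}://{headers['Host']}{path}"


def check_destination(set_headers):
    """Return (url_the_backend_sees, passes_destination_check)."""
    url = received_url(upstream_headers(set_headers))
    return url, url == DESTINATION


# proxy_set_header lines from the question, then with the suggested fix added.
ORIGINAL = {"X-Forwarded-Host": "$http_host", "X-Forwarded-Proto": "$scheme"}
FIXED = {**ORIGINAL, "Host": "$host"}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("with Host $host", FIXED)):
        url, ok = check_destination(cfg)
        print(f"{label:16} {url}  {'accepted' if ok else 'invalid_response'}")
```

The Destination check ensures a SAML response is only accepted at the endpoint the IdP addressed it to, so the fix belongs in the proxy headers rather than in relaxing the check.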

proxy_set_header Host $host;
This did the trick.

Now SAML seems to be configured OK, but I cannot authenticate.

Error message in the log: Fail to callback authentication with ‘saml’
java.lang.NullPointerException: Name is missing

Any idea what is wrong here?

Having the same problem, Nginx configured exactly how it's stated in the official docs. Error I’m getting from the SQ container:

ERROR web[AXxUzLA1NnhuSmG1AAB5][c.o.s.a.SamlResponse] The response was received at http://sonarqube:9000/oauth2/callback/saml instead of
ERROR web[AXxUzLA1NnhuSmG1AAB5][c.o.saml2.Auth] processResponse error. invalid_response

Azure’s AD logs are showing successful auth but SQ UI displays ‘not authorized’ error… any leads?