SAML error with nginx reverse proxy

  • Sonarqube Version 9.0 (build 45539)
    • No plugins
  • SAML provider Azure AD

Sonarqube runs as: http://localhost:9000;
Nginx runs on https://foo.com:443 and redirects the traffic to http://localhost:9000

When I try to log in, the following error is shown:

Log message: 
2021.07.12 15:36:04 ERROR web[AXqauDJWa+2Vp2SJAAEp][c.o.s.a.SamlResponse] The response was received at https://localhost:9000/oauth2/callback/saml instead of https://foo.comoauth2/callback/saml
2021.07.12 15:36:04 ERROR web[AXqauDJWa+2Vp2SJAAEp][c.o.saml2.Auth] processResponse error. invalid_response

I've configured the SAML provider and similar configurations already work with other tools.
The redirect URL on Azure AD is configured to the public address https://foo.com/oauth2/callback/saml

nginx reverse proxy config:

	server {
		listen 443 ssl;
		server_name foo.com;
		
		ssl_certificate foo;
		ssl_certificate_key foo;
		
		client_max_body_size 5000M;
		

		location / {
			#don't let google index this page
			add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
			proxy_pass http://localhost:9000;
			
			proxy_set_header X-Forwarded-Host $http_host;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
			}
	}

I guess it is related to the base URL.
I did set https://foo.com as server base URL in the UI.

I also set it in the sonar properties files directly.
sonar.core.serverBaseURL=https://foo.com

What needs to be changed in order to get SAML working in this scenario?
I've checked most of the forum entries about this topic but was unable to find a solution.

2 Likes

I believe you need this additional line:

proxy_set_header Host $host;

After hitting the same error on a new server setup and scouring these posts I realized the doc actually covers this here: Operating the Server | SonarQube Docs and there is a post on handling this case on IIS here: SonarQube Users: Let's talk about IIS and SAML Authentication!

I thought X-Forwarded-Host would accomplish this, but it did not work for me. I needed to set the "Host" header.

In my case I also added:

proxy_set_header X-Forwarded-Proto https;

although I think your $scheme is covering this since your error msg shows https:// in both URLs already.

I hope this helps you (and/or someone else!)

5 Likes

proxy_set_header Host $host;
This did the trick.

Now SAML seems to be configured OK, but I cannot authenticate.

Error message in the log: Fail to callback authentication with 'saml'
java.lang.NullPointerException: Name is missing

Any idea what is wrong here?

Having the same problem, Nginx configured exactly how it's stated in the official docs. Error I'm getting from the SQ container:

ERROR web[AXxUzLA1NnhuSmG1AAB5][c.o.s.a.SamlResponse] The response was received at http://sonarqube:9000/oauth2/callback/saml instead of https://sonarqube-hello.msappproxy.net/oauth2/callback/saml
ERROR web[AXxUzLA1NnhuSmG1AAB5][c.o.saml2.Auth] processResponse error. invalid_response

Azure's AD logs are showing successful auth but SQ UI displays 'not authorized' error... any leads?

That all worked for me after 1-1.5 days of troubleshooting, thanks Joshoua.

Regards.

Great line!
proxy_set_header X-Forwarded-Proto $scheme;

2 Likes

This is exactly what I was looking for. Saved a lot of my debugging time, Thanks a lot !!!

1 Like
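
An added example, not part of any post in this thread and not SonarQube code: a small triage script that parses the "received at ... instead of ..." error quoted above and reports which URL component differs. The hint text per component is this example's own mapping (an assumption), built from the fixes posted in the thread.

```python
import re
from urllib.parse import urlsplit

# Error text as it appears in the SamlResponse log lines quoted in this thread.
MISMATCH = re.compile(
    r"The response was received at (?P<seen>\S+) instead of (?P<expected>\S+)"
)

# Hints are this example's mapping (an assumption), taken from the fixes posted above.
HINTS = {
    "scheme": "forward the client scheme: proxy_set_header X-Forwarded-Proto $scheme;",
    "host": "forward the public host: proxy_set_header Host $host;",
    "path": "compare the server base URL with the reply URL registered at the IdP",
}

def diagnose(log_line):
    """Return [(component, seen, expected, hint)], or None if not a mismatch line."""
    m = MISMATCH.search(log_line)
    if m is None:
        return None
    seen, expected = urlsplit(m["seen"]), urlsplit(m["expected"])
    pairs = {
        "scheme": (seen.scheme, expected.scheme),
        "host": (seen.netloc.lower(), expected.netloc.lower()),
        "path": (seen.path, expected.path),
    }
    return [(k, s, e, HINTS[k]) for k, (s, e) in pairs.items() if s != e]

# Log lines copied from the two reports in this thread.
SAMPLE_LOG = [
    "2021.07.12 15:36:04 ERROR web[AXqauDJWa+2Vp2SJAAEp][c.o.s.a.SamlResponse] "
    "The response was received at https://localhost:9000/oauth2/callback/saml "
    "instead of https://foo.comoauth2/callback/saml",
    "ERROR web[AXxUzLA1NnhuSmG1AAB5][c.o.s.a.SamlResponse] "
    "The response was received at http://sonarqube:9000/oauth2/callback/saml "
    "instead of https://sonarqube-hello.msappproxy.net/oauth2/callback/saml",
    "ERROR web[AXxUzLA1NnhuSmG1AAB5][c.o.saml2.Auth] processResponse error. invalid_response",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for component, s, e, hint in diagnose(line) or []:
            print(f"{component}: server saw {s!r}, expected {e!r} -> {hint}")
```

On the first log line the script also flags a path difference, because the expected URL is logged as `foo.comoauth2/...` with no slash after the host.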