SAML Failure: SAML Response not found, Only supported HTTP_POST Binding

Must-share information (formatted with Markdown):

  • SonarQube 10.3.0.82913
  • Helm - on EKS with load-balancer ingress
  • Get SAML working with Okta
  • Debugging with Okta instance, Debug on server logs, and SAML-tracer chrome plugin
2024.03.27 19:32:48 DEBUG web[AY494pUdAHkAldl0A4D4][c.o.saml2.Auth] Settings validated
2024.03.27 19:32:48 ERROR web[AY494pUdAHkAldl0A4D4][c.o.saml2.Auth] processResponse error.SAML Response not found, Only supported HTTP_POST Binding
2024.03.27 19:32:48 WARN  web[AY494pUdAHkAldl0A4D4][o.s.s.a.AuthenticationError] Fail to callback authentication with 'saml'
java.lang.IllegalStateException: Failed to process the authentication response
......
......
Caused by: com.onelogin.saml2.exception.Error: SAML Response not found, Only supported HTTP_POST Binding
	at com.onelogin.saml2.Auth.processResponse(Auth.java:1244)
	at com.onelogin.saml2.Auth.processResponse(Auth.java:1254)
	at org.sonar.auth.saml.SamlAuthenticator.processResponse(SamlAuthenticator.java:153)
	... 151 common frames omitted

With SAML-tracer I see a GET hitting the SAML endpoint configured as SAML login URL in the edit SAML configuration window. I do see PUTs hitting other Okta apps.

My question is: Is the lack of a POST request hitting the SAML login url my problem? If so, how do I ensure that Okta is using POST instead of GET?

Hi,

Welcome to the community!

My searches indicate that the lack of the POST probably is the problem. It looks like you should make sure the SonarQube side is fully configured.

 
HTH,
Ann
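
Added example (not part of the posts above, and not SonarQube or OneLogin code): a Python check that classifies one captured request to the SAML callback, for instance one copied out of SAML-tracer, by whether it carries a `SAMLResponse` form field as the HTTP-POST binding requires. The host name, the verdict strings and the sample message are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed placeholder host; substitute your own callback URL.
CALLBACK = "https://sonarqube.example.com/oauth2/callback/saml"

def diagnose(method, url, content_type="", body=""):
    """Return (verdict, destination) for one captured callback request.

    Diagnostic only: it checks how the message was delivered and never
    validates the signature, so it must not be used to trust a response.
    """
    query = parse_qs(urlsplit(url).query)
    if method.upper() != "POST":
        # A GET can at best carry the HTTP-Redirect binding (query string).
        if "SAMLResponse" in query:
            return ("redirect-binding", None)
        return ("no-saml-message", None)
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return ("post-wrong-content-type", None)
    form = parse_qs(body)
    if "SAMLResponse" not in form:
        return ("post-without-samlresponse", None)
    try:
        # HTTP-POST binding: the form field is plain base64 of the XML.
        xml = base64.b64decode(form["SAMLResponse"][0], validate=True)
        root = ET.fromstring(xml)
    except (ValueError, ET.ParseError):
        return ("post-undecodable", None)
    if root.tag != "{%s}Response" % SAMLP_NS:
        return ("post-not-a-response", None)
    # Destination should equal the callback URL the service provider expects.
    return ("http-post-binding", root.get("Destination"))

def sample_post_body():
    """Constructed, unsigned SAML Response encoded as an IdP would POST it."""
    xml = ('<samlp:Response xmlns:samlp="%s" ID="_constructed" Version="2.0" '
           'Destination="%s"/>' % (SAMLP_NS, CALLBACK))
    encoded = base64.b64encode(xml.encode()).decode()
    return urlencode({"SAMLResponse": encoded, "RelayState": "constructed"})

if __name__ == "__main__":
    form_type = "application/x-www-form-urlencoded"
    print(diagnose("GET", CALLBACK))  # the case described in the question
    print(diagnose("POST", CALLBACK, form_type, sample_post_body()))
```

A `no-saml-message` verdict on a GET matches the log error in the question: the request reached the callback without any `SAMLResponse` parameter.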

Doesn’t this insinuate that the SonarQube side is fully configured?

2024.03.27 19:32:48 DEBUG web[AY494pUdAHkAldl0A4D4][c.o.saml2.Auth] Settings validated

Hi,

Was that a snippet of your SonarQube log that you provided? If so, can you provide the whole log?

 
Thx,
Ann

We got this resolved. However, this brings up an issue that I’m not sure is covered by a pre-existing Feature Request: We need to provision users manually with our Dev license. However, once we set up the user we need to make an API request (update_identity_provider) to convert the user from local auth to SAML auth. This is not documented here.

  1. Is there an existing Feature Request to either automate this or include it in the UI?
  2. Can the documentation be updated to be clearer?

Hi,

Can you explain why you need to provision the users? Can’t you just let them be created on first login?

 
Ann