SAML integration with Sonar 10.3 access blocked by wrong redirect URL

I am trying to integrate Sonar with SAML (AAD) and have struggled for days getting it working with IIS. I am fairly sure I have read all of the existing discussions and tried the various suggestions. This is the error:


Sonar and IIS are running on a Windows server (VM) manually deployed. IIS is running on http because we have Application Gateway acting as the SSL terminator.

For the set up I have:

  • Sonar - Server base URL -
  • Sonar - SAML Auth Set up and Test configuration works
  • IIS - Reverse Proxy rewrite rule configure
  • IIS - Site Proxy unchecked reverse rewrite host

Now when I click Login it redirects to AAD and successfully authenticates (checked AAD logs). I have also proved this fails if I change the reply URL to a wrong value. I can also show the reply URL is being generated from the Server Base URL set above. This is:

It seems that even though Sonar is generating the correct reply URL before the SAML auth request it then compares the reply URL in the response with what it perceives as the URL which is actually the local server URL so something like this (wrong URL):

https://<machine domain hostname>/alm/sonar/oauth2/callback/saml

So in short it is a Sonar generated error not a AAD one that took me a long time to realise

Now I can see that it determines the protocol for the wrong URL using the value of HTTP_X_FORWARDED_PROTO by switching between http/https.

I have also tried to influence the domain in this wrong URL by setting:


But nothing seems to work, what am I missing?

Thanks in advance.

Hey there.

Have you made sure to preserve host headers? This is a funny one – at least at the time I wrote this guide, it has to be run on the command line.

I spent hours figuring this out back in October 2020 so I hope it helps. :pray:

This info is also incorporated into the docs. I mention it because I don’t see you mention it in your topic post.

Yes I forgot to mention that I had also done that. I checked to confirm:

And you’ve restarted the IIS server after?

It was set a few months ago but yes I have certainly restarted the server and VM since then.

Does anyone know which header is used to infer the original hostname so I can check if that is coming through the load balancer?

Hopefully a final update as I have managed to get it working. In short the Application Gateway that was fronting Sonar was configured with the host domain <machine domain hostname> and not the expected URL In practice this value would be configured in the AppGw backend settings at this point:


With this change the host name header coming from AppGw was set correctly for Sonar to pick up and use in the check.

1 Like