SAML login failure not showing the correct error message

  • versions used
    SonarQube 8.4.1

  • error observed

After some effort, I was finally able to implement Auth0 as the SAML identity provider. While successful logins seem to be working as expected, I noticed an issue when Auth0 rejected the login attempt, i.e. the case of an unsuccessful login. Instead of displaying the actual error message that is returned by Auth0, it displays a very odd-looking reason for the login failure. It is not at all user-friendly.

    The reason should be the actual error message returned from Auth0.

    You’re not authorized to access this page. Please contact the administrator.

    Reason: The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Responder ->

  • steps to reproduce
    Implement SAML
    Make sure the identity provider rejects the login.

  • potential workaround
    None

Hi,

What’s the actual message that’s displayed?

 
Ann

Hi,

Thanks for your response. Please see below. The reason in Expected Message should be the actual error returned by Auth0.

Expected Message

You’re not authorized to access this page. Please contact the administrator.

Reason: You do not have an active license for XYZ. Please contact product support at some@email.

Actual Message

You’re not authorized to access this page. Please contact the administrator.

Reason: The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Responder ->

Hi,

It’s not clear to me why you expect a message about licensing. I’m guessing what you’re seeing is the actual error message.

 
Ann

Hi Ann,

I am not sure where the confusion is. The licensing error message was an example. It could be any error message that’s returned by Auth0 when the login fails.

When authenticating via Auth0, if the login fails (e.g. for licensing reason or any other reason for that matter), Auth0 returns an error message. That is the error message I am expecting to see in the SonarQube UI.

The issue is: what's displayed in the SonarQube UI after the login fails is not what is being returned by Auth0.

Just FYI: we have Auth0 integration with GitLab too, and it clearly displays the same error message returned by Auth0. Now, that one is an OAuth2 integration, not SAML. I am not aware whether that should matter.

Is there a way to see (somewhere in the logs, maybe) the error that is being returned by Auth0?

Please let me know if I am still not able to explain the issue correctly.

Thanks
Saurabh

Hi @saurabhdeep,

The error that is currently returned is the one the SAML provider is sending to SonarQube.
We don’t have any other details than that.
If the error is not the same when using OAuth2, it is most probably because, as you said, the implementation of OAuth2 is not the same as the implementation of SAML.

Regards

Hi @julienlancelot,

That’s unfortunate. This generic, non-user-friendly error looks too bad.

Is there a way to view the error that is being returned by the SAML provider? Do any of the log files have this information? If we can verify this, I can take this to Auth0 and open a case with them.

Thank you for your help.

Best
Saurabh

Hi,

The message you see is exactly the message returned by the SAML provider:

The only way I can think of to get more information would be to check the logs directly on the SAML provider.
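The thread never shows what the identity provider actually put into the SAML response, only the string a service-provider library built from it. The SAML 2.0 protocol schema gives an IdP three places to report a failure: the top-level `samlp:StatusCode` (here `urn:oasis:names:tc:SAML:2.0:status:Responder`), an optional nested second-level `StatusCode`, and an optional human-readable `samlp:StatusMessage`. The example below is added here and is not code from SonarQube, Auth0 or this thread; it parses the `SAMLResponse` POST parameter (which an administrator can copy from the browser's network tools during a failed login) and reports exactly which of those three fields the IdP filled in. It assumes the HTTP-POST binding (plain base64, no DEFLATE), and the sample responses and the `sp.example.invalid` destination are constructed for the demonstration. That the displayed reason ends in a bare `->` is consistent with an empty `StatusMessage` being appended after the code, but that is an assumption about the library's formatting, not something the thread confirms.

```python
"""Inspect the <samlp:Status> of a SAML 2.0 Response to see what the IdP
really reported. Added example; not SonarQube's or Auth0's own code.
Intended for offline inspection of a captured response, not as a
replacement for a proper SAML library that validates signatures."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(post_param: str) -> str:
    """Decode the base64 'SAMLResponse' form field of the HTTP-POST binding.
    (The HTTP-Redirect binding also DEFLATE-compresses the payload, but IdP
    responses are normally POSTed, so plain base64 is enough here.)"""
    return base64.b64decode(post_param).decode("utf-8")


def parse_status(response_xml: str) -> dict:
    """Extract the top-level StatusCode, the optional nested StatusCode,
    and the optional StatusMessage/StatusDetail from a samlp:Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response element: {root.tag}")
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response carries no <samlp:Status>")
    top = status.find("samlp:StatusCode", NS)
    if top is None or "Value" not in top.attrib:
        raise ValueError("Status carries no top-level <samlp:StatusCode>")
    sub = top.find("samlp:StatusCode", NS)          # second-level code, optional
    msg = status.find("samlp:StatusMessage", NS)    # human-readable text, optional
    detail = status.find("samlp:StatusDetail", NS)  # IdP-specific XML, optional
    message = (msg.text or "").strip() if msg is not None else None
    return {
        "success": top.attrib["Value"] == SUCCESS,
        "status_code": top.attrib["Value"],
        "sub_status_code": sub.attrib.get("Value") if sub is not None else None,
        "status_message": message or None,
        "status_detail": "".join(detail.itertext()).strip() or None
        if detail is not None else None,
    }


def status_from_post_param(post_param: str) -> dict:
    """Convenience wrapper: base64 SAMLResponse field -> parsed status."""
    return parse_status(decode_saml_response(post_param))


def describe(status: dict) -> str:
    """One-line summary an administrator can paste into a support case."""
    if status["success"]:
        return "IdP reported Success"
    parts = [f"IdP reported failure {status['status_code']}"]
    if status["sub_status_code"]:
        parts.append(f"sub-status {status['sub_status_code']}")
    if status["status_message"]:
        parts.append(f"message: {status['status_message']}")
    else:
        parts.append("no StatusMessage supplied by the IdP")
    return "; ".join(parts)


# Constructed sample responses (signatures and assertions omitted on purpose).
_HEAD = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_c1" Version="2.0" '
         'IssueInstant="2020-09-01T10:00:00Z" '
         'Destination="https://sp.example.invalid/saml/acs">')

FAILED_NO_MESSAGE = _HEAD + """
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
  </samlp:Status>
</samlp:Response>"""

FAILED_WITH_MESSAGE = _HEAD + """
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>You do not have an active license for XYZ. Please contact product support at some@email.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

SUCCESS_RESPONSE = _HEAD + """
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""

# What the SAMLResponse form field would look like for the second sample.
ENCODED_SAMPLE = base64.b64encode(FAILED_WITH_MESSAGE.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for sample in (FAILED_NO_MESSAGE, FAILED_WITH_MESSAGE, SUCCESS_RESPONSE):
        print(describe(parse_status(sample)))
    print(describe(status_from_post_param(ENCODED_SAMPLE)))
```

If the parsed status of a real failed login shows a top-level `Responder` code with no nested code and no `StatusMessage`, then the service provider had nothing more user-friendly to show, and the request to surface a readable reason belongs with the IdP configuration; if a `StatusMessage` is present but not displayed, the gap is on the service-provider side.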