SAML plugin doesn't create proper request

authentication
saml

(eistrati) #1

Hello,

I’ve been trying to setup my SonarQube application with AWS SSO service. I’ve downloaded SAML metadata file [Custom_SAML_2.0_application.txt (1.3 KB)] and configured everything according to official documentation, specifically In SonarQube settings, configure SAML authentication.

In AWS SSO, I’ve setup the following:

Also, attribute mapping is in place, as well as assigned users (disclosure: I have a functional Jenkins server exposed in AWS SSO through SAML, so most of configs are the same).

I’ve opened a ticket and worked with AWS Support team to debug this issue. They are claiming that SAML request is not properly created. Is there any way I can figure out how and why it’s not working? Please help me make it work…

Relevant Info:

  • SonarQube Community Edition Version 7.1 (build 11001)
  • SAML 2.0 Authentication for SonarQube Version 1.0.0 (build 116)
  • No errors or warnings, but also doesn’t login

Thanks in advance,
Eugene.


(Julien Lancelot) #2

Hi,

Could you please check logs/web.log for any WARN or ERROR logs ?

Regards


(eistrati) #3
$ cat web.2018-08-19.log | grep ERROR
2018.08.19 19:06:08 ERROR web[AWVTip1ZxrzEZDbWAAA5][o.s.s.a.AuthenticationError] No provider key found in URI
$ cat web.2018-08-19.log | grep WARN
2018.08.19 18:51:41 WARN  web[][o.s.s.a.LogOAuthWarning] For security reasons, OAuth authentication should use HTTPS. You should set the property 'Administration > Configuration > Server base URL' to a HTTPS URL.
2018.08.19 18:55:11 WARN  web[][o.s.s.a.LogOAuthWarning] For security reasons, OAuth authentication should use HTTPS. You should set the property 'Administration > Configuration > Server base URL' to a HTTPS URL.

(Julien Lancelot) #4

The error in log is reporting that that the callback URL is incorrect.

Indeed, you should replace

by http://sonarqube.mycompany.com/oauth2/callback


(eistrati) #5

Apologies. It was my typo and I’ve double checked that it’s indeed http://sonarqube.mycompany.com/oauth2/callback

Looks like the main reason is No provider key found in URI, but not clear if it’s because of For security reasons, OAuth authentication should use HTTPS. You should set the property 'Administration > Configuration > Server base URL' to a HTTPS URL.

What do you think?

P. S. Meanwhile, I’m working to setup TLS on this server and check it again.


(Julien Lancelot) #6

Indeed, the error is No provider key found in URI., which means that the callback URL that SonarQube is receiving is wrong, but such error should not happen.

Could you please set the server logs to TRACE, then do an authentication and send us the generated logs ?


(Iacob Nicolaev) #7

Sorry for delayed response, here are TRACE logs:

2018.09.03 20:26:10 DEBUG web[AWWhDzRfXhMNRa0bAAB1][c.o.saml2.Auth] Settings validated                                                               
2018.09.03 20:26:10 DEBUG web[AWWhDzRfXhMNRa0bAAB1][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_2b75a576-5f6a-42c9-b639-825c18a857d3" Version="2.0" IssueInstant="2018-09-03T20:26:10Z" Destination="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/[REDACTED]/" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://sonar.mycompany.com/oauth2/callback/saml"><saml:Issuer>sonarqube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>           
2018.09.03 20:26:10 DEBUG web[AWWhDzRfXhMNRa0bAAB1][c.o.saml2.Auth] AuthNRequest sent to https://portal.sso.us-east-1.amazonaws.com/saml/assertion/[REDACTED]/ --> [REDACTED]

Any help will be appreciated.


(mbhforum) #8

I have the same issue as @Iacob_Nicolaev, so I will be curious to see what the result is. In my case, I am using Duo’s SAML Gateway, not AWS’s.


(Julien Lancelot) #9

Hi,

Sorry for coming late on this issue.

Could you guys check that the settings “Server base URL” (in Administration -> Configuration -> General Settings -> General) is correctly set to your SonarQube server’s URL ?

Regards


(mbhforum) #10

Hi @julienlancelot. Our Server Base URL is:

https://sonarqube-dev.redecactedcompanyname.com


(eistrati) #11

In our case, Server base URL is setup to https://sonar.mycompany.com (where mycompany.com is actually our domain).


(Alain O'Dea) #12

I found a fix which I described on a separate post: