SAML Sonarqube with AWS SSO

What are you trying to accomplish?
I’m facing an error on the AWS side: error 403, no access. I followed all the instructions from here:
Link Docs

AWS support told me that they do not have any more logs and that I should try to understand this error with the development teams. I don’t know if I came to the right channel, but I can’t resolve this error yet. I tried changing parameters and re-configured the certificate in SonarQube, but nothing works.

Sending more context:

I configured SonarQube with the parameters the docs told me to use, and in AWS SSO I picked the same parameters, correlating with an email from our accounts.

Thanks in advance for helping me.


Hey there.

You should be able to see logs from SAML authentication in your installation’s logs/web.log file. If you don’t have access to the file system, you can also download the logs from your global Administration > System page. You can also increase/decrease the log level here.

And, as mentioned in the topic template:

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

I just went through the same issue.
Apparently, the issue was in the SonarQube service URL.
If you are using an ALB in front of SonarQube (or any other reverse proxy), you may have the same issue as me.
The host in the Application ACS URL of the application in AWS IAM Identity Center must match the host set in Administration > Configuration > General > Server base URL.
This was the missing part after following the instructions in the docs that you provided.

More details:
The following request is sent to the AWS IdP if the host is not set in the configuration:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_xxx" Version="2.0" IssueInstant="2023-01-02T03:08:30Z" Destination="<url from config>" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml">
    <saml:Issuer>sonarqube</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>

As you see, the value for AssertionConsumerServiceURL is set to localhost, which is later compared to the Application ACS URL from the application created in AWS Identity Center.


Hello, happy new year mate.

Thanks for sharing some content here.

The version of SonarQube here is:

SonarQube ID information
Server ID: 499F1673-AVlbTUgAcfdcF0zs0eox
Version: 9.7.0.61563

Here are some log details that I’ve got:


ID="ONELOGIN_ccd2812a-a041-4e2f-a19e-ec339427d9d1" Version="2.0" IssueInstant="2023-01-03T09:51:15Z"

Destination="https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/[REDACTED]"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://MYHOST/oauth2/callback/saml"><saml:Issuer>sonarqube-sandbox
</saml:Issuer>

<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>

[c.o.saml2.Auth]AuthNRequest sent to https://portal.sso.eu-west-1.amazonaws.com/saml/assertion/[REDACTED] --> fZJRb9MwEMe/SuR3J3GSCmq1lcoyI[REDACTED]

The access log:

10.5.153.121 - - [03/Jan/2023:09:51:55 +0000] "GET /sessions/init/saml?return_to=%2F HTTP/1.1" **302** - "https://MYCOMPANY.awsapps.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" "AYVNr7QhVLM8++vpC0kP"

I was apprehensive about the “unspecified” part of the SAML information, so I changed it on the AWS SSO application panel, but the behavior continues.

mleszczynski (I can’t mention you because I am new here), thanks for it, and yes, my server base URL is equal to the ACS URL and the other places. While searching I read about the HTTP header forwarding that the ALB was missing (or not doing) to the IdP so that the assertion doesn’t match, but I don’t know if that’s the case. I don’t have much log information; all I have is above.

I tried AWS support to get the error from the AWS SSO side, but as I said, they did not have many logs from third-party apps.

Edited:

After I posted here, I found some gold on the log:

2023.01.03 10:18:38 ERROR web[AYVNr7QhVLM8++vpC0/S][c.o.saml2.Auth] processResponse error.SAML Response not found, Only supported HTTP_POST Binding
2023.01.03 10:18:38 WARN  web[AYVNr7QhVLM8++vpC0/S][o.s.s.a.AuthenticationError] Fail to callback authentication with 'saml'
[OMITTED STACKTRACE]

Caused by: com.onelogin.saml2.exception.Error: SAML Response not found, Only supported HTTP_POST Binding
	at com.onelogin.saml2.Auth.processResponse(Auth.java:1244)
	at com.onelogin.saml2.Auth.processResponse(Auth.java:1254)
	at org.sonar.auth.saml.SamlAuthenticator.processResponse(SamlAuthenticator.java:145)

Can you share some info about what the deployment of SonarQube looks like?
Do you have a WAF in front of the load balancer?
In my case, I have SonarQube deployed as an AWS ECS service on Fargate, and I have an (internal) ALB in front of it that does the TLS termination.

Yes, we have been running SonarQube in an EKS cluster using an ALB with HostPath rules that sends the request to a target group.
This target group is a service that connects everything, and our ALB has an AWS WAF binding too. I am new to the company, but this is what I found out about the structure.

I am still looking into the HTTP POST error, and I am still facing it.

In my last breath on this task, I changed everything, and to my surprise the name in sonar.auth.saml.applicationId was different from the Audience in AWS SSO.

When I put in the same name, the SAML POST occurred, and I could get more info about the SAML response and see groups and other information, so in the end, everything works :)

Thank you all
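The two mismatches found in this thread (ACS URL host versus Server base URL, and sonar.auth.saml.applicationId versus the AWS Audience) can be checked from the AuthnRequest that SonarQube logs. The following is an added example, not code from the posters or from SonarQube; it assumes the logged blob after `-->` is base64 over raw DEFLATE, that the Issuer element carries the applicationId value, and uses constructed sample values and hypothetical function names.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, modelled on the localhost request quoted in the thread.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_xxx" Version="2.0" '
    'AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml">'
    "<saml:Issuer>sonarqube</saml:Issuer></samlp:AuthnRequest>"
)

def decode_authn_request(blob):
    """Decode a logged request: base64, then raw DEFLATE if it is not already XML."""
    raw = base64.b64decode(blob)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # assumed redirect-binding style encoding
    return raw.decode("utf-8")

def origin(url):
    """Scheme and host[:port], lower-cased, for comparing two URLs."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()

def check_authn_request(xml_text, server_base_url, idp_acs_url, idp_audience):
    """Return the mismatches between SonarQube's request and the IdP application."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a SAML request")
    root = ET.fromstring(xml_text)
    acs = root.get("AssertionConsumerServiceURL", "")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    problems = []
    if origin(acs) != origin(server_base_url):
        problems.append(f"ACS URL {acs!r} does not use Server base URL {server_base_url!r}")
    if acs.rstrip("/") != idp_acs_url.rstrip("/"):
        problems.append(f"ACS URL {acs!r} differs from Application ACS URL {idp_acs_url!r}")
    if issuer != idp_audience:
        problems.append(f"Issuer {issuer!r} differs from SAML audience {idp_audience!r}")
    return problems

if __name__ == "__main__":
    for line in check_authn_request(SAMPLE_XML, "https://sonarqube.example.com",
                                    "https://sonarqube.example.com/oauth2/callback/saml",
                                    "sonarqube-sandbox"):
        print("MISMATCH:", line)
```

Pass the output of `decode_authn_request` on the logged blob to `check_authn_request`, together with the values configured in the IdP application; an empty list means the request and the IdP settings agree on all three points.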
