Subject: SAML SSO Issue with Microsoft MyApps – “Not Authorized” Error
Product: SonarQube Enterprise v2025.1 (102418)
SSO Provider: Microsoft Entra ID (formerly Azure AD)
Authentication Method: SAML 2.0
Direct link works: https://sonarqube.domain.local
Microsoft MyApps link fails: https://launcher.myapps.microsoft.com/api/signin/*
Issue Description:
We have successfully configured SAML SSO for our SonarQube instance. Users are able to log in via the direct URL (https://sonarcube.domain.local) without any issues.
However, when attempting to access SonarQube using the Microsoft MyApps portal, authentication through Azure/Entra completes successfully, but users are redirected to the following SonarQube error page:
https://sonarcube.domain.local/sessions/unauthorized
The message displayed is:
“You’re not authorized to access this page. Please contact the administrator.”
Steps to Reproduce:
- Configure SAML SSO for SonarQube with Microsoft Entra.
- Add SonarQube as an enterprise app in Microsoft MyApps.
- Attempt login via the MyApps launcher (https://launcher.myapps.microsoft.com/api/signin/).
- Observe that authentication succeeds but ends in an “unauthorized” page from SonarQube.
Expected Behavior:
Users should be able to access SonarQube via the MyApps launcher just as they do using the direct link.
DEBUG LOGS
2025.04.17 00:38:22 DEBUG web[2d7a8cd3-bf2e-4e4c-8668-c3d7af6a6fe6][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
2025.04.17 00:38:29 DEBUG web[6d7889c7-6587-43cb-9306-c17f05d98a69][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
2025.04.17 00:38:36 DEBUG web[3abad1d4-6970-4727-8a5f-df359d6b5731][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Pool stats (total=10/10, idle=10/10, active=0, waiting=0)
2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Fill pool skipped, pool has sufficient level or currently being filled.
2025.04.17 00:38:46 DEBUG web[396da3af-00d8-44c1-92d8-f787ac3898f4][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
Additional Notes:
- No authorization or role issues when accessing directly via the SonarQube URL.
- All SAML attributes (NameID, groups, etc.) appear to be passed correctly during both flows.
- We have tried to fill in Relay State, but it did not help. We used the following endpoints:
https://sonarqube.domain.local
https://sonarqube.domain.local/
https://sonarqube.domain.local/projects
https://sonarqube.domain.local/projects/
https://sonarqube.domain.local/account/projects
https://sonarqube.domain.local/account/projects/
Questions
- Is there any way to make the MyApps link work for SonarQube?
- Please advise if additional debug logs or configuration details are needed.
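
A way to triage the DEBUG LOGS excerpt above, as an added example that is not part of the original post or of SonarQube itself: it parses the `auth.event` login-failure lines into fields and counts failures per cause, method and provider. The field layout is inferred from the lines in the post (an assumption, not a documented format), and the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the DEBUG LOGS section of the post; the HikariPool line
# is kept as noise that the parser must skip.
SAMPLE_LOG = """\
2025.04.17 00:38:22 DEBUG web[2d7a8cd3-bf2e-4e4c-8668-c3d7af6a6fe6][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
2025.04.17 00:38:29 DEBUG web[6d7889c7-6587-43cb-9306-c17f05d98a69][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Pool stats (total=10/10, idle=10/10, active=0, waiting=0)
2025.04.17 00:38:46 DEBUG web[396da3af-00d8-44c1-92d8-f787ac3898f4][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
"""

# Layout inferred from the lines above (assumption):
# <date> <time> <level> web[<request id>][auth.event] login failure [key|value...]...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \w+ web\[(?P<request_id>[^\]]*)\]"
    r"\[auth\.event\] login failure (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\[(\w+)\|([^\]]*)\]")


def parse_login_failures(text):
    """Return one dict per auth.event login-failure line, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        # A field may carry several '|'-separated values (provider, IP).
        fields = {key: value.split("|") for key, value in FIELD_RE.findall(m["fields"])}
        events.append({
            "timestamp": m["ts"],
            "request_id": m["request_id"],
            "cause": "|".join(fields.get("cause", [])),
            "method": "|".join(fields.get("method", [])),
            "provider": "|".join(fields.get("provider", [])),
            "ips": fields.get("IP", []),
            "login": "|".join(fields.get("login", [])),  # empty in every line of the post
        })
    return events


def summarize(events):
    """Count failures per (cause, method, provider) to show whether one cause dominates."""
    return Counter((e["cause"], e["method"], e["provider"]) for e in events)


if __name__ == "__main__":
    for (cause, method, provider), n in summarize(parse_login_failures(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {cause}  method={method} provider={provider}")
```

Running the same functions over a log captured during a direct-URL login gives a baseline to compare against the MyApps attempt.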