SAML SSO Issue with Microsoft MyApps – “Not Authorized” Error

Subject: SAML SSO Issue with Microsoft MyApps – “Not Authorized” Error
Product: SonarQube Enterprise v2025.1 (102418)
SSO Provider: Microsoft Entra ID (formerly Azure AD)
Authentication Method: SAML 2.0

Issue Description:

We have successfully configured SAML SSO for our SonarQube instance. Users are able to log in via the direct URL (https://sonarcube.domain.local) without any issues.

However, when attempting to access SonarQube using the Microsoft MyApps portal, authentication through Azure/Entra completes successfully, but users are redirected to the following SonarQube error page:

https://sonarcube.domain.local/sessions/unauthorized

The message displayed is:

“You’re not authorized to access this page. Please contact the administrator.”


Steps to Reproduce:

  1. Configure SAML SSO for SonarQube with Microsoft Entra.
  2. Add SonarQube as an enterprise app in Microsoft MyApps.
  3. Attempt login via the MyApps launcher (https://launcher.myapps.microsoft.com/api/signin/).
  4. Observe that authentication succeeds but ends in an “unauthorized” page from SonarQube.

Expected Behavior:

Users should be able to access SonarQube via the MyApps launcher just as they do using the direct link.


DEBUG LOGS

2025.04.17 00:38:22 DEBUG web[2d7a8cd3-bf2e-4e4c-8668-c3d7af6a6fe6][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

2025.04.17 00:38:29 DEBUG web[6d7889c7-6587-43cb-9306-c17f05d98a69][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

2025.04.17 00:38:36 DEBUG web[3abad1d4-6970-4727-8a5f-df359d6b5731][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Pool stats (total=10/10, idle=10/10, active=0, waiting=0)

2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Fill pool skipped, pool has sufficient level or currently being filled.

2025.04.17 00:38:46 DEBUG web[396da3af-00d8-44c1-92d8-f787ac3898f4][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

Additional Notes:

  • No authorization or role issues when accessing directly via the SonarQube URL.
  • All SAML attributes (NameID, groups, etc.) appear to be passed correctly during both flows.
  • We have tried to fill in Relay State, but it did not help. We used the following endpoints:
    https://sonarqube.domain.local
    https://sonarqube.domain.local/
    https://sonarqube.domain.local/projects
    https://sonarqube.domain.local/projects/
    https://sonarqube.domain.local/account/projects
    https://sonarqube.domain.local/account/projects/

Questions

  • Is there any way to make the MyApps link work for SonarQube?
  • Please advise if additional debug logs or configuration details are needed.

Hi,

Welcome to the community!

You’ve configured SAML not with Entra, but with MyApps?

Can you confirm that MyApps is sending the required OAUTHSTATE cookie?

Also, this may be relevant:

 
HTH,
Ann
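
An added example, not part of the original thread and not SonarQube's own code: a small Python parser for `auth.event` login-failure lines in the format shown in the post's debug log. It groups failures by provider and cause and lists the requests where the `OAUTHSTATE` cookie was reported missing. The function names are hypothetical, and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Log lines copied from the post's debug log (two failures, one unrelated line).
SAMPLE_LOG = """\
2025.04.17 00:38:22 DEBUG web[2d7a8cd3-bf2e-4e4c-8668-c3d7af6a6fe6][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
2025.04.17 00:38:29 DEBUG web[6d7889c7-6587-43cb-9306-c17f05d98a69][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]
2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Pool stats (total=10/10, idle=10/10, active=0, waiting=0)
"""

# Timestamp, level, request id, then the bracketed key|value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"web\[(?P<request_id>[^\]]*)\]\[auth\.event\] login failure (?P<fields>.*)$"
)
# Each field is [key|value]; the value may itself contain '|' (provider, IP).
FIELD_RE = re.compile(r"\[([^|\]]+)\|([^\]]*)\]")


def parse_login_failures(text):
    """Return one dict per auth.event login-failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = {"ts": match["ts"], "request_id": match["request_id"]}
        event.update(FIELD_RE.findall(match["fields"]))
        events.append(event)
    return events


def count_by_provider_and_cause(events):
    """Count failures per (provider, cause) pair to show which cause dominates."""
    return Counter((e.get("provider", ""), e.get("cause", "")) for e in events)


def missing_cookie_failures(events, cookie="OAUTHSTATE"):
    """Failures whose cause reports the named cookie as missing."""
    needle = f"Cookie '{cookie}' is missing"
    return [e for e in events if needle in e.get("cause", "")]


if __name__ == "__main__":
    failures = parse_login_failures(SAMPLE_LOG)
    for (provider, cause), n in count_by_provider_and_cause(failures).items():
        print(f"{n} x provider={provider} cause={cause}")
    for e in missing_cookie_failures(failures):
        print(e["ts"], e["request_id"], "IP field:", e.get("IP", ""))
```

Running it over the full web log while reproducing once through the direct URL and once through the MyApps launcher shows whether the missing-cookie failures appear only on the launcher path.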