SAML SSO Issue with Microsoft MyApps – “Not Authorized” Error

SonarQube Server / Community Build
, , ,
1

Subject: SAML SSO Issue with Microsoft MyApps – “Not Authorized” Error
Product: SonarQube Enterprise v2025.1 (102418)
SSO Provider: Microsoft Entra ID (formerly Azure AD)
Authentication Method: SAML 2.0

Issue Description:

We have successfully configured SAML SSO for our SonarQube instance. Users are able to log in via the direct URL (https://sonarcube.domain.local) without any issues.

However, when attempting to access SonarQube using the Microsoft MyApps portal, authentication through Azure/Entra completes successfully, but users are redirected to the following SonarQube error page:

https://sonarcube.domain.local/sessions/unauthorized

The message displayed is:

“You’re not authorized to access this page. Please contact the administrator.”

image
image583×190 5.67 KB

Steps to Reproduce:

  1. Configure SAML SSO for SonarQube with Microsoft Entra.
  2. Add SonarQube as an enterprise app in Microsoft MyApps.
  3. Attempt login via the MyApps launcher (https://launcher.myapps.microsoft.com/api/signin/).

image

  1. Observe that authentication succeeds but ends in an “unauthorized” page from SonarQube.

Expected Behavior:

Users should be able to access SonarQube via the MyApps launcher just as they do using the direct link.

DEBUG LOGS

2025.04.17 00:38:22 DEBUG web[2d7a8cd3-bf2e-4e4c-8668-c3d7af6a6fe6][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

2025.04.17 00:38:29 DEBUG web[6d7889c7-6587-43cb-9306-c17f05d98a69][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

2025.04.17 00:38:36 DEBUG web[3abad1d4-6970-4727-8a5f-df359d6b5731][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Pool stats (total=10/10, idle=10/10, active=0, waiting=0)

2025.04.17 00:38:44 DEBUG web[][c.z.h.p.HikariPool] HikariPool-1 - Fill pool skipped, pool has sufficient level or currently being filled.

2025.04.17 00:38:46 DEBUG web[396da3af-00d8-44c1-92d8-f787ac3898f4][auth.event] login failure [cause|Cookie 'OAUTHSTATE' is missing][method|OAUTH2][provider|EXTERNAL|SAML][IP|100.126.123.0|172.21.252.50][login|]

Additional Notes:

  • No authorization or role issues when accessing directly via the SonarQube URL.
  • All SAML attributes (NameID, groups, etc.) appear to be passed correctly during both flows.
  • We have tried to fill in Relay State, but it did not help. We used the following endpoints:
    https://sonarqube.domain.local
    https://sonarqube.domain.local/
    https://sonarqube.domain.local/projects
    https://sonarqube.domain.local/projects/
    https://sonarqube.domain.local/account/projects
    https://sonarqube.domain.local/account/projects/

Questions

  • Is there any way to make MyApps link working for SonarQube?
  • Please advise if additional debug logs or configuration details are needed.
1 Like
3

Hi,

Welcome to the community!

You’ve configured SAML not with Entra, but with MyApps?

Can you confirm that MyApps is sending the required OAUTHSTATE cookie?

Also, this may be relevant:

 
HTH,
Ann