gtonti
(Gianluca Tonti)
November 5, 2021, 11:22am
Hi
I am using SonarQube 8.9 LTS
I am using a Windows Server 2019
I added a reverse proxy on IIS to use SSL
I want to log in using SAML ADFS
I get an error that has been explained in this post (Receive "not authorized" oauth2/callback/saml response error after upgrade to SonarQube 8.4).
I am not able to understand how to configure IIS to achieve the solution.
Looks to me I have to define and use some server variables in the IIS ARR module.
Can someone help me?
Kind Regards
Gianluca
kirkpabk
(Brian Kirkpatrick)
November 23, 2021, 4:16pm
Digging into some of the responses here and through Microsoft will help. But the details you need are here (that are VERY hard to find):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <!-- Force every plain-HTTP request onto HTTPS before anything else runs -->
        <rule name="http to https" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://sonarqube.yourdomain.com/{R:1}" appendQueryString="false" />
        </rule>
        <!-- Requests that arrive under a short host name are redirected to the FQDN,
             so the host SonarQube sees always matches the SAML callback URL -->
        <rule name="Redirect Shortname to FQDN" stopProcessing="true">
          <match url="^(.*)$" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTP_HOST}" pattern="^.*\.yourdomain\.com$" negate="true" />
          </conditions>
          <action type="Redirect" url="https://sonarqube.yourdomain.com/{R:1}" />
        </rule>
        <!-- The actual proxy rule. The server variables below must be allow-listed
             at the server level (URL Rewrite > View Server Variables) or IIS
             silently refuses to set them -->
        <rule name="ReverseProxyToSonarQube9000" stopProcessing="false">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <serverVariables>
            <set name="ORIGINAL_URL" value="{HTTP_HOST}" />
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
            <set name="OAUTHSTATE" value="{OAUTHSTATE}" />
          </serverVariables>
          <action type="Rewrite" url="http://sonarqube.yourdomain.com:9000/{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
        <requestLimits maxQueryString="8024" />
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="Server" />
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="sameorigin" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="strict-origin" />
        <!-- HSTS requires the max-age= directive; the value as originally posted
             ("15552001;includeSubDomains;preload;redirectHttpToHttps=true") is not
             a valid header and browsers ignore it -->
        <add name="Strict-Transport-Security" value="max-age=15552001; includeSubDomains; preload" />
        <add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.web>
    <deployment retail="true" />
    <trace enabled="false" />
    <compilation debug="false" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
The variables ORIGINAL_URL, HTTP_X_FORWARDED_PROTO and OAUTHSTATE will need to be made known to IIS under the root IIS host URL Rewrite > View Server Variables section. The web.config above supports rewrite rules for a specific subsite. There are also some good security best practices added. Simply change "yourdomain.com" to match your FQDN.
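The "View Server Variables" step from the answer above can be scripted and verified instead of done by hand in IIS Manager. This is an added example, not part of the thread or of SonarQube's own documentation; it assumes the IIS WebAdministration PowerShell module (installed with IIS) and that the script runs elevated on the IIS host.

```powershell
# Added example: allow-list the server variables that the web.config rewrite
# rule sets. URL Rewrite only honours <set name="..."> for variables listed in
# system.webServer/rewrite/allowedServerVariables at the server (APPHOST) level;
# otherwise the X-Forwarded-Proto hint never reaches SonarQube and the SAML
# callback is built with http:// instead of https://.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/rewrite/allowedServerVariables'
$wanted  = @('ORIGINAL_URL', 'HTTP_X_FORWARDED_PROTO', 'OAUTHSTATE')

# Read what is already on the allow-list so the script is safe to re-run.
$existing = @(Get-WebConfiguration -PSPath $appHost -Filter "$filter/add" |
              ForEach-Object { $_.name })

foreach ($name in $wanted) {
    if ($existing -contains $name) {
        Write-Host "already allowed: $name"
        continue
    }
    Add-WebConfigurationProperty -PSPath $appHost -Filter $filter `
        -Name '.' -Value @{ name = $name }
    Write-Host "allowed: $name"
}

# Verification: every variable the proxy rule sets must now appear here.
$final = @(Get-WebConfiguration -PSPath $appHost -Filter "$filter/add" |
           ForEach-Object { $_.name })
$missing = $wanted | Where-Object { $final -notcontains $_ }
if ($missing) {
    Write-Error "still not allow-listed: $($missing -join ', ')"
} else {
    Write-Host 'all rewrite server variables are allow-listed'
}
```

After running it, a request through the proxy should reach SonarQube with `X-Forwarded-Proto: https`; if the SAML "not authorized" error persists, check that the site-level web.config rule names exactly these variables and that the site was restarted.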
gtonti
(Gianluca Tonti)
November 24, 2021, 4:24pm
Hi Brian,
thank you very much. It's been very useful.
I've been able to solve it. Now I have SAML working on HTTPS (IIS reverse proxy).
Kind Regards
kirkpabk
(Brian Kirkpatrick)
December 8, 2021, 2:02pm
You are certainly welcome.