SAML with https error

Hi
I am using SonarQube 8.9 LTS
I am using a Windows Server 2019
I added a reverse proxy on IIS to use SSL
I want to login using SAML ADFS
I get an error that has been explained in this post (Receive "not authorized" oauth2/callback/saml response error after upgrade to SonarQube 8.4).

I am not able to understand how to configure IIS to achieve the solution.
Looks to me I have to define and use some server variables in the IIS ARR module.

Can someone help me?

Kind Regards
Gianluca

Digging into some of the responses here and through Microsoft will help. But the details you need are here (that are VERY hard to find):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <!-- Force every plain-HTTP request onto HTTPS -->
                <rule name="http to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://sonarqube.yourdomain.com/{R:1}" appendQueryString="false" />
                </rule>
                <!-- Send requests for a short host name to the FQDN the SAML metadata was issued for -->
                <rule name="Redirect Shortname to FQDN" stopProcessing="true">
                    <match url="^(.*)$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{HTTP_HOST}" pattern="^.*\.yourdomain\.com$" negate="true" />
                    </conditions>
                    <action type="Redirect" url="https://sonarqube.yourdomain.com/{R:1}" />
                </rule>
                <!-- Proxy to SonarQube; the server variables tell it the original host and scheme -->
                <rule name="ReverseProxyToSonarQube9000" stopProcessing="false">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
                    <serverVariables>
                        <set name="ORIGINAL_URL" value="{HTTP_HOST}" />
                        <set name="HTTP_X_FORWARDED_PROTO" value="https" />
                        <set name="OAUTHSTATE" value="{OAUTHSTATE}" />
                    </serverVariables>
                    <action type="Rewrite" url="http://sonarqube.yourdomain.com:9000/{R:1}" logRewrittenUrl="true" />
                </rule>
            </rules>
        </rewrite>
        <security>
            <requestFiltering>
                <denyUrlSequences>
                    <add sequence=".." />
                    <add sequence=":" />
                </denyUrlSequences>
                <requestLimits maxQueryString="8024" />
            </requestFiltering>
        </security>
        <httpProtocol>
            <customHeaders>
                <remove name="Server" />
                <remove name="X-Powered-By" />
                <add name="X-Frame-Options" value="sameorigin" />
                <add name="X-XSS-Protection" value="1; mode=block" />
                <add name="X-Content-Type-Options" value="nosniff" />
                <add name="Referrer-Policy" value="strict-origin" />
                <!-- HSTS requires the max-age= directive; browsers ignore the header without it -->
                <add name="Strict-Transport-Security" value="max-age=15552001; includeSubDomains; preload" />
                <add name="Content-Security-Policy" value="frame-ancestors 'self' *.yourdomain.com;" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    <system.web>
        <deployment retail="true" />
        <trace enabled="false" />
        <compilation debug="false" />
        <httpRuntime enableVersionHeader="false" />
    </system.web>
</configuration>

The variables ORIGINAL_URL, HTTP_X_FORWARDED_PROTO and OAUTHSTATE will need to be made known to IIS under the root IIS host's URL Rewrite > View Server Variables section. The web.config above supports rewrite rules for a specific subsite. There are also some good security best practices added. Simply change “yourdomain.com” to match your FQDN.

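As an added example (not from this thread, and not SonarQube's or Microsoft's code), here is a small Python check that parses a web.config of the shape posted above and reports the misconfigurations that produce this symptom class: a rewrite rule that sets a server variable which has not been registered under URL Rewrite > View Server Variables (IIS then fails the request with a 500), a proxy rule that does not pass HTTP_X_FORWARDED_PROTO=https (SonarQube then builds an http:// SAML callback URL that does not match the response), and a Strict-Transport-Security header without a max-age directive. The embedded config, the allowed-variable set and the host sonarqube.example.invalid are constructed for the example; the allowed list lives in applicationHost.config, so the caller supplies it.

```python
"""Lint an IIS web.config used as a reverse proxy in front of SonarQube."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modeled on the web.config in the post above. It passes the
# forwarding variables correctly, but its HSTS header has no "max-age=" and
# carries a directive browsers do not recognise.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxyToSonarQube9000" stopProcessing="false">
          <match url="(.*)" />
          <serverVariables>
            <set name="ORIGINAL_URL" value="{HTTP_HOST}" />
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
            <set name="OAUTHSTATE" value="{OAUTHSTATE}" />
          </serverVariables>
          <action type="Rewrite" url="http://sonarqube.example.invalid:9000/{R:1}" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security"
             value="15552001;includeSubDomains;preload;redirectHttpToHttps=true" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Constructed: variables registered under URL Rewrite > View Server Variables.
# OAUTHSTATE is deliberately missing so the lint has something to report.
ALLOWED_SERVER_VARIABLES = {"ORIGINAL_URL", "HTTP_X_FORWARDED_PROTO"}

HSTS_KNOWN_DIRECTIVES = {"max-age", "includesubdomains", "preload"}


def hsts_findings(value):
    """Check one Strict-Transport-Security value; return a list of problems."""
    findings = []
    directives = [d.strip() for d in value.split(";") if d.strip()]
    if not any(re.fullmatch(r"max-age\s*=\s*\d+", d.lower()) for d in directives):
        findings.append("Strict-Transport-Security has no max-age=<seconds> directive; "
                        "browsers ignore the header without it")
    for directive in directives:
        name = directive.split("=", 1)[0].strip().lower()
        if name not in HSTS_KNOWN_DIRECTIVES:
            findings.append(f"Strict-Transport-Security carries unrecognised directive '{name}'")
    return findings


def lint_web_config(xml_text, allowed_vars):
    """Return a list of findings for the config; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Every <set> inside a rewrite rule must name a registered server variable.
    proxy_rules = []
    for rule in root.iter("rule"):
        action = rule.find("action")
        if action is not None and action.get("type") == "Rewrite":
            proxy_rules.append(rule)
        for setting in rule.iter("set"):
            if setting.get("name") not in allowed_vars:
                findings.append(f"rule '{rule.get('name')}' sets server variable "
                                f"{setting.get('name')} that is not in allowedServerVariables")

    # 2. The rule that forwards to the backend must pass the original scheme.
    if not proxy_rules:
        findings.append("no Rewrite rule forwards requests to a backend")
    for rule in proxy_rules:
        sets = {s.get("name"): s.get("value") for s in rule.iter("set")}
        if sets.get("HTTP_X_FORWARDED_PROTO") != "https":
            findings.append(f"rule '{rule.get('name')}' does not set HTTP_X_FORWARDED_PROTO=https")

    # 3. HSTS header must exist and be well-formed.
    headers = root.find("system.webServer/httpProtocol/customHeaders")
    hsts = [h for h in (headers.findall("add") if headers is not None else [])
            if h.get("name", "").lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header configured")
    for header in hsts:
        findings.extend(hsts_findings(header.get("value", "")))
    return findings


if __name__ == "__main__":
    for finding in lint_web_config(SAMPLE_WEB_CONFIG, ALLOWED_SERVER_VARIABLES):
        print("FINDING:", finding)
```

Run it against your real web.config by reading the file into `lint_web_config` and passing the names you actually registered in View Server Variables; an empty result means the forwarding variables and HSTS header are in the shape the post above relies on.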

Hi Brian,

thank you very much. It’s been very useful.
I’ve been able to solve it. Now I have SAML working on HTTPS (IIS reverse proxy).

Kind Regards


You are certainly welcome.