Setting up SAML auth with Azure idp

(Aram Mirzadeh) #1

Current Configuration:

  • SonarQube version - 7. (Centos 7)
  • SAML 2.0 Plugin version - 1.1.0 (build 181)
  • Administration > Security > Force user authentication = Enabled

Goal:

We would like to make SAML 2.0 SSO the primary method of logging in users.

Issue:

We have configured the IdP and the plugin information. Upon visiting https://sonar.mycompany.com, it forwards you to the Azure login page; after auth, it redirects you back to the Sonar URL, which throws an error:

2019.05.13 14:05:33 WARN  web[AWqxdFBg8jorj0QsAABt][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'saml'
java.lang.IllegalStateException: Fail to create Auth
        at org.sonarsource.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:131)
        at org.sonarsource.auth.saml.SamlIdentityProvider.init(SamlIdentityProvider.java:97)
        at org.sonar.server.authentication.InitFilter.handleOAuth2IdentityProvider(InitFilter.java:114)
        at org.sonar.server.authentication.InitFilter.handleProvider(InitFilter.java:83)
        at org.sonar.server.authentication.InitFilter.doFilter(InitFilter.java:73)
        at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:126)
        at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:95)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:87)
        at org.sonar.server.user.UserSessionFilter.doFilter(UserSessionFilter.java:71)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
        at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:61)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.sonar.server.platform.web.requestid.RequestIdFilter.doFilter(RequestIdFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.onelogin.saml2.exception.SettingsException: Invalid settings: idp_sso_url_invalid
        at com.onelogin.saml2.Auth.<init>(Auth.java:224)
        at org.sonarsource.auth.saml.SamlIdentityProvider.newAuth(SamlIdentityProvider.java:129)
        ... 48 common frames omitted

(Julien Lancelot) #4

It seems that the value of sonar.auth.saml.certificate.secured is incorrect; could you check its value?

(Aram Mirzadeh) #5

Yes, that was the issue: the URL for the value was http and not https.

(Julien Lancelot) #6

Great, thanks for the confirmation and explaining the exact issue.
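
A pre-flight check for the misconfiguration resolved in this thread (a URL-valued SAML setting entered as http instead of https), as an added example that is not part of the original posts or the plugin's own validation code. The required key sonar.auth.saml.loginUrl and all sample values are assumptions, not taken from the thread; the check flags any sonar.auth.saml.* value that looks like a URL but is not an absolute https URL.

```python
from urllib.parse import urlsplit

# Constructed sample (not from the thread); host and tenant path are placeholders.
SAMPLE = """\
# SAML plugin settings
sonar.auth.saml.enabled=true
sonar.auth.saml.loginUrl=http://login.example.invalid/TENANT-PLACEHOLDER/saml2
sonar.auth.saml.user.login=login
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_url(value):
    """Return a reason string if value is not an absolute https URL, else None."""
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError:
        return "not parseable as a URL"
    if not parts.scheme or not host:
        return "not an absolute URL"
    if parts.scheme != "https":
        return f"scheme is '{parts.scheme}', expected 'https'"
    return None

def audit(props, required=("sonar.auth.saml.loginUrl",)):
    """List (key, reason) findings; 'required' is an assumed set of URL keys."""
    findings = [(k, "missing or empty") for k in required if not props.get(k)]
    for key, value in sorted(props.items()):
        if not key.startswith("sonar.auth.saml.") or not value:
            continue
        if key in required or "://" in value:
            reason = check_url(value)
            if reason:
                findings.append((key, reason))
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_properties(SAMPLE)):
        print(f"{key}: {reason}")
```

Running it against the settings before restarting SonarQube surfaces the bad value by key name instead of as a stack trace at first login.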