Single Sign-On (SSO) not going to Microsoft?

I’m using SonarQube version 8.9.0.43852 and am trying to get SSO with Azure to work.

I’ve tried following the guide at Tutorial: Azure AD SSO integration with Sonarqube | Microsoft Docs and have double-checked that every setting is correct, which I’m fairly confident I have done. My setup basically looks the same as the screenshots.

What happens is that the “Log in with SAML” button appears, but when I click it, it points back to https://sqserver.mycompany.com/sessions/init/saml?return_to=%2F4461b933-abfd-3318-b363-654362fdf1a2%2Fsaml2%3FSAMLRequest%3DfZLLbts… and then nothing happens. The browser just redirects straight back to the same login screen with the “Log in with SAML” button.

I’ve also tried installing the plugin Azure Active Directory (AAD) Authentication Plug-in for SonarQube version 1.2.0, which adds the “Log in with Microsoft” button, but after configuring it using the following guide: SonarQube Integration with Azure Active Directory, the exact same behavior happens, only this time the link is ‘slightly’ different, with ‘saml’ replaced by ‘aad’:
https://sqserver.mycompany.com/sessions/init/aad?return_to=%2F4461b933-abfd-3318-b363-654362fdf1a2%2Fsaml2%3FSAMLRequest%3DfZLLbts

I also have HTTPS set up using IIS as a reverse proxy and a certificate which appears to work ok.

After using an intercepting proxy to help troubleshoot, I’m not seeing any request go off to Microsoft at any point and no errors in the browser.

Is this normal behavior and have I understood this setup correctly? If so, why might my SSO not be working?

Hey there.

I’m going to stick to discussing SAML since it is supported officially. 🙂

How have you configured your SAML login url? With a Microsoft URL or a SonarQube URL?

You may also be able to get more information by bumping up your log level (Global Administration > System) and checking your web.log file when you try to initiate the SAML request. It will give you a better idea of what is happening when you click that button.

Thanks for your response Colin,

The SAML login URL is: https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2 (I’ve modified variables such as the GUID to random for posting this)

DEBUG logs are below:

2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQp][c.o.saml2.Auth] Settings validated
2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQp][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_3dbca04e-9946-4f1e-8ea2-638a1b34472e" Version="2.0" IssueInstant="2022-01-24T00:09:58Z" Destination="https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml"><saml:Issuer>sonarqube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQp][c.o.saml2.Auth] AuthNRequest sent to https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2 --> …
2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQq][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:09:59 DEBUG web[AX5w7EcvEBz8swB9AAQr][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:09:59 DEBUG web[AX5w7EcvEBz8swB9AAQt][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:09:59 DEBUG web[AX5w7EcvEBz8swB9AAQv][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQz][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQ0][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQ2][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQ4][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ7][c.o.saml2.Auth] Settings validated
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ7][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_c4b84dc6-372d-4438-9c37-2441df639454" Version="2.0" IssueInstant="2022-01-24T00:10:03Z" Destination="https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml"><saml:Issuer>sonarqube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ7][c.o.saml2.Auth] AuthNRequest sent to https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2 --> …
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ8][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ+][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ/][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AARB][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARF][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARH][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARI][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARK][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:10 DEBUG web[AX5w7EcvEBz8swB9AARN][auth.event] login success [method|FORM][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|admin]

So I’ve made some good progress, figuring out that I needed to make 2 changes to at least get the redirect to microsoftonline.com working properly.

1 - In IIS settings, under Application Request Routing > Proxy settings, I needed to uncheck the box “Reverse rewrite in response headers”
2 - In SonarQube, I needed to go to Admin > Configuration > General and then scroll down to the “Server base URL” setting and set it to https://mydomain.com

The SSO flow now looks like it’s working up until one point, where I get the error:
You’re not authorized to access this page. Please contact the administrator.

Reason: The response was received at http://localhost:9000/oauth2/callback/saml instead of https://mydomain.com/oauth2/callback/saml

I’ve also upgraded to SonarQube Developer version 9.4. I’ve googled for other fixes for this error, but none of the suggestions have resolved it. Obtaining TRACE web logs only reveals the same error, with no further details beyond the error above.


Hey there.

You might find this guide helpful:


Colin is the MVP here. Thank you so much, Colin!

So in summary, I needed to perform 5 actions as follows:
1 - In IIS settings, under Application Request Routing > Proxy settings, uncheck the box “Reverse rewrite in response headers”
2 - In IIS settings, under URL Rewrite > View Server Variables, add HTTP_X_FORWARDED_PROTO as an allowed server variable.
3 - In IIS settings, under URL Rewrite > Edit inbound rule, add HTTP_X_FORWARDED_PROTO for https (I did this in addition to X_FORWARDED_PROTO).
4 - In SonarQube, I needed to go to Admin > Configuration > General and then scroll down to the “Server base URL” setting and set it to https://mydomain.com
5 - On the SonarQube server’s command prompt, run the command ‘%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost’

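The root cause visible in the DEBUG log above is that the AuthnRequest advertised AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml", so Azure AD posted the response to a URL SonarQube later rejected. The following is an added example, not code from the thread or from SonarQube: it decodes the SAMLRequest parameter from the /sessions/init/saml redirect (HTTP-Redirect binding: raw DEFLATE, then base64) and checks the advertised callback against the public base URL, which is a quick way to verify that the five IIS and “Server base URL” steps above actually took effect. The sample AuthnRequest, tenant ID and domain are constructed placeholders.

```python
# Added example (not the thread's or SonarQube's code): inspect the SAMLRequest
# from the /sessions/init/saml redirect for a localhost or http callback URL.
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, quote

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
CALLBACK_PATH = "/oauth2/callback/saml"  # SonarQube's SAML ACS path, as seen in the logs
# Constructed sample modelled on the AuthnRequest in the DEBUG log; IDs are placeholders.
SAMPLE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_placeholder" '
    'Version="2.0" IssueInstant="2022-01-24T00:09:58Z" '
    'Destination="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml">'
    '<saml:Issuer>sonarqube</saml:Issuer></samlp:AuthnRequest>'
)

def decode_saml_request(param: str) -> str:
    """HTTP-Redirect binding: base64 over a raw DEFLATE stream (no zlib header)."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")

def encode_saml_request(xml_text: str) -> str:
    """Inverse of decode_saml_request; used here to build a redirect URL to check."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def build_redirect_url(xml_text: str) -> str:
    """Assemble Destination?SAMLRequest=... the way the SP's redirect does."""
    dest = ET.fromstring(xml_text).get("Destination")
    return f"{dest}?SAMLRequest={quote(encode_saml_request(xml_text), safe='')}"

def check_authn_request(xml_text: str, public_base_url: str) -> dict:
    """Compare the advertised ACS URL with the one derived from the public base URL;
    a mismatch is what yields 'The response was received at ... instead of ...'."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL", "")
    expected = public_base_url.rstrip("/") + CALLBACK_PATH
    return {"destination": root.get("Destination"), "acs_url": acs,
            "expected_acs_url": expected, "acs_ok": acs == expected,
            "acs_https": acs.startswith("https://")}

def check_redirect_url(redirect_url: str, public_base_url: str) -> dict:
    """Pull SAMLRequest out of a captured IdP redirect and run the check on it."""
    params = parse_qs(urlparse(redirect_url).query)
    return check_authn_request(decode_saml_request(params["SAMLRequest"][0]), public_base_url)
```

Paste the Location header your intercepting proxy captured into check_redirect_url together with the Server base URL; acs_ok should be True and acs_https should be True once the proxy forwards X-Forwarded-Proto and preserves the host header.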
