Single Sign-On (SSO) not going to Microsoft?

I’m using SonarQube version 8.9.0.43852 and am trying to to get SSO with Azure to work.

I’ve tried following the guide at Tutorial: Azure AD SSO integration with Sonarqube | Microsoft Docs and have double-checked that every setting is correct for which I’m fairly confident that I have done. My setup basically looks the same as the screenshots.

What happens is that the “Log in with SAML” button appears, but when I click it, it points back to https://sqserver.mycompany.com/sessions/init/saml?return_to=%2F4461b933-abfd-3318-b363-654362fdf1a2%2Fsaml2%3FSAMLRequest%3DfZLLbts… and then nothing happens. The browser just redirects straight back to the same login screen with the “Log in with SAML” button.

I’ve also tried installing the plugin Azure Active Directory (AAD) Authentication Plug-in for SonarQube version 1.2.0, which adds the “Log in with Microsoft” button, but after configuring it using the following guide: SonarQube Integration with Azure Active Directory, the exact same behavior happens, only this time the link is ‘slightly’ different where ‘saml’ is replaced by ‘aad’:
https://sqserver.mycompany.com/sessions/init/aad?return_to=%2F4461b933-abfd-3318-b363-654362fdf1a2%2Fsaml2%3FSAMLRequest%3DfZLLbts

I also have HTTPS set up using IIS as a reverse proxy and a certificate which appears to work ok.

After using an intercepting proxy to help troubleshoot, I’m not seeing any request go off to Microsoft at any point and no errors in the browser.

Is this normal behavior and have I understood this setup correctly? If so, why might my SSO not be working?

Hey there.

I’m going to stick to discussing SAML since it is supported officially. :slight_smile:

How have you configured your SAML login url? With a Microsoft URL or a SonarQube URL?

You may also be able to get more information by bumping up your log level (Global Administration > System) and checking your web.log file when you try and initiate the SAML request. It will give you a better idea of what is happening when you click that button.

Thanks for your response Colin,

The SAML login URL is: https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2 (I’ve modified variables such as the GUID to random for posting this)

DEBUG logs are below:

2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQp][c.o.saml2.Auth] Settings validated
2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQp][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_3dbca04e-9946-4f1e-8ea2-638a1b34472e" Version="2.0" IssueInstant="2022-01-24T00:09:58Z" Destination="https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml"><saml:Issuer>sonarqube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQp][c.o.saml2.Auth] AuthNRequest sent to https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2 --> aVJNbxoxFPwrK9/Nej/LWoBEQ9oiUUCB9tBL9da8DVa8NvHzts2/j7OkUnpoTpbGb8Yzbzwj6M1FLodwtnf4OCCF5E9vLMnxYs4Gb6UD0iQt9EgyKHlYft3IfCLkxbvglDPsDeV9BhChD9pZlqxXc7bb3m52n9fbn8WpVSBK5E1T1rzsMuRThJzXxRSytijLDzmy5Dt6itw5i1JRgGjAtaUANkRI5DkXGc/LoxBSNLKa/mDJKubRFsLIOodwIZmmxt1rO+m18o5cF5w12uJEuT6tm6qBohIcuk7xchr12qoueF01RS067DKVpS8pc5bsX8N/1Pak7f37udvrEMkvx+Oe73eHI0uWf3dx4ywNPfoD+l9a4be7zdXraFWBOTsKshFCpA5iT3kaMdOCehitsMXs5ZDjOvyCnAX/OLQ4S9/Cs2vP2+hsvdo7o9VT8sn5HsL/jWeTbET0iXfjqBwsXVDpTuMp+jfG/b7xCAHnLPghFpQurq/++6EWzq==
2022.01.24 11:09:58 DEBUG web[AX5w7EcvEBz8swB9AAQq][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:09:59 DEBUG web[AX5w7EcvEBz8swB9AAQr][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:09:59 DEBUG web[AX5w7EcvEBz8swB9AAQt][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:09:59 DEBUG web[AX5w7EcvEBz8swB9AAQv][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQz][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQ0][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQ2][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:02 DEBUG web[AX5w7EcvEBz8swB9AAQ4][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ7][c.o.saml2.Auth] Settings validated
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ7][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_c4b84dc6-372d-4438-9c37-2441df639454" Version="2.0" IssueInstant="2022-01-24T00:10:03Z" Destination="https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:9000/oauth2/callback/saml"><saml:Issuer>sonarqube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ7][c.o.saml2.Auth] AuthNRequest sent to https://login.microsoftonline.com/2829c930-bdfc-4911-b583-522370fff1a2/saml2 --> fZJPb+MgEMW/isWdGNvYjVESKdvsn0jZJGqye9jLCuNxgxZDyuBt++1LnVZqD+0J6TFv+L0ZZih7cxbLIZzsDdwNgCF56I1FMV7MyeCtcBI1Cit7QBGUOCx/bkQ+YeLsXXDKGfLG8rlDIoIP2lmSrFdzstt+3ey+r7d/FW+mvFUVLa7ylnJeTGmtiiuac561XVXUvOQk+Q0eo3dOYqvYAHGAtcUgbYgSy3PKsug4MiYyJljxhySrmEdbGUbXKYQzijQ17lbbSa+Vd+i64KqRFibK9WlVl7UsSkZl1ynKp7FfU1YFrcq6qFgHXaay9DllTpL9S/gv2rba3n6eu7kUofhxPO7pfnc4kmT5OotrZ3HowR/A/9cKft1sLqwjqpLm5DCImjGWOhn3lKdRM41U/0YUspg9H2Ich1+gs9LfDQ3M0rfy7LLnbSRbd/bOaPWYfHO+l+Fj8GySjYpuaTeWisHiGZTaNLSR3xh3f+1BBpiT4AcgSbq4vPr+Qy2eAA==
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ8][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ+][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AAQ/][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:03 DEBUG web[AX5w7EcvEBz8swB9AARB][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARF][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARH][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARI][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:04 DEBUG web[AX5w7EcvEBz8swB9AARK][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|]
2022.01.24 11:10:10 DEBUG web[AX5w7EcvEBz8swB9AARN][auth.event] login success [method|FORM][provider|LOCAL|local][IP|fe80:0:0:0:1528:469:d6ce:998a%4|[2405:b000:600:b0::54a6]:52036][login|admin]
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.i.n.c.MainClientExec] [exchange: 125] start execution
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.c.p.RequestAddCookies] CookieSpec selected: default
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.c.p.RequestAuthCache] Re-using cached 'basic' auth scheme for http://127.0.0.1:9001
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.c.p.RequestAuthCache] No credentials for preemptive authentication
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 125] Request connection for {}->http://127.0.0.1:9001
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection request: [route: {}->http://127.0.0.1:9001][total kept alive: 1; route allocated: 1 of 10; total allocated: 1 of 30]
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection leased: [id: http-outgoing-0][route: {}->http://127.0.0.1:9001][total kept alive: 0; route allocated: 1 of 10; total allocated: 1 of 30]
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARY][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 125] Connection allocated: CPoolProxy{http-outgoing-0 [ACTIVE]}
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] Attempt 1 to execute request
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] Target auth state: UNCHALLENGED
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] Proxy auth state: UNCHALLENGED
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> POST /projectmeasures/auth/_search?typed_keys=true&max_concurrent_shard_requests=5&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&search_type=query_then_fetch&batched_reduce_size=512&ccs_minimize_roundtrips=true HTTP/1.1
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Content-Length: 846
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Content-Type: application/json
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Host: 127.0.0.1:9001
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Connection: Keep-Alive
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> User-Agent: elasticsearch-java/7.12.1-SNAPSHOT (Java/11.0.13)
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> X-Elastic-Client-Meta: es=7.12.1-SNAPSHOT,jv=11,t=7.12.1-SNAPSHOT,hc=4.1.4,kt=1.4
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] produce content
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] Request completed
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 << HTTP/1.1 200 OK
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 << content-type: application/json; charset=UTF-8
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 << content-length: 160
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] Response received HTTP/1.1 200 OK
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] Consume content
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 125] Connection can be kept alive indefinitely
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 125] Response processed
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 125] releasing connection
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Releasing connection: [id: http-outgoing-0][route: {}->http://127.0.0.1:9001][total kept alive: 0; route allocated: 1 of 10; total allocated: 1 of 30]
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection [id: http-outgoing-0][route: {}->http://127.0.0.1:9001] can be kept alive indefinitely
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection released: [id: http-outgoing-0][route: {}->http://127.0.0.1:9001][total kept alive: 1; route allocated: 1 of 10; total allocated: 1 of 30]
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.i.n.c.MainClientExec] [exchange: 126] start execution
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.c.p.RequestAddCookies] CookieSpec selected: default
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.c.p.RequestAuthCache] Re-using cached 'basic' auth scheme for http://127.0.0.1:9001
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.c.p.RequestAuthCache] No credentials for preemptive authentication
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 126] Request connection for {}->http://127.0.0.1:9001
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection request: [route: {}->http://127.0.0.1:9001][total kept alive: 1; route allocated: 1 of 10; total allocated: 1 of 30]
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection leased: [id: http-outgoing-0][route: {}->http://127.0.0.1:9001][total kept alive: 0; route allocated: 1 of 10; total allocated: 1 of 30]
2022.01.24 11:10:15 DEBUG web[AX5w7EcvEBz8swB9AARc][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 126] Connection allocated: CPoolProxy{http-outgoing-0 [ACTIVE]}
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 126] Attempt 1 to execute request
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 126] Target auth state: UNCHALLENGED
2022.01.24 11:10:15 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 126] Proxy auth state: UNCHALLENGED
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> POST /projectmeasures/auth/_search?typed_keys=true&max_concurrent_shard_requests=5&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&search_type=query_then_fetch&batched_reduce_size=512&ccs_minimize_roundtrips=true HTTP/1.1
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Content-Length: 7196
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Content-Type: application/json
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Host: 127.0.0.1:9001
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> Connection: Keep-Alive
2022.01.24 11:10:15 DEBUG web[][o.a.http.headers] http-outgoing-0 >> User-Agent: elasticsearch-java/7.12.1-SNAPSHOT (Java/11.0.13)

So I made some good progress, figuring out that I needed to make 2 changes to at least get the redirect to microsoftonline.com working properly.

1 - In IIS settings, under Application Request Routing > Proxy settings, I needed to uncheck the box “Reverse rewrite in response headers”
2 - In Sonarqube, I needed to go to Admin > Configuration > General and then scroll down to the “Server base URL” setting and set it to https://mydomain.com

The SSO steps looks like it’s working up until one point now where I get the error:
You’re not authorized to access this page. Please contact the administrator.

Reason: The response was received at http://localhost:9000/oauth2/callback/saml instead of https://mydomain.com/oauth2/callback/saml

I’ve also upgraded to Sonarqube Developer version 9.4. I’ve googled for other fixes for this error but none of their suggestions have resolved this error. Obtaining TRACE web logs only reveals the same error with no further details to the error above.

Hey there.

You might find this guide helpful:

1 Like

Colin is the MVP here, thankyou so much Colin!

So in summary, I needed to perform 5 actions as follows:
1 - In IIS settings, under Application Request Routing > Proxy settings, uncheck the box “Reverse rewrite in response headers”
2 - In IIS settings, under URL Rewrite > View Server Variables, add HTTP_X_FORWARDED_PROTO as an allowed server variable.
3 - In IIS settings, under URL Rewrite > Edit inbound rule, add HTTP_X_FORWARDED_PROTO for https (I did this in addition to X_FORWARDED_PROTO).
4 - In Sonarqube, I needed to go to Admin > Configuration > General and then scroll down to the “Server base URL” setting and set it to https://mydomain.com
5 - On the sonarqube server’s cmd prompt, run the command ‘%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost’

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.