[SOLVED] IIS reverse proxy seems to be breaking my SonarQube SAML auth, any ideas?

windows
proxy
saml

(jjs) #1

Hi,

I just installed the newly released SonarQube 7.6 and I’m running it on Windows. I have IIS configured as a reverse proxy in front of it handling the SSL.

The proxy seems to break my SAML setup attempts! The URL that SonarQube should send me to gets rewritten to my own server name (should be adfs.corp.com, not sonarqube.corp.com).

Any ideas?

Has anyone successfully set up SAML 2.0 auth to Microsoft ADFS using IIS as a reverse proxy with SSL off-loading?

UPDATE:
We chose to dump the IIS reverse proxy config as it was breaking SAML requests from SonarQube’s SAML auth module. F5 BIG-IP was selected in our case. Google “iis reverse proxy breaks saml” for a possible solution if you need IIS.

UPDATE2: Here is one fix I tried, others have reported seeing this working: https://forums.iis.net/t/1233866.aspx
Basically you need to skip the rewrite if a user is being redirected.


(Julien Lancelot) #3

Hi,

It’s not clear to me what is not working: you’re not redirected to your SonarQube instance after being authenticated on SAML?

Regards,
Julien Lancelot


(jjs) #4

IIS is rewriting my SAML request that is supposed to contain the URL https://adfs.corp.com/adfs/realm/sonarqube. The browser should be redirected to that location and the login page displayed.

Instead the browser is directed to https://sonarqube.corp.com/adfs/realm/sonarqube which of course does not exist, it should be going to the adfs.corp.com server.

I have followed that blog post you guys link to in your documentation for the IIS reverse proxy, to enable SSL/TLS in front of SonarQube.

BUT I have found a solution. Put a proper reverse proxy in front of SonarQube that is NOT IIS and is not rewriting things.

In my case we chose the F5 BIG-IP product to front SonarQube.
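
A way to confirm the symptom described in the post above, as an added example that is not part of the original thread or of SonarQube: it compares the host in the redirect's `Location` header with the `Destination` inside the SAML request itself. It assumes the login redirect uses the SAML HTTP-Redirect binding (a deflated, base64-encoded `SAMLRequest` query parameter); the function names are hypothetical and the sample URLs are constructed from the hostnames in the post.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

def authn_request_destination(location):
    """Destination attribute of the AuthnRequest in the SAMLRequest parameter, or None."""
    params = parse_qs(urlsplit(location).query)
    if "SAMLRequest" not in params:
        return None
    deflated = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15)  # redirect binding uses raw DEFLATE, no zlib header
    return ET.fromstring(xml).get("Destination")

def check_redirect(location, idp_host, proxy_host):
    """Classify the Location header the browser received for the SAML login redirect."""
    host = urlsplit(location).hostname
    dest = authn_request_destination(location)
    dest_host = urlsplit(dest).hostname if dest else None
    if host == idp_host:
        return "ok"
    if host == proxy_host and dest_host == idp_host:
        # The application built a request for the IdP; only the header host changed in transit.
        return "location-rewritten-by-proxy"
    return "unexpected-host"

def _constructed_location(host):
    """Build a sample redirect URL (constructed test data, not captured traffic)."""
    idp_url = "https://adfs.corp.com/adfs/realm/sonarqube"
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'ID="_constructed" Version="2.0" Destination="{idp_url}"/>').encode()
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(xml) + c.flush()).decode()
    return f"https://{host}/adfs/realm/sonarqube?" + urlencode({"SAMLRequest": blob})

GOOD = _constructed_location("adfs.corp.com")
REWRITTEN = _constructed_location("sonarqube.corp.com")

if __name__ == "__main__":
    for loc in (GOOD, REWRITTEN):
        print(check_redirect(loc, "adfs.corp.com", "sonarqube.corp.com"), loc[:60])
```

A `location-rewritten-by-proxy` verdict on the header seen through the proxy points at the proxy's response-header rewriting rather than at the SAML settings in SonarQube.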


(jjs) #5

This is what is not working:

The browser/user is never sent to the SAML2.0 login page. The user is sent to https://sonarqube.acme.local/adfs/realm/sonarqube which of course does not exist.

The IIS reverse proxy config in the blog post you guys link to in your documentation breaks this and needs to be updated to take into consideration the SAML module.

My solution to this was to dump IIS. We are using another product to front the SonarQube and handle SSL/TLS. In our case we chose F5 BIG-IP.


(G Ann Campbell) #6

Hi,

If we’re linking to a misleading blog post, I’d like to correct that, but I don’t find any mention of IIS in this page: https://docs.sonarqube.org/display/PLUG/SAML+Authentication+Plugin. Could you point me in the right direction, please?

 
Ann


(jjs) #7

Sure thing Ann,

On the bottom of this page you link to the IIS setup blog post:
https://docs.sonarqube.org/latest/setup/operate-server/

This setup is fine for an IIS reverse proxy, but … It seems to break authentication with the SonarQube SAML module.


(G Ann Campbell) #8

Hi,

Thanks for the pointer. In fact, the heading over the blog post link is “Using IIS”, so …

This is not my area. Could you help me understand why / how an IIS blog post ought to be relevant to setting up SAML?

 
Thx,
Ann


(jjs) #9

This IIS setup will break the SAML auth.


(G Ann Campbell) #10

Hi,

Okay, thanks. I’ve added a note to the docs about SAML + IIS. The change will be published with the next release.

 
Ann