We have recently upgraded SonarQube from 6.7.1 to 7.8. After the upgrade, we set up SAML for Azure SSO integration. When I log in to SonarQube and then log out, the session logs out, and when I try to log in again, the pages reload as if it is logged in, but I am not logged in.
Is there an issue in session maintenance for SonarQube 7.8? When I try the same in incognito, I can log in the first time, but when I log out, the same issue occurs.
The same happens for a normal user created from the user management page.
First of all, could you please tell us which version of the sonar-auth-saml plugin you are using?
Then, could you please set your server to the DEBUG log level (in Administration > System > Log level), log in and out, and send us the last logs of logs/web.log?
Thanks for your reply, and apologies for the delay in response, as I was out on vacation. The version is sonar-auth-saml-plugin-1.1.0.181. Below is the web.log at debug level. The issue occurs only when we log in with the SAML plugin.
I was able to see the below log in web.log:
2020.01.28 09:35:56 INFO web[AW9MhE9fkN0ejU/GBuN0][o.s.u.c.UpdateCenter] The plugin 'authsaml' version : 1.1.0.181 has not been found on the update center.
I am attaching the full logs for your reference. web.log.txt (64.8 KB)
That's right. Once I log in with SAML, I can see my name properly the first time. But if I log out and log in again, it does not show my name in the profile section; it just shows the login icon again.
So as you say, when log out is clicked, even though the front end shows I am logged out, the session is still running, I believe. That is why, when I try to log in again, it just redirects to the homepage but the login icon still appears.
Are you using any proxy that could prevent the logout from happening?
Could you check what happens in the web console of your browser when you click on the "Log out" button? The following HTTP request should be sent: "api/authentication/logout"
As there's a redirection, the web browser is resetting the history.
You should select something like "Preserve log" (Chrome) or "Persist Logs" (Firefox) in the Inspect tool of your web browser.
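
The check requested above can also be run offline against a HAR file exported from the browser's network tab with log preservation enabled. This is an added example, not part of the thread or of SonarQube; the host name, cookie name and sample HAR are constructed placeholders, and only the `api/authentication/logout` path comes from the thread.

```python
import json
from urllib.parse import urlparse

LOGOUT_PATH = "api/authentication/logout"  # request named in the thread

# Constructed HAR fragment; host and cookie name are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://sonarqube.example.com/projects"},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "POST",
                 "url": "https://sonarqube.example.com/api/authentication/logout"},
     "response": {"status": 200, "headers": [
         {"name": "Set-Cookie", "value": "EXAMPLE-SESSION=; Max-Age=0; Path=/; HttpOnly"}]}},
]}})

def expired_cookies(response):
    """Names of cookies the response deletes (Max-Age=0 or an epoch Expires)."""
    names = []
    for header in response.get("headers", []):
        if header["name"].lower() != "set-cookie":
            continue
        for cookie in header["value"].split("\n"):  # some exports join values with newlines
            attrs = cookie.lower()
            if "max-age=0" in attrs or "01 jan 1970" in attrs or "01-jan-1970" in attrs:
                names.append(cookie.split("=", 1)[0].strip())
    return names

def diagnose_logout(har_text):
    """Classify what the recorded session shows about the logout call."""
    entries = json.loads(har_text)["log"]["entries"]
    hits = [e for e in entries
            if urlparse(e["request"]["url"]).path.rstrip("/").endswith(LOGOUT_PATH)]
    if not hits:
        return "logout request never sent"
    last = hits[-1]
    status = last["response"]["status"]
    if status == 0 or status >= 400:
        return f"logout request failed (status {status})"
    if not expired_cookies(last["response"]):
        return "logout answered but no cookie was cleared"
    return "logout sent and cookies cleared"

if __name__ == "__main__":
    print(diagnose_logout(SAMPLE_HAR))
```

A "never sent" or "failed" result points at the browser or an intermediate proxy; a successful call that clears no cookie points at session handling on the server side.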