SonarQube LDAP configuration

SonarQube version: sonarqube-8.2.0.32929-developer-edition
Trying to implement LDAP for single sign-on. I am facing the below error; please help me fix this issue.

Settings used:

LDAP configuration

sonar.core.serverBaseURL=https://companydomain.com

General Configuration

sonar.security.realm=LDAP
sonar.authenticator.downcase=true
ldap.url=ldaps://companydomain.com:636
ldap.bindDn=CN=serviceaccount,OU=SpecialUsers,DC=companyname,DC=com
ldap.bindPassword=password

User Configuration

ldap.user.baseDn=OU=Users,DC=companyname,DC=com
ldap.user.request=(&(objectClass=person)(memberOf=CN=Sonar_Qube_DEV,OU=entitlements,OU=SonarQube,OU=Groups,DC=companyname,DC=com))
ldap.user.realNameAttribute=cn

Group Configuration

ldap.group.baseDn=CN=Sonar_Qube_DEV,OU=entitlements,OU=SonarQube,OU=Groups,DC=companyname,DC=com
ldap.group.request= member=*

Error:
2020.07.29 04:27:48 INFO web[org.sonar.INFO] Security realm: LDAP
2020.07.29 04:27:48 INFO web[o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=OU=Users,DC=MerckGroup,DC=com, request=(&(objectClass=person)(memberOf=CN=Sonar_Qube_DEV,OU=entitlements,OU=SonarQube,OU=Groups,DC=MerckGroup,DC=com)), realNameAttribute=cn, emailAttribute=dnapS115671}
2020.07.29 04:27:48 ERROR web[o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: null

Greetings Preetham, and welcome to the SonarSource community forum.

Did you solve your issue?

In case you did not, a few tips:

  • activate DEBUG logs so that you understand more precisely what or where the configuration load went wrong.
  • use the ldapsearch CLI tool to validate your mappings and search request parameters
  • get some advice from your LDAP admin team

And to me your LDAP group request seems odd.

Have a good day.
Sylvain
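Following the tips above, here is an added example (not SonarQube code, not from the thread participants) that checks the posted user and group requests against the placeholders SonarQube's documented default requests use, and builds the equivalent ldapsearch call; SAMPLE_PROPERTIES is constructed from the settings posted above and the login "jdoe" is an assumed value.

```python
# Added example for this thread, not SonarQube code: sanity-check the posted LDAP
# settings and build the equivalent ldapsearch call. The {login} and {dn}
# placeholders are those of SonarQube's documented default user/group requests.
import shlex

# Constructed from the settings posted in this thread (no password included).
SAMPLE_PROPERTIES = """
ldap.url=ldaps://companydomain.com:636
ldap.bindDn=CN=serviceaccount,OU=SpecialUsers,DC=companyname,DC=com
ldap.user.baseDn=OU=Users,DC=companyname,DC=com
ldap.user.request=(&(objectClass=person)(memberOf=CN=Sonar_Qube_DEV,OU=entitlements,OU=SonarQube,OU=Groups,DC=companyname,DC=com))
ldap.group.baseDn=CN=Sonar_Qube_DEV,OU=entitlements,OU=SonarQube,OU=Groups,DC=companyname,DC=com
ldap.group.request= member=*
"""

def parse_properties(text):
    """Minimal key=value reader for the ldap.* lines of sonar.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def balanced_filter(flt):
    """An LDAP filter is one parenthesised expression, e.g. (member={dn})."""
    depth, ok = 0, flt.startswith("(") and flt.endswith(")")
    for ch in flt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        ok = ok and depth >= 0
    return ok and depth == 0

def check_settings(props):
    """Findings about the user/group requests; an empty list means nothing odd."""
    findings = []
    user_req = props.get("ldap.user.request", "")
    group_req = props.get("ldap.group.request", "")
    if "{login}" not in user_req:
        findings.append("ldap.user.request lacks {login}, so it cannot select the user logging in")
    if not balanced_filter(group_req):
        findings.append("ldap.group.request is not a parenthesised LDAP filter")
    if "{dn}" not in group_req:
        findings.append("ldap.group.request lacks {dn}, so membership cannot be tied to the user")
    return findings

def ldapsearch_command(props, login):
    """Reproduce the user lookup with the ldapsearch CLI (-W prompts for the bind password)."""
    flt = props["ldap.user.request"].replace("{login}", login)
    parts = ["ldapsearch", "-x", "-H", props["ldap.url"], "-D", props["ldap.bindDn"], "-W",
             "-b", props["ldap.user.baseDn"], flt, props.get("ldap.user.realNameAttribute", "cn")]
    return " ".join(shlex.quote(p) for p in parts)
```

Run `check_settings(parse_properties(SAMPLE_PROPERTIES))` to see the findings for the posted configuration, then paste the output of `ldapsearch_command(...)` into a shell on a host that can reach the directory.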

Thanks for the response, Sylvain.
Resolved the LDAP issue; it is working as expected now.

New problem:
We are facing one more issue while integrating SAML with PingFederate.
Any idea where we can assign the ACS (Assertion Consumer Service) URL? Where can we find the metadata file? If it is not available by default, where do we have to place the metadata file?

Thanks in advance.

Hi Preetham,
I have no particular know-how about the PingFederate SAML implementation. You may find a few references about it in this forum though.

Can you explain what you can’t configure on SonarQube to have your SAML setup up and running?
As with LDAP, you may enable verbose logs for SAML settings troubleshooting, and feel free to share some of them here.

Best.
Sylvain

Hi Sylvain,

While doing the SAML implementation we are facing the below issue:
Application error (screenshot)
Log error:
2020.08.12 01:08:51 ERROR web[AXPhRrsNRxQ13c0ZAACD][c.o.saml2.Auth] processResponse error.SAML Response not found, Only supported HTTP_POST Binding
2020.08.12 01:08:51 WARN web[AXPhRrsNRxQ13c0ZAACD][o.s.s.a.AuthenticationError] Fail to callback authentication with ‘saml’
java.lang.IllegalStateException: Fail to process response
at org.sonar.auth.saml.SamlIdentityProvider.processResponse(SamlIdentityProvider.java:151)
at org.sonar.auth.saml.SamlIdentityProvider.callback(SamlIdentityProvider.java:119)
at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:98)
at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:77)
at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:70)
at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:88)
at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:72)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:615)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1627)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: com.onelogin.saml2.exception.Error: SAML Response not found, Only supported HTTP_POST Binding
at com.onelogin.saml2.Auth.processResponse(Auth.java:689)
at com.onelogin.saml2.Auth.processResponse(Auth.java:699)
at org.sonar.auth.saml.SamlIdentityProvider.processResponse(SamlIdentityProvider.java:149)
… 48 common frames omitted

Hi Sylvain,

For testing purposes we moved from PingFederate to Azure AD; here also we are facing the below issue:

You’re not authorized to access this page. Please contact the administrator.

Reason: The response was received at https://companyname.com:443/oauth2/callback/saml instead of https://companyname.com/oauth2/callback/saml

Hello Preetham,
From your logs and inputs I would say that SonarQube is receiving GET requests on its SAML endpoint URL, requests it is not able to handle (as it only expects SAML responses from your IdP using POST).
Did you set your IdP login endpoint as the SAML login URL parameter on the SonarQube side?

You may check for received requests in the access.log file.

Best regards
Sylvain

Hi Sylvain,

Could you please show me the SAML login URL format?
I will be using the below format:
https://companyname.com/oauth2/callback/saml

Below is the access.log info:

[12/Aug/2020:07:33:19 -0500] "GET /api/users/identity_providers HTTP/1.1" 200 114 "https://companydomain.com/sessions/new?return_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36" "AXPhRrsNRxQ13c0ZAANx"

The documentation for SAML delegated authentication provides configuration parameter examples for Keycloak, while this community guide provides the same for Okta.
You may extrapolate from them.

The access.log line you shared may not be the one for the refused request; can you make sure of that (by matching the time info)?

And of course, when you redact logs or parameters, please use something like ‘sonarqube.mycompany.com’ for SonarQube URLs, and like ‘idp.mycompany.com’ for IDP related addresses, otherwise it all gets a little confusing…

Best.
Sylvain
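As an added example (not SonarQube code, not from the thread participants) covering the two SAML callback failures discussed above, the following flags non-POST hits on the callback in access.log and shows why the two URLs in the Azure AD message differ only by the explicit default port; the log lines are constructed in the format posted above, using the redaction hostnames Sylvain suggests, and the request ids other than the one posted are made up.

```python
# Added example for this thread, not SonarQube code: triage the two SAML callback
# failures reported above. The access.log lines are constructed in the format posted
# above (hostnames redacted as Sylvain suggests); the two URLs in the acs_matches
# test come from the Azure AD message.
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/oauth2/callback/saml"

# Constructed: a browser GET on the callback (what "Only supported HTTP_POST Binding"
# complains about) between a normal API call and a correct IdP POST.
SAMPLE_ACCESS_LOG = """\
[12/Aug/2020:07:33:19 -0500] "GET /api/users/identity_providers HTTP/1.1" 200 114 "https://sonarqube.mycompany.com/sessions/new?return_to=%2F" "Mozilla/5.0" "AXPhRrsNRxQ13c0ZAANx"
[12/Aug/2020:07:33:25 -0500] "GET /oauth2/callback/saml HTTP/1.1" 500 2048 "https://idp.mycompany.com/" "Mozilla/5.0" "AXPhRrsNRxQ13c0ZAAC2"
[12/Aug/2020:07:40:02 -0500] "POST /oauth2/callback/saml HTTP/1.1" 302 0 "https://idp.mycompany.com/" "Mozilla/5.0" "AXPhRrsNRxQ13c0ZAAD7"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) .*"(?P<rid>[^"]*)"$')

def non_post_callbacks(log_text):
    """(timestamp, method, status, request id) of every callback hit that is not a POST;
    the request id is the token shown in brackets in the web.log error line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"].split("?")[0] == CALLBACK_PATH and m["method"] != "POST":
            hits.append((m["ts"], m["method"], int(m["status"]), m["rid"]))
    return hits

def normalize_url(url):
    """Drop an explicit default port so https://host:443/p equals https://host/p."""
    p = urlsplit(url)
    host = p.hostname or ""
    default = {"https": 443, "http": 80}.get(p.scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return f"{p.scheme}://{netloc}{p.path}"

def acs_matches(received, expected):
    """(strict, normalized): the Azure AD message is what a strict comparison yields, so the
    IdP's reply URL and the URL SonarQube computes from sonar.core.serverBaseURL must be identical."""
    return received == expected, normalize_url(received) == normalize_url(expected)
```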

Hi Sylvain,

Please find the settings below.

I can’t tell exactly of course, but this seems ok.
Are you able to get the SAML login prompt now?
Do you still have the same error page when you reach SonarQube UI?

Sylvain