SonarQube API Authentication Failure when SAML Enabled

  • SonarQube Community Edition 7.9.1
  • SAML Authentication enabled

When calling the APIs requiring authentication, it still returns a 401 failure. I have tried to use both admin:admin as well as issuing a user token for admin and sending:

When I try the /authentication/validate method - it returns false.
Logs show an issue with JWT and CSFR:
2019.09.04 19:53:46 DEBUG web[AWz9tweGt3amXgFsAAFZ][auth.event] login failure [cause|Wrong CSFR in request][method|JWT][provider|LOCAL|local][IP|10.75.12.1|10.128.132.20][login|admin]

Can I not use the APIs when SAML is enabled?

Hi @redhatva,

When you perform a cURL request, you can only pass a local user account, not a SAML account. You mention admin:admin; are you sure this is the correct username and password? It should work. For instance, this works with a brand new SQ instance:

curl -u USERNAME:PASSWORD http://localhost:9000/api/favorites/search

But, again, if you try this with a SAML user, it won’t work. How exactly do you perform this request?

You can use user tokens for this. We have AD Service Accounts used for API integration. We pass in a token created for the user account rather than the strict user:password pair. This seems to work for us.
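The token-based call described in this reply, as an added example that is not from the thread or from SonarSource: the token goes in as the Basic-auth username with an empty password, and the script checks /api/authentication/validate (mentioned in the question) to tell a rejected credential apart from a transport problem. The base URL and token values are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): query SonarQube's API with a user
# token instead of a username:password pair. SonarQube accepts the token
# as the Basic-auth username with an empty password. The URL and token
# passed to sq_validate are placeholders for the caller's own values.
set -u

# Build the Authorization header for a token: base64("TOKEN:"), i.e.
# token as username, empty password.
sq_auth_header() {
  token="$1"
  printf 'Authorization: Basic %s' "$(printf '%s:' "$token" | base64 | tr -d '\n')"
}

# Extract the boolean "valid" field from the JSON body returned by
# /api/authentication/validate (prints "true", "false", or nothing).
parse_valid() {
  printf '%s' "$1" \
    | grep -o '"valid"[[:space:]]*:[[:space:]]*[a-z]*' \
    | sed 's/.*:[[:space:]]*//'
}

# Call the validate endpoint with only the Authorization header (no
# browser session cookies) and report the HTTP status and "valid" flag.
# A 401 here means the credential itself was rejected; a 200 with
# valid=false means the request reached SonarQube but was treated as
# anonymous.
sq_validate() {
  base_url="$1"
  token="$2"
  raw=$(curl -s -w '\n%{http_code}' -H "$(sq_auth_header "$token")" \
             "$base_url/api/authentication/validate")
  status=$(printf '%s' "$raw" | tail -n 1)
  body=$(printf '%s' "$raw" | sed '$d')
  printf 'HTTP %s, valid=%s\n' "$status" "$(parse_valid "$body")"
}

# Usage (placeholder values): sq_validate http://localhost:9000 "$SONAR_TOKEN"
```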

Are you on 7.9?

7.7. We’re testing 7.9.

I should note we have 2 URLs for Sonarqube: Sonarqube and SonarqubeDirect. The former is SSO, the latter is unprotected. Duh. I should have stated that up front. If you go to a protected URL you have to have credentials in session. If you’re not working in a browser you don’t have that. It’s difficult at best to contact any SSO URL via scripting. You need a secondary access point that is unprotected.

Do you run that on the same server or is it really a second instance? This seems backwards to need a second instance just because of SSO.

Two F5 load balancer entries. The first is SAML protected, the second is not. The first only works for Web UI users. The second requires authentication via a Sonarqube token. Both point to the Sonarqube server:port.