SonarQube SAML authentication with Ping Federation not working

  • which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension): SonarQube version v9.9.5 (build 90363)
  • how is SonarQube deployed: zip, Docker, Helm: We use SonarQube Developer Edition, hosted on Windows
  • what are you trying to achieve: SAML integration
  • what have you tried so far to achieve this: SAML
    Issue: SAML authentication with Ping Federation not working
    Error:
    2024.12.04 02:02:23 WARN web[AZM5KzJGdnaEq7fNAQIr][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider ‘saml’
    java.nio.file.InvalidPathException: Illegal char <?> at index 14: /idp/SSO.saml2?SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&SAMLRequest=fZJNTwIxEIb%2Fyqb37icEbBYSBBUSBGTRgxfT7Q7Q2G2XTtePf%2B%
    SAML Login URL: https://<>/idp/ACS.saml2
    Please let me know what other details are required and I will share them. Can you please help us with this issue?

Hi,

Welcome to the community!

The 14th character is the '?'. You should review your configuration.

 
HTH,
Ann

When trying to use the IP address instead of the host name, it at least reaches the SSO, but gives an unauthorized error.
But when I use the host name it does not even reach the SSO Ping Federation.
I have configured the Sonar base URL in the General settings.

Normal Sonar authentication is working fine with the hostname.

2024.12.06 06:03:05 DEBUG web[o.a.h.i.n.c.InternalIODispatch] http-outgoing-0 [ACTIVE] [content length: 5077; pos: 5077; completed: true]
2024.12.06 06:03:07 DEBUG web[AZOb2UdTK2ayghjqAAAq][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|0:0:0:0:0:0:0:1|10.41.146.49:63201][login|]
2024.12.06 06:03:08 DEBUG web[AZOb2UdTK2ayghjqAAAs][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|0:0:0:0:0:0:0:1|10.41.146.49:63201][login|]
2024.12.06 06:03:08 DEBUG web[AZOb2UdTK2ayghjqAAAr][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|0:0:0:0:0:0:0:1|10.41.146.49:63201][login|]
2024.12.06 06:03:08 DEBUG web[AZOb2UdTK2ayghjqAAAu][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|0:0:0:0:0:0:0:1|10.41.146.49:63201][login|]

Hi,

This sounds like DNS.

Would you care to share that error?

I don’t understand what this means.

 
Ann

I have disabled the "Reverse rewrite host in response headers" setting in IIS and SSO is working now. But from the pipeline side I am getting the error below when using a service connection created with the DNS name. If we use the service connection created with the IP address, then the pipeline works fine.

Do we need to install any cert on the Azure Build agent also?

##[warning]Error while executing SonarQube:Prepare task: [SQ] API GET ‘/api/server/version’ failed, error is request to https://rhs-sq.alight.com/api/server/version failed, reason: unable to get local issuer certificate
2024-12-09T13:02:05.9241004Z ##[error][SQ] API GET ‘/api/server/version’ failed, error is request to https://rhs-sq.alight.com/api/server/version failed, reason: unable to get local issuer certificate
2024-12-09T13:02:05.9375479Z ##[section]Finishing: Prepare Code Analysis

Hi,

I’m glad you’ve worked through your SSO problems.

This is a new problem and deserves a new thread if you can’t resolve it from the docs.

 
Ann

Sure @ganncamp
I have an issue with access when logging in using Ping Federation.
I have created groups in the SonarQube site manually.
Memberships should automatically be updated at each user login.
But the user is only added to the sonar-users default group.
In the SAML configuration, for the group attribute we have mapped the memberOf field, and we are getting group details for that attribute. But the user is not getting that role access.
Please let me know what details are required and I will share them.
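One way to narrow down a group-mapping problem like the one in the last post is to look at what the IdP actually sends. The script below is an added example (not from this thread or from SonarQube) that reads a captured, base64-decoded SAML assertion, pulls out every value of the attribute configured as the group attribute (memberOf here), and reports the values that do not equal an existing SonarQube group name; the assertion and group names are constructed sample data.

```python
# Added example (not from the thread or from SonarQube): inspect the attribute
# SonarQube is told to use for groups in a captured, base64-decoded SAML
# assertion and report which values cannot map onto an existing group.
# The assertion and the group names below are constructed sample data.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def group_values(assertion_xml: str, attr_name: str) -> list[str]:
    """All AttributeValue texts of the attribute named attr_name (e.g. memberOf)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == attr_name:
            for v in attr.iterfind("saml2:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values

def unmatched_groups(values: list[str], sonar_groups: list[str]) -> list[str]:
    """Values that do not equal any SonarQube group name.

    SonarQube adds the user to the group whose name equals the attribute
    value, so a directory DN such as 'CN=sonar-admins,OU=Groups,DC=example,DC=com'
    (a common shape for memberOf) does not land the user in 'sonar-admins'."""
    known = set(sonar_groups)
    return [v for v in values if v not in known]

def diagnose(assertion_xml: str, attr_name: str, sonar_groups: list[str]) -> str:
    """Explain why a login would end up in the default group only."""
    values = group_values(assertion_xml, attr_name)
    if not values:
        return f"attribute {attr_name!r} absent from assertion: only default group assigned"
    bad = unmatched_groups(values, sonar_groups)
    if bad:
        return "no SonarQube group named: " + ", ".join(bad)
    return "all group values match"

# Constructed sample assertion fragment with one plain name and one DN value.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue>sonar-developers</saml2:AttributeValue>
      <saml2:AttributeValue>CN=sonar-admins,OU=Groups,DC=example,DC=com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "memberOf", ["sonar-users", "sonar-developers", "sonar-admins"]))
```

If the attribute is missing entirely, the IdP is not releasing it to this service provider; if the values are DNs, the IdP side needs to emit plain group names or SonarQube needs groups named exactly as the values.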