Hello! I am inheriting a project someone else set up. This is SonarQube Community Edition 9.9.1.69595, installed on Linux. In the past a handful of users were using local credentials, but they really want to use SSO integration with Okta.
I set up the reverse proxy, got a good certificate from Let's Encrypt, and followed the SAML setup document. We got as far as Okta showing success; however, when attempting SSO login, SonarQube states "You're not authorized to access this page. Please contact the administrator." I assumed it was a permission issue, but after every combination I can think of, it still did not work. So… I followed the debug log steps to track the web.log file and this is what I'm receiving.
2024.04.03 21:04:54 ERROR web[AYotpSHrOgRLNt25APqx][o.s.a.s.SamlAuthenticator] Error in parsing service provider private key, please make sure that it is in PKCS 8 format.
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.saml2.Auth] Settings validated
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_412734b1-908a-43a0-a1ee-a6941533519d" Version="2.0" IssueInstant="2024-04-03T21:04:54Z" Destination="https://contfinco.okta.com/app/contfinco_sonarqube_1/exk8m0e8jh32J2ckw697/sso/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://cfc-sonarqube.contfinco.com/oauth2/callback/saml"><saml:Issuer>SonarQube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.saml2.Auth] AuthNRequest sent to https://contfinco.okta.com/app/contfinco_sonarqube_1/exk8m0e8jh32J2ckw697/sso/saml -->
2024.04.03 21:04:55 ERROR web[AYotpSHrOgRLNt25APqy][c.o.s.s.SettingsBuilder] Error loading privatekey from properties.
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=111, too big.
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:253)
at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:389)
2024.04.03 21:04:55 ERROR web[AYotpSHrOgRLNt25APqy][o.s.a.s.SamlAuthenticator] Error in parsing service provider private key, please make sure that it is in PKCS 8 format.
2024.04.03 21:04:55 DEBUG web[AYotpSHrOgRLNt25APqy][c.o.saml2.Auth] Settings validated
2024.04.03 21:04:55 WARN web[AYotpSHrOgRLNt25APqy][o.s.s.a.AuthenticationError] Fail to callback authentication with 'saml'
java.lang.IllegalStateException: Failed to process the authentication response
Please let me know where to go from here. According to Okta it's handing off and happy, but SonarQube is not. I don't understand why it's asking for the key to be in PKCS8. Okta provides an X.509 certificate but nothing extra. When googling I did not see anything about changing the X.509 to PKCS8.
Can you make sure, if you’re using Okta, that you have Sign requests turned off in your SAML config and no values for Service provider private key and Service provider certificate?
If you look at http://<SONARQUBE_URL>/api/settings/values (while logged in as your user), do you see sonar.auth.saml.sp.privateKey.secured set anywhere? That would imply a value has been set.
I’m suggesting you reset the setting using the Web API (curl, via your terminal), rather than using the UI. Whether this is done on the server itself or on your local machine is up to you.
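The check-and-reset procedure in the reply above, as an added example that is not SonarQube's own code and not part of this thread: it pulls the SAML keys out of a settings/values response, flags the request-signing values that should be absent with Okta, and builds the same POST a curl reset would send. The endpoint paths (api/settings/values, api/settings/reset), the token-as-username Basic auth scheme, and the setting names other than sonar.auth.saml.sp.privateKey.secured are assumptions about the SonarQube Web API; the JSON response is a constructed sample.

```python
"""Find leftover SAML signing settings and build the Web API reset call.

Added illustration, not SonarQube's code. Assumptions: the response shape of
GET /api/settings/values, the POST /api/settings/reset endpoint, Basic auth
with the user token as username, and the two setting names that are not in
the thread (signature.enabled, sp.certificate.secured).
"""
import base64
import json
import urllib.parse
import urllib.request

SAML_PREFIX = "sonar.auth.saml."

# Settings that should be absent (or off) when "Sign requests" is disabled.
SIGNING_KEYS = [
    "sonar.auth.saml.signature.enabled",        # assumed name
    "sonar.auth.saml.sp.certificate.secured",   # assumed name
    "sonar.auth.saml.sp.privateKey.secured",    # named in the thread
]

# Constructed sample of what GET /api/settings/values might return.
# Secured settings are assumed to come back as a key with no value.
SAMPLE_VALUES = json.dumps({
    "settings": [
        {"key": "sonar.auth.saml.enabled", "value": "true"},
        {"key": "sonar.auth.saml.signature.enabled", "value": "true"},
        {"key": "sonar.auth.saml.sp.certificate.secured"},
        {"key": "sonar.auth.saml.sp.privateKey.secured"},
        {"key": "sonar.core.serverBaseURL", "value": "https://sonar.example.test"},
    ]
})


def saml_settings(payload: str) -> dict:
    """Map every SAML setting key in a settings/values response to its value (None if hidden)."""
    data = json.loads(payload)
    return {s["key"]: s.get("value")
            for s in data.get("settings", [])
            if s.get("key", "").startswith(SAML_PREFIX)}


def leftover_signing_keys(payload: str) -> list:
    """Return the signing-related keys that are still set (and not explicitly 'false')."""
    present = saml_settings(payload)
    leftover = []
    for key in SIGNING_KEYS:
        if key not in present:
            continue
        if key.endswith(".enabled") and str(present[key]).lower() == "false":
            continue
        leftover.append(key)
    return leftover


def reset_request(base_url: str, keys: list, token: str) -> urllib.request.Request:
    """Build the POST that clears the given settings (curl-equivalent, not sent here)."""
    body = urllib.parse.urlencode({"keys": ",".join(keys)}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/settings/reset",
                                 data=body, method="POST")
    # SonarQube token auth (assumed): token as the Basic-auth username, empty password.
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    return req


if __name__ == "__main__":
    stale = leftover_signing_keys(SAMPLE_VALUES)
    print("leftover signing settings:", stale)
    req = reset_request("https://sonar.example.test", stale, "<TOKEN>")
    print(req.get_method(), req.full_url, req.data)
    # To actually send it: urllib.request.urlopen(req)
```

Run it against the real server by replacing SAMPLE_VALUES with the body of a GET to api/settings/values made with your token, then pass the returned request to urlopen once you have confirmed the key list is what you intend to clear.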
Follow-up question on this thread. If one did want to use assertion encryption for an additional layer of security, how might one generate or acquire the key and cert? I can generate a key and cert pair in PKCS8 format but Okta won't accept it. Also, my understanding is that AES256-GCM is symmetric, so shouldn't that mean they use a shared key? Any advice would be welcome. I've not found a workable answer so far.
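The "please make sure that it is in PKCS 8 format" and "lengthTag=111, too big" messages in the first post, and the PKCS8-versus-certificate confusion in the first post and the follow-up, come down to what bytes a key parser is handed. The following added example (not SonarQube, Okta or OneLogin code, and not part of this thread) classifies a PEM blob as PKCS#8 PrivateKeyInfo, PKCS#1 RSAPrivateKey or X.509 certificate by reading both the PEM label and the outer DER structure, and reproduces the Java length check that emits "lengthTag=N, too big". The sample keys are hand-built DER shells with dummy integers, not real key material.

```python
"""Classify a PEM private-key blob as PKCS#8, PKCS#1 or X.509.

Added illustration. Parses only the outer DER structure, which is all that
distinguishes the formats; the sample inputs are constructed shells with
placeholder integers, not usable keys.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_encode(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the sample inputs."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def der_read(buf: bytes, pos: int):
    """Read one TLV at buf[pos]; return (tag, value, next_pos).

    The length check mirrors Java's DerInputStream.getLength(): a long-form
    length whose byte count is 0 or more than 4 fails with
    'lengthTag=<count>, too big'. A logged 'lengthTag=111' therefore means the
    parser met a length byte of 0xEF (0x80 | 111), which no valid DER-encoded
    key has there: the bytes it was given were not DER at all.
    """
    if pos + 2 > len(buf):
        raise ValueError("short read of DER tag/length")
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80 == 0:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError(f"lengthTag={nbytes}, too big")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[start:end], end


def classify_der(der: bytes) -> str:
    """Name the outer structure of a DER blob the way a key parser sees it."""
    try:
        tag, body, _ = der_read(der, 0)
        if tag != 0x30:
            return "not a DER SEQUENCE"
        t1, _, p = der_read(body, 0)        # version INTEGER in both formats
        t2, v2, p = der_read(body, p)
        if t1 != 0x02:
            return "unrecognised structure"
        if t2 == 0x30:                      # PKCS#8: AlgorithmIdentifier SEQUENCE next
            oid_tag, oid, _ = der_read(v2, 0)
            t3, _, _ = der_read(body, p)    # then the OCTET STRING wrapping the key
            if oid_tag == 0x06 and t3 == 0x04:
                algo = "RSA" if oid == RSA_OID else "OID " + oid.hex()
                return f"PKCS#8 PrivateKeyInfo ({algo})"
        if t2 == 0x02:                      # PKCS#1: modulus INTEGER follows version
            return "PKCS#1 RSAPrivateKey"
        return "unrecognised structure"
    except ValueError as exc:
        return f"parse error: {exc}"


def classify_pem(text: str) -> str:
    """Combine the PEM label with the DER structure and flag mismatches."""
    m = PEM_RE.search(text)
    if not m:
        return "not PEM"
    label = m.group(1)
    if label == "CERTIFICATE":
        return "X.509 certificate: public material, never a private key"
    if label == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8 encrypted private key (needs a passphrase)"
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError:
        return "PEM body is not valid base64"
    found = classify_der(der)
    expected = {"PRIVATE KEY": "PKCS#8", "RSA PRIVATE KEY": "PKCS#1"}.get(label)
    if expected and not found.startswith(expected):
        return f"label says {label} but body is {found}"
    return found


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_samples() -> dict:
    """Constructed sample blobs with placeholder integers (not real keys)."""
    version = der_encode(0x02, b"\x00")
    pkcs1 = der_encode(0x30, version
                       + der_encode(0x02, b"\x00\xc1\x23")   # placeholder modulus
                       + der_encode(0x02, b"\x01\x00\x01"))  # placeholder exponent
    alg_id = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    pkcs8 = der_encode(0x30, version + alg_id + der_encode(0x04, pkcs1))
    return {
        "pkcs8": to_pem("PRIVATE KEY", pkcs8),
        "pkcs1": to_pem("RSA PRIVATE KEY", pkcs1),
        "mislabelled": to_pem("PRIVATE KEY", pkcs1),  # PKCS#1 bytes under a PKCS#8 header
    }


if __name__ == "__main__":
    for name, pem in build_samples().items():
        print(f"{name:12s} -> {classify_pem(pem)}")
    print("garbage      ->", classify_der(bytes([0x30, 0xEF, 0x00])))
```

Point classify_pem at the file you intend to paste into the Service provider private key field before saving it: a "BEGIN RSA PRIVATE KEY" result is the traditional PKCS#1 form, which standard OpenSSL converts to unencrypted PKCS#8 with `openssl pkcs8 -topk8 -nocrypt`, and a CERTIFICATE result is the public half that belongs in the certificate field, never in the key field.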