SonarQube SAML error - Error loading privatekey from properties

Hello! I am inheriting a project someone else setup. This is Sonarqube community edition, installed on linux . In the past a handful of users were using local credentials but they really want to use SSO integration to Okta.

I setup the reverse proxy, got a good certificate from lets encrypt, followed the SAML setup document. We got as far as Okta showing success however when attemping SSO login, Sonarqube states “You’re not authorized to access this page. Please contact the administrator.” I assumed it was a permission issue, but after every combination I can think of, it still did not work. So… I followed the debug log steps to track the web.log file and this is what I’m receiving.

2024.04.03 21:04:54 ERROR web[AYotpSHrOgRLNt25APqx][o.s.a.s.SamlAuthenticator] Error in parsing service provider private key, please make sure that it is in PKCS 8 format.
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.saml2.Auth] Settings validated
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_412734b1-908a-43a0-a1ee-a6941533519d" Version="2.0" IssueInstant="2024-04-03T21:04:54Z" Destination="" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL=""><saml:Issuer>SonarQube</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" /></samlp:AuthnRequest>
2024.04.03 21:04:54 DEBUG web[AYotpSHrOgRLNt25APqx][c.o.saml2.Auth] AuthNRequest sent to --> fZJbj9owEIX/SuT3xHESdsECJLr0QkWBLrQPfUGDGYpLYmc9zu7239dJupc+dCVLlo7n2N+Z8ZigKms5a/zZ3OJdg+Sjx6o0JLuDCWuckRZIkzRQIUmv5Hb2ZSmzJJW1s94qW7JXlrcdQITOa2tYtJhP2Hr1frn+uFjtC5Fd58VBxKN0CHGRQxqDQIzhalSIQZ4PxOjIou/oKHgnLFwVLiBqcGHIg/FBSrMiTsPKd5mQaSEHxQ8WzUMebcB3rrP3NUnOlTX+pI2yib14SJStONT1i7wna8DdNQfcC46Pl2GV4vDXOc8+Z+rycDW65kSWt2FZtPnbgnfaHLX5+Xb6Q19E8tNut4k36+2ORbOnjtxYQ02FbovuXiv8drvsiVvgk4qfmZIX/JbcQhhdxhWU5QHUpceajttNdh1y021r/RqsY/5aHvejXwXMxXxjS61+Rx+sq8D/P4VIRKfoY3zqSmVjqEalTxrDgGZlaR9uHILHCfOuQRbxaf/qv39s+gc=
2024.04.03 21:04:55 ERROR web[AYotpSHrOgRLNt25APqy][c.o.s.s.SettingsBuilder] Error loading privatekey from properties. IOException : DerInputStream.getLength(): lengthTag=111, too big.
	at java.base/
	at java.base/
2024.04.03 21:04:55 ERROR web[AYotpSHrOgRLNt25APqy][o.s.a.s.SamlAuthenticator] Error in parsing service provider private key, please make sure that it is in PKCS 8 format.
2024.04.03 21:04:55 DEBUG web[AYotpSHrOgRLNt25APqy][c.o.saml2.Auth] Settings validated
2024.04.03 21:04:55 WARN  web[AYotpSHrOgRLNt25APqy][o.s.s.a.AuthenticationError] Fail to callback authentication with 'saml'
java.lang.IllegalStateException: Failed to process the authentication response

Please let me know where to go from here, according to Okta its handing off and happy, but sonarqube is not. I dont understand why its asking the key to be in pkcs8. Okta provides a x509 certificate but nothing extra. When googling I did not see anything about changing the x509 to pkcs8.

Hey there.

If I understand correctly, SonarQube requires a PKCS8 for assertion encryption support.

As documented, SonarQube + Okta doesn’t support signing requests.

Can you make sure, if you’re using Okta, that you have Sign requests turned off in your SAML config and no values for Service provider private key and Service provider certificate?

Can confirm here the fields are blank

Gee, that’s weird.

If you look at http:/<SONARQUBE_URL>/api/settings/values (while logged in as your user), do you see sonar.auth.saml.sp.privateKey.secured set anywhere? That would imply a value has been set.

It does show that exact string.

Can you try deleting your configuration and reconfiguring it, making sure not to touch the three properties I mentioned?

Please excuse my ignorance but is there a specific method for deleting the configuration other than blanking out all the options and hitting save?

In SonarQube v10.4, yes! But in SonarQube v9.9 LTS, no. Sorry, I forgot!

Perhaps you can try using the API, like this:

curl -X POST -u username:password '<SONARQUBE_URL>/api/settings/reset?keys=sonar.auth.saml.sp.privateKey.secured'

You can also use a token

curl -X POST -u THIS_IS_MY_TOKEN:'<SONARQUBE_URL>/api/settings/reset?keys=sonar.auth.saml.sp.privateKey.secured'

Late reply but im a little unsure where i’m making this change. directly on the installed box or through the user interface?

I’m suggesting you reset the setting using the Web API (curl, via your terminal), rather than using the UI. Whether this is done on the server itself or on your local machine is up to you.

OKAY! Progress…I was doing step 3 marked as optional which was why It was expecting a key. I set Assertion Encryption to unencrypted now.

Now when I do a test, I am receiving

  • The response was received at http:/%URL%/oauth2/callback/saml instead of https://%URL%/oauth2/callback/saml

Looks like I have an issue with the reverse proxy?

web.log says Caused by: com.onelogin.saml2.exception.Error: SAML Response not found, Only supported HTTP_POST Binding

What reverse proxy are you using?


ubuntu@ip-xx-xx-xx-xx:/etc/nginx/conf.d$ cat sonar.conf
server {
    server_name <name>;
    access_log /var/log/nginx/sonar.access.log;
    error_log /var/log/nginx/sonar.error.log;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://xx.xx.xx.xx:9000;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<name>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live<name>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


server {
    if ($host = <name>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name <name>;
    return 404; # managed by Certbot

This should be set to https

1 Like

That did it!!! Thank you so much for your help. Our dev team is so excited to start using this.

1 Like

Follow up question on this thread. If one did want to use assertion encryption for an additional layer of security, how might one generate or acquire the key and cert? I can generate a key and cert pair in pkcs8 format but Okta won’t accept it. Also, my understanding is that AES256-GCM is symetric so shouldn’t that mean they use a shared key? Any advice would be welcome. I’ve not found a workable answer so far.

Thank you!