Sonarqube SAML gave error: You're not authorized to access this page. Please contact the administrator

authentication
saml
(Allan Margono) #1

I am currently use sonaqube Version 6.7.6 (build 38781 and having a problem configuring the SAML.
I did follow the SAML plugin doc here, https://docs.sonarqube.org/display/PLUG/SAML+Authentication+Plugin
However I got an error when login:
You’re not authorized to access this page. Please contact the administrator.

I think it is related to the Assertion Point as per the above doc is:
"https://sonarqube.mycompany.com/oauth2/callback/saml"

Appreciate any help on this issue.

Thanks,
Allan

(Julien Lancelot) #2

Hi @amargono,

In order to investigate what is happening, could you please :

  • Activate the DEBUG log level
  • Try to authenticate again
  • Check logs generated in web.log

Regards,
Julien Lancelot

(Allan Margono) #3

Hello,
Here are an excerpt from the debug log.
Appreciate any pointers.

Thanks,

2019.03.27 14:01:25 INFO web[AWm8osMveq5f4nGiAAIN][o.s.s.p.ServerLogging] Level of logs changed to DEBUG

2019.03.27 14:01:25 DEBUG web[AWm8osMveq5f4nGiAAIO][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@2eaf87bb5 pairs: {GET /systemInfo HTTP/1.1: null}{User-Agent: SonarQube 6.7.6.38781 # 7DF2B8FB-AWmDBDnIVQkoUBmfyRlz Java/1.8.0_201}{Host: 127.0.0.1:63229}{Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2}{Connection: keep-alive}

2019.03.27 14:01:25 DEBUG web[AWm8osMveq5f4nGiAAIO][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@6f9103da5 pairs: {null: HTTP/1.1 200 OK}{Content-Type: application/x-protobuf}{Date: Wed, 27 Mar 2019 19:01:25 GMT}{Connection: keep-alive}{Content-Length: 7270}

2019.03.27 14:02:34 DEBUG web[AWm8osMveq5f4nGiAAIQ][auth.event] logout success [IP|140.167.162.110|199.176.18.85:19674][login|i859999]

2019.03.27 14:02:38 DEBUG web[AWm8osMveq5f4nGiAAIn][c.o.saml2.Auth] Settings validated

2019.03.27 14:02:38 DEBUG web[AWm8osMveq5f4nGiAAIn][c.o.s.a.AuthnRequest] AuthNRequest --> <samlp:AuthnRequest xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol” xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion” ID=“ONELOGIN_963367dd-9700-4ce9-a60c-29e874ee225f” Version=“2.0” IssueInstant=“2019-03-27T19:02:38Z” Destination=“https://accounts400.sap.com/saml2/idp/sso/accounts.sap.com” ProtocolBinding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” AssertionConsumerServiceURL=“https://mycompany.com/oauth2/callback/saml”><saml:Issuer>https://mycompany.com</saml:Issuer><samlp:NameIDPolicy Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” AllowCreate=“true” /></samlp:AuthnRequest>

2019.03.27 14:02:38 DEBUG web[AWm8osMveq5f4nGiAAIn][c.o.saml2.Auth] AuthNRequest sent to https://accounts400.sap.com/saml2/idp/sso/accounts.sap.com --> fZLLbsIwEEV/JfI+iQkUiBUiUegjEgUEtItuKuMMYNWxU4/Tx983hNLSBawszdzrucfjBHmhSjas3E4v4K0CdN5noTSypjEgldXMcJTINC8AmRNsOXyYsCigrLTGGWEUObFcdnBEsE4aTbxsPCCz6c1kdpdNX+Juu93t5bkf9yj1OwJin3ep8KMY+r0OQBRdbYj3BBZr74DUV9UXIFaQaXRcu7pEW7FP237UW7ViRiPW7j8Tb1zzSM1d49o5VyILQy6EqbTDDqUB8jIQpgj30aNQ5mWIaH4Vxzbx5j+o11LnUm8vU64PImT3q9Xcn8+WK+INj+Qjo7EqwC7BvksBj4vJXzKp3Qes91M3W9XkMrzeTBQKrtSai9cmJ0mT/cGaB7DpWXMSnsqSw6anddpsPDdKii/v1tiCu/MwraDVVGTubxopqzSWIORGQl4zKWU+Rha4gwFxtgLihelh6v8

(Colin Mueller) #4

Hey Allan,

What SAML provider are you using, and… shot in the dark here, are you trying to initiate the login from the Identity/SAML provider or from the SonarQube login screen?

I ask because your URL has “idp” in it, which means it’s the URL meant to be used when initating a login from the Identity Provider (rather than “sp”, or when it’s initiated from the Service Provider, in this case SonarQube).

Colin

(Allan Margono) #5

Hi Collin,
I used the Service Provider from SAP which is my parent company, even I used different domain for my Sonarqube installation.

Thanks,
Allan

(Allan Margono) #6

I came across the following link, SAML IDP Initiated Login.
And I did set the login URL like https://sonar.example.com/sessions/init/saml?return_to=%2F.
However I got an error:
The page you were looking for does not exist.