I am working on testing a SQ migration from one domain to another, just to make sure everything works as expected before the actual migration. So for the time being we require both instances to be running simultaneously.
We have a current production instance of SQ enterprise v9.9.3.79811 running on SQL Server 2016. Our app tier is configured with SSO SAML using https. I’ve installed a second instance of SQ v9.9.8.100196 on new hardware/domain and started SQ at http://localhost:9000; the site comes up, all working as expected. Lastly, I configured SQ to run as a service using the new domain svc acct.
I then created a SQL backup of our PROD db and restored it on a new SQL Server 2022 instance, stopped the SQ service, then updated the sonar.jdbc.url connection string to point to the new SQL Server instance. Started the SQ service; it starts with no errors in the sonar access or web logs.
When I navigate to http://localhost:9000 I’m only able to log in with the default admin account, and not with any of the AD accounts configured in SAML.
Questions:
Does SQ require a website in IIS?
Can I test a db migration without a license key? At what point will I be required to request a test license?
Do I need to configure SSL before SAML? Will my two SQ environments require separate SAML accounts in Azure AD?
Please clarify how SQ licenses become invalidated as I don’t want that to happen in production with this migration testing.
Require? No. But if you’re planning to make your test SQ instance public outside of the VM it is running on, you’ll probably want to. You should mirror whatever you’re doing in Production.
A license is only required to process analysis reports that have been sent by a SonarScanner.
Some Identity Providers may require this, but this isn’t a SonarQube requirement. What error do you get when you try to log in with SAML?
“Require? No. But if you’re planning to make your test SQ instance public outside of the VM it is running on, you’ll probably want to. You should mirror whatever you’re doing in Production.”
We had been using SQ community edition previously and we didn’t have a website in IIS. We could access the site with “servername:9000” from outside the vm in our domain.
“Some Identity Providers may require this, but this isn’t a SonarQube requirement. What error do you get when you try to login with SAML?”
SAML requires an app id which is unique and tied to the configured Sonar URL app of our PROD env; don’t we have to update the public URL for the new environment and create a new SAML account in Azure AD if we want to have both instances up? They can’t use the same app id/url, unless you know something I don’t.
I have yet to set up https in the new env, which is tied to the url for SAML auth. I am seeing “unauthorized” errors when trying to access through SAML; I will try again after configuring https. Our PROD env is using a reverse proxy.
What’s not clear is the statement below. I’ve already restored the prod backup on a non-licensed SQ instance and generated a new server id to get a new license key.
“Restoring the database content from another SonarQube instance (except for production/staging synchronization).”
Great. In that case, I’m not sure why you’re asking if IIS is required.
Sorry, I should have been clearer. No, SSL is not required by SonarQube for SAML. Yes, if you are going to log in via SAML to a second SonarQube server, you’ll need a second SAML application (pointing to the correct ACS URL, etc.) configured in Azure AD.
When you set up a staging instance for the first time (and sync the data from prod), you receive a new Server ID. On future synchronization, you will not.
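The two points that recur above, the test instance's sonar.jdbc.url having to point at the restored copy of the database and the second SonarQube server needing its own SAML application with its own ACS URL, can be checked before the service is started. The following is an added example, not code from SonarSource or from anyone in this thread: it parses the relevant keys from a constructed sonar.properties sample, confirms the JDBC URL names the expected new SQL Server host, derives the ACS (reply) URL that the second Azure AD application must be given from sonar.core.serverBaseUrl, and flags a base URL that still names the PROD host or is not https. The host names and the property values are constructed; the /oauth2/callback/saml path is the SAML reply path SonarQube documents.

```python
"""Pre-flight check for a SonarQube test migration (added example, not SonarSource code).

Assumes sonar.properties is supplied as text and that the caller knows the
expected new SQL Server host and the PROD base URL.  Host names below are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample of the relevant keys from the test instance's sonar.properties.
SAMPLE_PROPERTIES = """
# Database: SQL Server 2022 holding the restore of the PROD backup
sonar.jdbc.url=jdbc:sqlserver://sql2022-test.newdomain.example;databaseName=sonar;encrypt=true
sonar.jdbc.username=sonar_svc
# Public URL that users and the IdP see (reverse proxy terminates TLS in front)
sonar.core.serverBaseUrl=https://sonar-test.newdomain.example
"""

SAML_ACS_PATH = "/oauth2/callback/saml"


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def jdbc_sqlserver_host(jdbc_url):
    """Return the host in a jdbc:sqlserver://host[:port][;prop=value...] URL."""
    prefix = "jdbc:sqlserver://"
    if not jdbc_url.startswith(prefix):
        raise ValueError("not a SQL Server JDBC URL: %r" % jdbc_url)
    host_port = jdbc_url[len(prefix):].split(";", 1)[0]
    return host_port.split(":", 1)[0]


def saml_acs_url(base_url):
    """ACS / reply URL to register on the second Azure AD SAML application."""
    return base_url.rstrip("/") + SAML_ACS_PATH


def preflight(props, expected_db_host, prod_base_url):
    """Return a list of findings; an empty list means the test instance is
    isolated from PROD on both the database and the SAML side."""
    findings = []

    db_host = jdbc_sqlserver_host(props.get("sonar.jdbc.url", ""))
    if db_host.lower() != expected_db_host.lower():
        findings.append("sonar.jdbc.url points at %s, expected %s" % (db_host, expected_db_host))

    base = props.get("sonar.core.serverBaseUrl", "")
    parts = urlsplit(base)
    if parts.scheme != "https":
        findings.append("sonar.core.serverBaseUrl is not https; SAML redirects would use http")
    if parts.hostname and parts.hostname.lower() == (urlsplit(prod_base_url).hostname or "").lower():
        findings.append("sonar.core.serverBaseUrl still names the PROD host; the IdP would "
                        "deliver assertions to the PROD SAML application")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("register this reply URL on the new Azure AD app:",
          saml_acs_url(props["sonar.core.serverBaseUrl"]))
    for finding in preflight(props, "sql2022-test.newdomain.example", "https://sonar.prod.example"):
        print("FINDING:", finding)
```

Run it against the real sonar.properties of the test instance (read the file instead of SAMPLE_PROPERTIES) before starting the service; the reply URL it prints is the value the second SAML application in Azure AD needs, and any finding means the test instance is still wired to something in PROD.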
Appreciate your responses, just a quick follow-up.
“Great. In that case, I’m not sure why you’re asking if IIS is required.”
I wasn’t sure if there was a difference between community and enterprise in terms of IIS configuration needs, but you’ve clarified this point.
“Sorry, I should have been clearer. No, SSL is not required by SonarQube for SAML. Yes, if you are going to log in via SAML to a second SonarQube server, you’ll need a second SAML application (pointing to the correct ACS URL, etc.) configured in Azure AD.”
This might be a dumb question, but does SAML auth require a DNS entry for the app first, or can SAML auth be tested through localhost?
“When you set up a staging instance for the first time (and sync the data from prod), you receive a new Server ID. On future synchronization, you will not.”
Just to confirm, doing it this way will not invalidate the keys in both the staging and production.
I’ve requested a staging license and applied it, but am seeing forbidden 403 errors on the home/Admin page. I was seeing them before, though I thought they would go away after I applied a valid license, but they remain.
I posted my issue here as I wasn’t sure if it is license related, or something else. Any ideas?
In order for SQ to work in IIS 10 you must disable the Dynamic Restriction Settings, which come enabled by default under the IP Address and Domain Restrictions feature. Hope this helps someone; this took forever to find.
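Since the change described above turns off IIS's dynamic IP restrictions for the proxied site, it helps to be able to read back what is actually in effect, at the server level and for the site's own <location> override. The following is an added example, not code from the post: it parses the dynamicIpSecurity section of an applicationHost.config-style XML fragment (a constructed sample here; the real file is %windir%\System32\inetsrv\config\applicationHost.config) and reports the effective denyByConcurrentRequests / denyByRequestRate / logging-only state for a given site. The site name "SonarQube Proxy" and the threshold values are constructed.

```python
"""Report effective IIS dynamic IP restriction settings (added example, not from the post).

Assumes applicationHost.config-style XML is supplied as text.  The element names
(system.webServer/security/dynamicIpSecurity and its two children) are the ones IIS
uses; the site name and values in the sample are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: server-wide restrictions on, overridden off for one site
# (the change the post describes, expressed as a <location> override).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <dynamicIpSecurity enableLoggingOnlyMode="false">
        <denyByConcurrentRequests enabled="true" maxConcurrentRequests="5" />
        <denyByRequestRate enabled="true" maxRequests="20" requestIntervalInMilliseconds="200" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
  <location path="SonarQube Proxy">
    <system.webServer>
      <security>
        <dynamicIpSecurity>
          <denyByConcurrentRequests enabled="false" />
        </dynamicIpSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

DENY_RULES = ("denyByConcurrentRequests", "denyByRequestRate")


def _child(elem, tag):
    """Direct child lookup by exact tag.  ElementTree's find() treats '.' as a
    path token, so a dotted tag like system.webServer must be matched by hand."""
    for node in elem:
        if node.tag == tag:
            return node
    return None


def _dynamic_ip_node(scope):
    ws = _child(scope, "system.webServer")
    sec = _child(ws, "security") if ws is not None else None
    return _child(sec, "dynamicIpSecurity") if sec is not None else None


def _flag(value):
    return (value or "false").strip().lower() == "true"


def dynamic_ip_settings(config_xml, site=None):
    """Effective settings for `site`: server-level values first, then any
    <location path=site> override.  Attributes absent at a scope keep the
    value inherited from the scope above."""
    root = ET.fromstring(config_xml)
    effective = {rule: False for rule in DENY_RULES}
    effective["loggingOnly"] = False

    scopes = [root]
    if site is not None:
        scopes += [loc for loc in root if loc.tag == "location" and loc.get("path") == site]

    for scope in scopes:
        node = _dynamic_ip_node(scope)
        if node is None:
            continue
        if node.get("enableLoggingOnlyMode") is not None:
            effective["loggingOnly"] = _flag(node.get("enableLoggingOnlyMode"))
        for rule in DENY_RULES:
            child = _child(node, rule)
            if child is not None and child.get("enabled") is not None:
                effective[rule] = _flag(child.get("enabled"))
    return effective


def restrictions_enforced(settings):
    """True when at least one deny rule is on and IIS is not in logging-only mode."""
    return any(settings[rule] for rule in DENY_RULES) and not settings["loggingOnly"]


if __name__ == "__main__":
    for site in (None, "SonarQube Proxy"):
        s = dynamic_ip_settings(SAMPLE_CONFIG, site)
        print(site or "<server>", s, "enforced:", restrictions_enforced(s))
```

Point it at the real applicationHost.config and the IIS site that fronts SonarQube to confirm exactly which rule was turned off, and whether the request-rate rule is still active; logging-only mode is the setting that keeps the rule visible in the IIS logs without blocking requests.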