SQ redirects to http instead of https after login with SAML/ADFS behind NGINX reverse proxy

saas2813 · March 25, 2022, 12:06pm

Running SonarQube v.8.9.1 LTS
RHEL 8.5.
nginx v.1.14.1

We are trying to configure SSO with ADFS/SAML.
SonarQube is currently running with local Auth after configuring the proxy-settings for NGINX as described here:

We have got the Auth working with our ADFS but the redirect returned points to HTTP instead of HTTPS.
After login we get a timeout since the http-request is blocked by a firewall, but manually opening a https url to sonarqube shows that the login succeded.
(I had the same problem with the internal auth before setting the proxy-headers.)
All topics I have found here ends up at either changing somthing in AWS or setting a 302 redirect from http to https in the proxy. Neither works for me.
The last post in this thread refers to some configuration in the bundled Catalina/Tomcat server:

This SO question seems to indicate that I need to tell Catalina that my Proxy actually is a trusted proxy:

Could anyone help me find how to make SAML Auth redirect to return https?
Or possibly give me pointers on how to reconfigure catalina ?
(I can not find any server.xml in the sonar-application-xxx.jar )

ganncamp · March 28, 2022, 5:38pm

Hi,

Is IIS in the mix? If so, this guide may be helpful:

Ann

saas2813 · March 29, 2022, 7:09am

Hi,

No we are not using IIS we use NGINX on Linux.
We are running SonarQube locally on a manually administrated RedHat server.
The part of Authentication mentioned in the IIS link bove seems to be about connecting SonarQube to the SAML-auth this actually works for us. It is the final redirect telling the client that Auth is done and to open the SonarQube page that points wrongw. Internal authentication responds with a correct redirect so the Proxy config should be working.

The actuall response header when completing the login with SAML ADFS says:
location: http://sonarqube…
While the same response for internal auth says
location: https://sonarqube…

ganncamp · March 29, 2022, 4:53pm

Hi,

That guide I linked to does cover that point and might be useful even if you’re not using IIS. Can you double-check the headers it mentions?

Ann

saas2813 · April 1, 2022, 8:36am

Hi, We have added the headers sugested in the article above.
It did not help.

CalebC · September 20, 2022, 7:17pm

We are facing the same issue (redirection to non-secure URL after SSO login using Github to authenticate). We have verified that the settings of the sonar base URL and callback URLs in the Github app refer to the secure URL.

Has there been any progress on this issue (either through investigation or fix)?

Necip · November 5, 2022, 9:43am

Hi,
Sonar documantation (Operating the Server | SonarQube Docs) for nginx is made me crazy for troubleshooting SAML for Google Workspace takes my 1-1.5 days, than the tric is

proxy_set_header X-Forwarded-Proto $scheme;

Not https nor http etc.

saas2813 · December 6, 2022, 4:53pm

It turned out that we needed to add a line

proxy_redirect https://sonarqube-url http://sonarqube-url ;

In our NGINX reverse proxy definition.

system · December 13, 2022, 4:54pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.