SSO on IIS + LDAP plugin

Hi there
I use the following configuration:

  • SonarQube 7.7
  • LDAP plugin v.2.2.0.608
  • IIS 10.0 + URLRewrite (configured as Reverse proxy)
  • IIS and SonarQube are deployed on the same node, within AD domain. Domain users authentication and group membership is configured and working OK.

I want to enable SSO for this configuration. I updated sonar.properties in SSO section as it was described in the documentation:

#--------------------------------------------------------------------------------------------------
# SSO AUTHENTICATION
# Enable authentication using HTTP headers
sonar.web.sso.enable=true
sonar.web.sso.loginHeader=X-Forwarded-Login
sonar.web.sso.nameHeader=X-Forwarded-Name
#sonar.web.sso.emailHeader=X-Forwarded-Email
sonar.web.sso.groupsHeader=X-Forwarded-Groups
sonar.web.sso.refreshIntervalInMinutes=5

However, I haven’t found any solution for configuring IIS to handle all these headers required by SonarQube. (And I’m not really sure there’s any way to make this solution work.)

Can someone suggest a solution for IIS for rewriting HTTP headers and forwarding them to SonarQube?

Hi @SirEjik,

I’m afraid we don’t have much in-house knowledge about IIS configuration. I guess the first step is making sure IIS actually has those values.

However, why are you using Web SSO with LDAP? Why not use the LDAP authentication directly? SonarQube can use LDAP to authenticate users, without the whole Web SSO setup.

Hi @Wouter_Admiraal
Thank you for your answer.

SonarQube can use LDAP to authenticate users, without the whole Web SSO setup.

Well, we use the LDAP plugin to authenticate domain users, and it works fine. But I need to configure a way to log users in to SQ without entering username and password every time from within our domain environment. And as far as I know, when using the LDAP plugin, that is possible only by using HTTP header rewriting, isn’t it?

Aha, indeed.

Again, we don’t use IIS here, so I don’t know how we would configure this. Hopefully some other community member has done this before? I might be able to give some pointers, though.

In NginX or Apache, we would start by making sure the server has access to these values. In your case, how does the user authenticate the first time? Is it via a centralized login, or something like Kerberos/NTLM? How does IIS get this info?

For example, in the NginX world, if using Kerberos, you would need to add the spnego-auth module, and configure it to communicate with Kerberos. Once that is done, we will have access to new variables, which we can pass to a proxied host via custom HTTP Headers. Something like:

location / {
	proxy_pass           http://sonarqube:9000;
	proxy_set_header     X-Forwarded-Login $remote_user;
	auth_gss             on;
	auth_gss_keytab      /path/to/keytab/site.keytab;
	auth_gss_realm       REALM;
	auth_gss_force_realm on;
}
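The IIS-side equivalent of the NginX block above, as an added example that is not part of this thread and not SonarSource's own configuration: a web.config for the URL Rewrite reverse-proxy site. It assumes Windows Authentication is enabled (and anonymous authentication disabled) on that IIS site so that LOGON_USER is populated as DOMAIN\user, that SonarQube listens on localhost:9000, and that the LDAP login is the account name without the domain prefix.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Hypothetical rule name; proxies every request to SonarQube. -->
        <rule name="SonarQube SSO reverse proxy" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- LOGON_USER is assumed to be DOMAIN\user; capture the bare
                 account name so it matches the login known to the LDAP plugin. -->
            <add input="{LOGON_USER}" pattern="^(?:[^\\]+\\)?([^\\]+)$" />
          </conditions>
          <serverVariables>
            <!-- HTTP_X_FORWARDED_* server variables are sent to the backend as
                 request headers. They are always overwritten here, so a header
                 supplied by the browser itself never reaches SonarQube:
                 SonarQube trusts whatever the proxy forwards. -->
            <set name="HTTP_X_FORWARDED_LOGIN" value="{C:1}" />
            <set name="HTTP_X_FORWARDED_NAME" value="{C:1}" />
            <!-- Group membership is left to the LDAP plugin. If
                 sonar.web.sso.groupsHeader stays enabled in sonar.properties,
                 the proxy must control X-Forwarded-Groups the same way instead
                 of passing the client's value through. -->
          </serverVariables>
          <action type="Rewrite" url="http://localhost:9000/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Each HTTP_X_FORWARDED_* name must also be listed under `<rewrite><allowedServerVariables>` in applicationHost.config (the "View Server Variables" action in the URL Rewrite UI does this), otherwise IIS rejects the rule. Because SonarQube accepts the login in the header without further checks, port 9000 must be reachable only through IIS, not directly by clients.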

Thank you.

In your case, how does the user authenticate the first time?

Seems it’s a key question. I’ve played with some auth methods of IIS, and found out the SSO between IIS and SonarQube is working as expected, and my issue lies in the ability to send creds to IIS in general.

Briefly (perhaps it might be useful for others), there are some auth methods we can use in IIS:

  • Basic Authentication in IIS - SSO works: your creds are accepted by IIS and redirected to SonarQube. However, you must enter your creds at least the first time, before you enter the SonarQube web interface. And there is no way to use your Windows session’s creds. So that’s not a solution; you can use it only to ensure that you’ve configured SonarQube the right way.
  • Windows Authentication - it’s able to apply your current Windows session’s creds, but it is unable to redirect them through a reverse proxy. Thus, SSO can’t work here.
  • Digest Authentication - theoretically it should work. It can authenticate the user in a similar way to Windows Authentication; however, it can also pass credential information through proxies. But to make it work, it requires a lot of changes in Active Directory. I haven’t tested that yet.

Anyway, thank you for the answers, the puzzle has become a little clearer.