I have configured an enterprise app as described in:
However, I get this error when attempting to sign in with SAML (SSO) enabled, using a Microsoft Account. My test account is allowed to authenticate in the Enterprise App settings:
You're not authorized to access this page. Please contact the administrator.
Reason: The response was received at http://127.0.0.1:9000/oauth2/callback/saml instead of https://MyPublicDomainName/oauth2/callback/saml
ProxyRequests Off
ProxyPreserveHost On
<VirtualHost *:80>
ServerName www.public_sonar.com
ServerAdmin admin@somecompany.com
ProxyPass / http://private_sonar_host:sonar_port/
ProxyPassReverse / http://www.public_sonar.com/
ErrorLog logs/somecompany/sonar/error.log
CustomLog logs/somecompany/sonar/access.log common
</VirtualHost>
These VirtualHost sections are actually defined in the conf/extra/httpd-vhosts.conf file. Should this be the correct config file? If so, what will be the document root path for the SonarQube web app? /opt/bitnami/apache/htdocs?
I have also found the ProxyPassReverse property in these files:
Where should the ProxyPassReverse properties be defined? I have tried adding MyPublicDomainName to the sonarqube-https-vhost.conf & sonarqube-vhost.conf files and I still get the same error:
You're not authorized to access this page. Please contact the administrator.
Reason: The response was received at http://127.0.0.1:9000/oauth2/callback/saml instead of https://MyPublicDomainName/oauth2/callback/saml
I’m certainly no SAML expert, and this probably won’t solve the entire problem. But…
I’m struck by this:
Have you configured your Administration → (General →) Server base URL? It looks like this is defaulting to localhost, which is what happens for a lot of stuff when Server base URL isn’t configured.
Yes, the Server base URL is configured, it has even populated the server variable in the error message with this name. For obvious security reasons, I will refer to it as “https://MyPublicDomainName/”
/opt/bitnami/apache2/conf/vhosts$ cat sonarqube-vhost.conf
<VirtualHost 127.0.0.1:80 _default_:80>
ServerAlias *
# BEGIN: Configuration for letsencrypt
Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
# END: Configuration for letsencrypt
# BEGIN: Support domain renewal when using mod_proxy without Location
<IfModule mod_proxy.c>
ProxyPass /.well-known !
</IfModule>
# END: Support domain renewal when using mod_proxy without Location
# BEGIN: Enable HTTP to HTTPS redirection
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^localhost
RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
# END: Enable HTTP to HTTPS redirection
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
# BEGIN: Support domain renewal when using mod_proxy within Location
<Location /.well-known>
<IfModule mod_proxy.c>
ProxyPass !
</IfModule>
</Location>
# END: Support domain renewal when using mod_proxy within Location
</VirtualHost>
/opt/bitnami/apache2/conf/vhosts$ cat sonarqube-https-vhost.conf
<VirtualHost 127.0.0.1:443 _default_:443>
ServerAlias *
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache/conf/MyPublicDomainName.crt"
SSLCertificateKeyFile "/opt/bitnami/apache/conf/MyPublicDomainName.key"
# BEGIN: Configuration for letsencrypt
Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
# END: Configuration for letsencrypt
# BEGIN: Support domain renewal when using mod_proxy without Location
<IfModule mod_proxy.c>
ProxyPass /.well-known !
</IfModule>
# END: Support domain renewal when using mod_proxy without Location
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
# BEGIN: Support domain renewal when using mod_proxy within Location
<Location /.well-known>
<IfModule mod_proxy.c>
ProxyPass !
</IfModule>
</Location>
# END: Support domain renewal when using mod_proxy within Location
</VirtualHost>
cat /opt/bitnami/apache2/conf/bitnami/bitnami.conf
# Default Virtual Host configuration.
# Let Apache know we're behind a SSL reverse proxy
SetEnvIf X-Forwarded-Proto https HTTPS=on
<VirtualHost _default_:80>
DocumentRoot "/opt/bitnami/apache/htdocs"
# BEGIN: Configuration for letsencrypt
Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
# END: Configuration for letsencrypt
# BEGIN: Support domain renewal when using mod_proxy without Location
<IfModule mod_proxy.c>
ProxyPass /.well-known !
</IfModule>
# END: Support domain renewal when using mod_proxy without Location
# BEGIN: Enable HTTP to HTTPS redirection
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^localhost
RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
# END: Enable HTTP to HTTPS redirection
<Directory "/opt/bitnami/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# Error Documents
ErrorDocument 503 /503.html
# BEGIN: Support domain renewal when using mod_proxy within Location
<Location /.well-known>
<IfModule mod_proxy.c>
ProxyPass !
</IfModule>
</Location>
# END: Support domain renewal when using mod_proxy within Location
</VirtualHost>
Include "/opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf"
The SonarQube web app is otherwise functional using the public domain name (https://MyPublicDomainName/). The error occurs after enabling SAML (the SSO setting in SonarQube); it authenticates correctly with Azure AD.
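Added example, not part of the thread and not SonarQube or Bitnami code: a small model of the SAML destination check behind the reverse proxy shown above, reproducing the error text from the first post. It assumes the backend rebuilds its own URL from the Host header and X-Forwarded-Proto; all function names are hypothetical.

```python
# Added illustration: model of a SAML destination check behind a reverse proxy.
# Assumption: the backend derives "where was I called" from the Host header and
# X-Forwarded-Proto. Function names are hypothetical, not a real API.

BACKEND = "127.0.0.1:9000"          # ProxyPass target from the vhost files
PUBLIC_HOST = "MyPublicDomainName"  # placeholder used in the thread
CALLBACK = "/oauth2/callback/saml"
DESTINATION = f"https://{PUBLIC_HOST}{CALLBACK}"  # Destination in the IdP response


def proxy_headers(preserve_host: bool, set_forwarded_proto: bool) -> dict:
    """Headers the backend sees for a browser POST to https://PUBLIC_HOST."""
    # Without ProxyPreserveHost, mod_proxy sends the ProxyPass target as Host.
    headers = {"Host": PUBLIC_HOST if preserve_host else BACKEND}
    if set_forwarded_proto:
        # Set by the proxy itself, never copied from the client request.
        headers["X-Forwarded-Proto"] = "https"
    return headers


def received_at(headers: dict) -> str:
    """URL the backend believes the SAML response arrived at."""
    # The backend listens on plain HTTP, so "http" is its default scheme.
    scheme = headers.get("X-Forwarded-Proto", "http")
    return f"{scheme}://{headers['Host']}{CALLBACK}"


def check_destination(headers: dict, destination: str = DESTINATION):
    """Return None when the URLs match, otherwise the rejection reason."""
    seen = received_at(headers)
    if seen == destination:
        return None
    return f"The response was received at {seen} instead of {destination}"


def run_cases() -> dict:
    cases = {
        "neither directive": proxy_headers(False, False),
        "ProxyPreserveHost On only": proxy_headers(True, False),
        "ProxyPreserveHost On + X-Forwarded-Proto": proxy_headers(True, True),
    }
    return {name: check_destination(h) for name, h in cases.items()}


if __name__ == "__main__":
    for name, reason in run_cases().items():
        print(f"{name}: {reason or 'destination matches'}")
```

In Apache terms the two switches correspond to `ProxyPreserveHost On` and `RequestHeader set X-Forwarded-Proto "https"` (mod_headers) in the HTTPS vhost. The destination check itself is a protection against a response being delivered to the wrong endpoint, so the fix belongs in the proxy headers rather than in relaxing the check.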