Unable to Configure Azure SSO with SonarQube (AWS Marketplace)

Hi there,

I have configured an enterprise app as described in:

However, I get this error when attempting to sign in with SAML enabled (SSO) using a Microsoft Account. My test account is allowed to authenticate in the Enterprise App settings:

You're not authorized to access this page. Please contact the administrator.

Reason: The response was received at http://127.0.0.1:9000/oauth2/callback/saml instead of https://MyPublicDomainName/oauth2/callback/saml

SonarQube v 8.9.3.48735

I have reviewed this section of the guide (Operating the Server | SonarQube Docs). However, this is editing the httpd.conf file directly:

ProxyRequests Off
ProxyPreserveHost On
<VirtualHost *:80>
  ServerName www.public_sonar.com
  ServerAdmin admin@somecompany.com
  ProxyPass / http://private_sonar_host:sonar_port/
  ProxyPassReverse / http://www.public_sonar.com/
  ErrorLog logs/somecompany/sonar/error.log
  CustomLog logs/somecompany/sonar/access.log common
</VirtualHost>

These VirtualHost sections are actually defined in the conf/extra/httpd-vhosts.conf file. Should this be the correct config file? If so, what will be the document root path for the SonarQube web app? /opt/bitnami/apache/htdocs?

I have also found the ProxyPassReverse property in these files:

/opt/bitnami/apache2/conf/vhosts/sonarqube-https-vhost.conf
/opt/bitnami/apache2/conf/vhosts/sonarqube-vhost.conf

Where should the ProxyPassReverse properties be defined? I have tried adding MyPublicDomainName to the sonarqube-https-vhost.conf & sonarqube-vhost.conf files and I still get the same error:

You're not authorized to access this page. Please contact the administrator.

Reason: The response was received at http://127.0.0.1:9000/oauth2/callback/saml instead of https://MyPublicDomainName/oauth2/callback/saml

I’ve also followed this guide to no avail:

https://docs.bitnami.com/general/apps/sonarqube/administration/use-single-domain/

Any ideas?

Much appreciated.

Hi,

I’m certainly no SAML expert, and this probably won’t solve the entire problem. But…

I’m struck by this:

Have you configured your Administration → (General →) Server base URL? It looks like this is defaulting to localhost, which is what happens for a lot of stuff when Server base URL isn’t configured.

 
Ann

Hi Ann,

Yes, the Server base URL is configured; it has even populated the server variable in the error message with this name. For obvious security reasons, I will refer to it as “https://MyPublicDomainName/”.

It appears to use the Bitnami config files according to: Access an application using only a single domain with Apache

This is how the vhosts files look:

/opt/bitnami/apache2/conf/vhosts$ cat sonarqube-vhost.conf
<VirtualHost 127.0.0.1:80 _default_:80>
  ServerAlias *
  # BEGIN: Configuration for letsencrypt
  Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
  # END: Configuration for letsencrypt
  # BEGIN: Support domain renewal when using mod_proxy without Location
  <IfModule mod_proxy.c>
    ProxyPass /.well-known !
  </IfModule>
  # END: Support domain renewal when using mod_proxy without Location
  # BEGIN: Enable HTTP to HTTPS redirection
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} !^localhost
  RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
  RewriteCond %{REQUEST_URI} !^/\.well-known
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
  # END: Enable HTTP to HTTPS redirection
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/
  # BEGIN: Support domain renewal when using mod_proxy within Location
  <Location /.well-known>
    <IfModule mod_proxy.c>
      ProxyPass !
    </IfModule>
  </Location>
  # END: Support domain renewal when using mod_proxy within Location
</VirtualHost>

/opt/bitnami/apache2/conf/vhosts$ cat sonarqube-https-vhost.conf
<VirtualHost 127.0.0.1:443 _default_:443>
  ServerAlias *
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache/conf/MyPublicDomainName.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache/conf/MyPublicDomainName.key"
  # BEGIN: Configuration for letsencrypt
  Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
  # END: Configuration for letsencrypt
  # BEGIN: Support domain renewal when using mod_proxy without Location
  <IfModule mod_proxy.c>
    ProxyPass /.well-known !
  </IfModule>
  # END: Support domain renewal when using mod_proxy without Location
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/
  # BEGIN: Support domain renewal when using mod_proxy within Location
  <Location /.well-known>
    <IfModule mod_proxy.c>
      ProxyPass !
    </IfModule>
  </Location>
  # END: Support domain renewal when using mod_proxy within Location
</VirtualHost>

cat /opt/bitnami/apache2/conf/bitnami/bitnami.conf
# Default Virtual Host configuration.

# Let Apache know we're behind a SSL reverse proxy
SetEnvIf X-Forwarded-Proto https HTTPS=on

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache/htdocs"
  # BEGIN: Configuration for letsencrypt
  Include "/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf"
  # END: Configuration for letsencrypt
  # BEGIN: Support domain renewal when using mod_proxy without Location
  <IfModule mod_proxy.c>
    ProxyPass /.well-known !
  </IfModule>
  # END: Support domain renewal when using mod_proxy without Location
  # BEGIN: Enable HTTP to HTTPS redirection
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} !^localhost
  RewriteCond %{HTTP_HOST} !^[0-9]+.[0-9]+.[0-9]+.[0-9]+(:[0-9]+)?$
  RewriteCond %{REQUEST_URI} !^/\.well-known
  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
  # END: Enable HTTP to HTTPS redirection
  <Directory "/opt/bitnami/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html
  # BEGIN: Support domain renewal when using mod_proxy within Location
  <Location /.well-known>
    <IfModule mod_proxy.c>
      ProxyPass !
    </IfModule>
  </Location>
  # END: Support domain renewal when using mod_proxy within Location
</VirtualHost>

Include "/opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf"

The SonarQube web app is otherwise functional using the public domain name (https://MyPublicDomainName/); the error occurs after enabling the SAML (SSO setting in SonarQube) - it authenticates correctly with Azure AD.

Thanks
K
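
The following is an added example, not part of the original posts and not SonarQube or Bitnami code. It is a simplified model of how a backend behind Apache mod_proxy reconstructs the URL a SAML response arrived at, and why that can differ from the Destination the identity provider signed. Assumptions: the backend builds the URL from the Host header and X-Forwarded-Proto, the vhost text is a constructed excerpt of the HTTPS vhost posted above, and the second vhost with `ProxyPreserveHost On` and `RequestHeader set X-Forwarded-Proto` is a hypothetical variant for comparison.

```python
import re

# Constructed excerpt: the proxy-related lines of the HTTPS vhost shown in the thread.
VHOST_AS_POSTED = """
<VirtualHost 127.0.0.1:443 _default_:443>
  SSLEngine on
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>
"""

# Hypothetical variant (assumption): same vhost, but the proxy forwards the
# client-facing host and scheme to the backend.
VHOST_FORWARDING = VHOST_AS_POSTED.replace(
    "  ProxyPass /",
    '  ProxyPreserveHost On\n  RequestHeader set X-Forwarded-Proto "https"\n  ProxyPass /',
    1,
)

def directive(vhost, pattern):
    """First match of `pattern` against the non-comment lines of a vhost, else None."""
    for line in vhost.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = re.match(pattern, line, re.I)
            if m:
                return m
    return None

def url_seen_by_backend(vhost, public_host, path):
    """URL the backend reconstructs for a request to https://public_host/path (model)."""
    backend = directive(vhost, r"ProxyPass\s+/\s+(\w+)://([^/\s]+)")
    preserve = directive(vhost, r"ProxyPreserveHost\s+On\b")
    fwd_proto = directive(vhost, r'RequestHeader\s+set\s+X-Forwarded-Proto\s+"?(\w+)')
    # Without ProxyPreserveHost, mod_proxy sends the ProxyPass target as the Host header.
    host = public_host if preserve else backend.group(2)
    # Without a forwarded scheme, the backend only sees its own plain-HTTP connection.
    scheme = fwd_proto.group(1) if fwd_proto else backend.group(1)
    return f"{scheme}://{host}{path}"

def destination_check(received_at, destination):
    """SAML Destination check: None when the URLs match, else the rejection reason."""
    if received_at == destination:
        return None
    return f"The response was received at {received_at} instead of {destination}"

if __name__ == "__main__":
    acs = "/oauth2/callback/saml"
    for name, vhost in (("as posted", VHOST_AS_POSTED), ("forwarding", VHOST_FORWARDING)):
        seen = url_seen_by_backend(vhost, "MyPublicDomainName", acs)
        print(name, "->", destination_check(seen, "https://MyPublicDomainName" + acs) or "accepted")
```

Under this model the Server base URL setting only determines the Destination the identity provider is asked to use; the "received at" side comes from the headers the proxy passes on.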