Unable to login using SAML (CSRF state value is invalid)

Hi,

I’m doing a test where I’m switching Sonar from LDAP to SAML, however SAML authentication is not working and it’s driving me crazy :slight_smile:

The error i’m getting is: DEBUG web[AZHW/vlus4sveQHZAADF][auth.event] login failure [cause|CSRF state value is invalid][method|OAUTH2][provider|EXTERNAL|SSO_test][IP|10.175.5.55|][login|]

In web.log I can see Sonar receiving and parsing the response from the provider (it even says “SAMLResponse validated”) and I can see correctly populated attributes.

Relevant details:

  • Sonar version: 9.9.4
  • At first I was using Nginx as a reverse proxy; after removing it (and re-configuring the provider) the end result was the same…
  • all SAML values match (Sonar vs provider)
  • callback URL is set to http://100.76.202.140:9898/sandbox/oauth2/callback/saml
  • I’ve used the same provider successfully for Jenkins and Artifactory instances

Any tips on how to debug this?

Thanks,
Mihai

Hey there.

Sometimes the “true” error lies right before CSRF state value is invalid, and can be found in the logs (specifically web.log).

That happened in this thread (the real issue was idp_cert_or_fingerprint_not_found_and_required)

Do you see anything else in the logs?

Thanks, @Colin.

After numerous attempts, something strange happened — just once, and only once, the error changed to Cookie ‘OAUTHSTATE’ is missing — now that was an error I recognized. :blush:

After tweaking the identity provider to enable service-initiated SSO, I was finally able to log in successfully!

What was odd, though, was that 99% of the time, I kept encountering the same ambiguous “CSRF state value is invalid” error. I was lucky that, in the end, the real issue revealed itself!

Thanks!
Mihai
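The two errors in this thread (“CSRF state value is invalid” and “Cookie ‘OAUTHSTATE’ is missing”) come from the same anti-CSRF check that an SP-initiated flow relies on: the service provider mints a random state when it starts the login, keeps a copy in a browser cookie, and compares the two when the identity provider posts the response back. An IdP-initiated login never passes through the SP’s login endpoint, so the cookie and the matching RelayState are absent. The following is an added, simplified model of that check, not SonarQube’s own code; the cookie name `OAUTHSTATE` is taken from the error message quoted above, while the hashing of the state into the cookie and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Cookie name taken from the error message quoted in the thread; the rest of
# this model (fingerprinting, function names) is an illustrative assumption.
STATE_COOKIE = "OAUTHSTATE"


def _fingerprint(state: str) -> str:
    """Store only a digest of the state in the cookie (assumed design)."""
    return hashlib.sha256(state.encode()).hexdigest()


def start_sp_initiated_login():
    """SP starts the flow: mint a random state, bind its fingerprint to the
    browser via a cookie, and send the state itself to the IdP as RelayState.
    Returns (relay_state, cookies) as they would leave the SP."""
    state = secrets.token_urlsafe(32)
    cookies = {STATE_COOKIE: _fingerprint(state)}
    return state, cookies


def verify_callback(relay_state, cookies) -> str:
    """Callback-side check. Returns 'ok' or a message matching the two
    failure modes seen in the thread."""
    cookie = cookies.get(STATE_COOKIE)
    if cookie is None:
        # Browser never visited the SP login endpoint (e.g. IdP-initiated SSO),
        # or the cookie was dropped on the way back.
        return "Cookie 'OAUTHSTATE' is missing"
    if not relay_state or not hmac.compare_digest(_fingerprint(relay_state), cookie):
        # Cookie present but RelayState absent or from a different attempt.
        return "CSRF state value is invalid"
    return "ok"


def simulate_sp_initiated() -> str:
    """Normal SP-initiated flow: IdP echoes RelayState, browser sends cookie."""
    relay_state, cookies = start_sp_initiated_login()
    return verify_callback(relay_state, cookies)


def simulate_idp_initiated_fresh_browser() -> str:
    """User clicks the app tile at the IdP; SP was never contacted first."""
    return verify_callback(None, {})


def simulate_idp_initiated_stale_cookie() -> str:
    """An earlier SP-initiated attempt left a cookie, but the IdP-initiated
    POST carries no matching RelayState: the ambiguous CSRF error."""
    _, cookies = start_sp_initiated_login()
    return verify_callback(None, cookies)


if __name__ == "__main__":
    print("SP-initiated:               ", simulate_sp_initiated())
    print("IdP-initiated, fresh browser:", simulate_idp_initiated_fresh_browser())
    print("IdP-initiated, stale cookie: ", simulate_idp_initiated_stale_cookie())
```

The stale-cookie case is why the missing-cookie message showed up only once: whether the failing IdP-initiated response is reported as a missing cookie or an invalid state depends on whether a leftover cookie from a previous attempt is still in the browser, so the less specific message is the one usually seen. Switching the provider to SP-initiated SSO, as described above, makes every callback arrive with a RelayState that matches the cookie.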
