Unauthorized error from SonarQube while login using SSO

Hi,
Need help urgently…
I have SonarQube 7.9.2,
DB: PostgreSQL 6.9.11
Frontend server: Apache httpd.

I have upgraded my SonarQube from 7.9.2 to 7.9.4 LTS and updated the DB user name, password and location as below in the properties file:

sonar.jdbc.username=XX
sonar.jdbc.password=XX
sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube

After all these settings, the SonarQube and httpd services are up, but I am getting an unauthorized error when logging in to the SonarQube dashboard.
When I comment out “sonar.jdbc.url”, I’m able to log in with the default id and password, but after enabling the JDBC URL again I get the same issue.

Can you please help me?

Hello @Rahul_Das,

I highly suspect that your problem is not linked at all to your JDBC URL (by the way, I suppose that you run Postgres 9.6 and not 6.9…).
Since you also mention SSO, I suspect this is due to your SAML SSO. Can you confirm that you use SAML?

Olivier

Hey @OlivierK ,
Sorry for the typo. Yes, it is 9.6 and I am using SAML.

Hello,

That is what I suspected. Between 7.9.2 and 7.9.4 we implemented a change in our SAML integration, after a vulnerability was reported to us.
The general idea of the change is that SonarQube now validates the SAML responses from the SAML server much more thoroughly. See https://jira.sonarsource.com/browse/SONAR-13328

Fixing the vulnerability was definitely necessary, but it did not always help customers with quite “relaxed” integrations. There are now many things validated in responses, and therefore many possibilities for it to not work. You can find several different SAML difficulties faced by users after upgrading to 7.9.4 or 8.4, in general with their solutions.
I suggest that you have a look at these, and if you believe that your problem is different, or you cannot fix it somehow, get back to me and attach a zip of your <SONARQUBE_HOME>/logs directory for investigation on my side.

Olivier

Hi @OlivierK,
I will check with the SAML team what settings (such as application ID, certificates, etc.) they have done from their side. I will keep you posted.

Hi @OlivierK,
Initially I was facing an error where the callback URL was http://sonarurl:port/oauth2/callback/saml instead of https://sonarurl:port/oauth2/callback/saml, but I fixed that by adding
RequestHeader set X-Forwarded-Proto https in the Apache (acting as proxy server) config.
After that I was facing the issue that sonarqube is not a valid audience for this response. Here sonarqube is the SAML application ID from the previous version. Then I checked the web.log (SonarQube) and found the SAML response in XML format. Then I looked at what is mentioned in the SAML audience:
*** <saml:AudienceRestriction><saml:Audience>https://sonarqurl:port</saml:Audience></saml:AudienceRestriction> ***
and I put the same thing in the SAML settings in the SQ dashboard security settings. Then, after restarting the service, it seems to be working.
I will check with my other teammates whether they face any issue or not. I will confirm by next week.
My understanding from this issue as of now is that in the previous version the SAML Application ID was not a mandatory field, whereas in newer versions like 7.9.4 or 8.4 it is mandatory, along with the HTTPS header.
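As an added diagnostic (not code from SonarSource or from any post in this thread): a small Python script that pulls the Audience values out of a SAML response copied from web.log and checks whether the Application ID configured in SonarQube's SAML settings is among them, which is the comparison behind the "not valid audience" error above. The sample response is constructed and reduced to the Conditions block; the exact-match rule is assumed to mirror SonarQube's check.

```python
import xml.etree.ElementTree as ET
from typing import List

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: a SAML response reduced to the Conditions block, carrying the
# Audience value quoted in the post above. Signature, Subject and attributes are omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sonarqurl:port</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_audiences(response_xml: str) -> List[str]:
    """Return every <saml:Audience> value in the response, in document order."""
    root = ET.fromstring(response_xml)
    path = ".//saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.iterfind(path, SAML_NS) if a.text]


def audience_matches(response_xml: str, application_id: str) -> bool:
    """Exact string comparison (assumed to mirror SonarQube's check): no case folding, no slash trimming."""
    return application_id in extract_audiences(response_xml)


def diagnose(response_xml: str, application_id: str) -> str:
    """Explain a mismatch the way an operator reading web.log would want it explained."""
    audiences = extract_audiences(response_xml)
    if not audiences:
        return "response carries no AudienceRestriction; check the IdP application settings"
    if application_id in audiences:
        return "ok: configured Application ID matches the asserted Audience"
    near = [a for a in audiences
            if a.rstrip("/").lower() == application_id.rstrip("/").lower()]
    if near:
        return f"near miss: '{application_id}' differs from '{near[0]}' only by case or trailing slash"
    return f"mismatch: configured '{application_id}', response asserts {audiences}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE, "sonarqube"))               # the pre-7.9.4 Application ID
    print(diagnose(SAMPLE_RESPONSE, "https://sonarqurl:port"))  # value copied from web.log
```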

Well done! :+1:

Great! :grinning:

Sure

The issue has been resolved. Everyone is able to log in using Okta. Thanks @OlivierK for your support. I really appreciate your help.