Upgrade SonarQube on Windows NT from 7.9.6 LTS to 8.9.8 LTS using PingFederate as SAML provider fails

Hello,

We are using SonarQube 7.9.6 with SAML using PingFederate on an on-prem Windows NT Server, with no load balancer, IIS and an MS SQL database. This works fine in 7.9.6.
When we upgraded to 8.9.8 we get the following error:

You’re not authorized to access this page. Please contact the administrator.

Reason: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn’t match a valid Recipient

We have confirmed the SubjectConfirmationData looks good and the reverse proxy setting in the IIS server is also good.
We have tried this setting

Please help
Murali

Hi Murali,

Welcome to the community!

Unfortunately, we are not SAML experts. What I can tell you is that the guide you referenced relates to mismatching URLs & my searches seem to tie the error message you’re getting to… mismatching URLs.

So I can only urge you to take another look to see that everything matches up like it should.

I know this isn’t terribly helpful.

 
:frowning:
Ann

Thanks Ann,

So starting 8.x there are no 3rd party SAML plug-ins in the marketplace available - correct?

We did try one from miniOrange but that has a different set of issues, like creating users with a 5-digit number suffix.

M K Muralidhar

Hi,

Starting with 8.x there are no SonarSource plugins in the Marketplace; all our functionality is bundled now. I do still see an AAD auth plugin in there, although it’s not clear to me that it’s still actively maintained.

 
Ann

Hello Ann,
Thank you for your response. I tried all the suggestions in the documentation but no luck.
The POST response has the following XML block

   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sonarqube.coname.com/oauth2/callback/saml" NotOnOrAfter="2022-07-16T19:09:16.738Z" InResponseTo="ONELOGIN_e9bf1838-8ebf-43e0-b10f-29f07e00948f"></saml:SubjectConfirmationData>
   </saml:SubjectConfirmation>

where the recipient matches the GET

AssertionConsumerServiceURL="https://sonarqube.coname.com/oauth2/callback/saml">

so the error
Reason: A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData doesn’t match a valid Recipient

The above does not make sense to me and there is no further information in the logs.

We are using PingFederate as our IDP. This worked fine on version 7.9.6, but failed when upgraded to 8.9.8

Any suggestions to fix this will be of great help.

Murali
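
A diagnostic for the "mismatching URLs" case discussed in this thread, added as an example; it is not part of the original posts and not SonarQube's own code. It assumes the service provider compares `Recipient` as an exact string against the callback URL it reconstructs from the request it receives behind the reverse proxy; the function names are hypothetical and it does not validate signatures.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SCD_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}SubjectConfirmationData"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the SubjectConfirmation block from the post, wrapped in
# a minimal <saml:Subject> so that it parses as a stand-alone document.
SAMPLE = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData
    Recipient="https://sonarqube.coname.com/oauth2/callback/saml"
    NotOnOrAfter="2022-07-16T19:09:16.738Z"
    InResponseTo="ONELOGIN_e9bf1838-8ebf-43e0-b10f-29f07e00948f"/>
 </saml:SubjectConfirmation>
</saml:Subject>"""


def recipients(xml_text):
    """Every Recipient attribute found on SubjectConfirmationData elements."""
    root = ET.fromstring(xml_text)
    return [n.get("Recipient") for n in root.iter(SCD_TAG) if n.get("Recipient")]


def url_parts(url):
    """Split a URL into the components a reverse proxy can change."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return {"scheme": scheme, "host": (u.hostname or "").lower(),
            "port": u.port or DEFAULT_PORTS.get(scheme), "path": u.path}


def recipient_mismatches(xml_text, sp_url):
    """Map each Recipient to the URL components that differ from sp_url.

    sp_url is the callback URL as the application sees it (assumption: the
    check is an exact string comparison against that URL). An empty list
    means an exact match; ["literal"] means the components agree but the
    strings differ, e.g. an explicit default port.
    """
    seen, report = url_parts(sp_url), {}
    for rcpt in recipients(xml_text):
        want = url_parts(rcpt)
        diffs = [k for k in want if want[k] != seen[k]]
        report[rcpt] = [] if rcpt == sp_url else (diffs or ["literal"])
    return report
```

Pass the decoded SAML response and the URL the backend logs or derives for the callback request, for instance an `http://` URL when TLS ends at the proxy; any non-empty list names the component to correct.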

Hi Murali,

Sorry, but everything I would have for you I would pull out of the guide you started by citing.

 
:woman_shrugging:
Ann