Update 11.7.2019: This works with 7.9.x as well.
I recently set up SonarQube 7.8 in a pure Windows environment running on a Windows 2019 server with an IIS reverse proxy for SSL off-loading. Authentication was set up via Microsoft ADFS.
This took some time to piece together so I thought I’d share my setup here.
Step 0: Set up the prerequisites
First install Chocolatey: https://chocolatey.org/install
Then use choco to install the packages that are required and according to your preference.
You can use the Azul Zulu OpenJDK 11 distribution instead of the Oracle JDK.
choco feature enable -n=allowGlobalConfirmation
choco install unzip
choco install glogg
choco install vscode
choco install hashcheck
choco install wget
choco install md5sums
choco install zulu11
You can use choco to install any other packages you like and keep them updated.
Install IIS on your server from an elevated PowerShell shell:
Install-WindowsFeature -name Web-Server -IncludeManagementTools
Step 1: Set up SonarQube
Download the latest release and verify the checksum. You can find the latest zip file (community edition) and the corresponding .md5 and .sha files here:
Or just paste this into a command prompt window:
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.8.zip
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.8.zip.sha
Verify packages with checksums or GPG
Verify that the file is not corrupted by right-clicking and selecting Properties. Assuming you have installed the HashCheck extension with choco, switch over to the Checksums tab and paste in the value from the .sha file to check if it matches your local copy:
There are no SHA or MD5 checksum files provided with the developer edition, only a PGP signature. You can verify your developer edition packages (and other licensed editions) with the following:
choco install gnupg-modern
wget https://binaries.sonarsource.com/sonarsource-public.key
gpg --import sonarsource-public.key
gpg --verify sonarqube-developer-7.8.zip.asc
Install the service
You can set SonarQube up quickly by unzipping it and running the .bat file that installs the service, have a quick look here:
If you are running in a production environment you may want to configure a proper database.
Tail the logs
After SonarQube is up start glogg to view the log files, press F to tail the log:
Step 2: Configure IIS
I set up two websites in IIS, one for redirects from HTTP to HTTPS and one for the reverse proxy.
Configure redirect from HTTP to HTTPS
Delete the default site (you don’t need it) and create a new site pointing to an empty document root. Bind it only to HTTP on port 80:
Then set it to redirect all requests to your HTTPS URL:
Configure the reverse proxy
Verify that SonarQube is up and running and is available on http://localhost:9000
You need a trusted certificate for your IIS site for everything to work correctly with ADFS. In my lab I set up Active Directory Certificate Services and generated a CA signed cert for my site.
I used the Digicert Certificate Utility to create a CSR for the lab website. Make sure you include the website name in the SAN list as well.
If you have an Internet facing host you can use Let’s Encrypt.
There are many client implementations you can choose from that work on Windows.
I have used the win-acme client for other projects and it works great.
Configure your site to listen only to HTTPS:
I also enabled “Require SSL” under SSL Settings but this is probably not needed:
Configure the modules
🎁 Important: Disable the feature “Reverse rewrite host in response headers” under the ARR feature settings:
You need to add two server variables for the site: ORIGINAL_URL and X_FORWARDED_PROTO. Add them by opening up the URL Rewrite feature for your HTTPS site and clicking on “View Server Variables…”:
Find and edit your web.config file for the configured HTTPS website and make sure it includes the following rewrite rules. You need to update the hostname to match yours:
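As an added example (not the author's own web.config, which is not reproduced in this post), a PowerShell script that writes a web.config containing one reverse-proxy rule that sets both server variables; it assumes the site's physical path C:\inetpub\sonarqube, the public hostname sonarqube.lab.local used later in this post, and SonarQube listening on http://localhost:9000.

```powershell
# Added example, not the author's configuration. Assumed values: site root, public hostname.
$sitePath   = 'C:\inetpub\sonarqube'
$publicHost = 'sonarqube.lab.local'
$hostPattern = [regex]::Escape($publicHost)   # so the "." in the hostname is matched literally

$webConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Only proxy requests that arrive for the public hostname. Requests with any
             other Host header fall through to IIS instead of reaching SonarQube. -->
        <rule name="ReverseProxyToSonarQube" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^$hostPattern$" />
          </conditions>
          <serverVariables>
            <!-- Both names must already be allowed under "View Server Variables..."
                 for the site, otherwise URL Rewrite refuses to set them. -->
            <set name="X_FORWARDED_PROTO" value="https" />
            <set name="ORIGINAL_URL" value="{HTTP_HOST}" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:9000/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"@

# Write the file into the HTTPS site's document root; IIS picks it up without a restart.
Set-Content -Path (Join-Path $sitePath 'web.config') -Value $webConfig -Encoding UTF8
```

X_FORWARDED_PROTO is what lets SonarQube build https:// URLs (for example the SAML callback) even though it only sees plain HTTP from the proxy.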
Verify that your URL Rewrite feature has the two new rules, you might need to reload your site:
You should be able to access your SonarQube instance through the reverse proxy now.
Step 3: Configure ADFS
Open AD FS Management and right-click on “Relying Party Trusts” and then click “Add Relying Party Trust…”
Select “Claims aware” and click Start:
Select “Enter data about the relying party manually” and click Next:
Enter any “Display name” you like, for example “SonarQube”. Click next.
Skip the certificate by clicking Next:
Check the “Enable support for the SAML 2.0 WebSSO protocol” box and type in the URL to your server, keeping the path (/oauth2/callback/saml):
I used the URL to my SonarQube server as the identifier:
On the next screen you can restrict access. In my lab setup I used “Permit everyone”.
Review your settings and finish:
Claim Issuance Policy for SonarQube:
💊 Note: For some reason I had to re-open these settings because it was not possible to select “Active Directory” as the Attribute store right after creating the relying party trust.
This is how the rules should look:
ADFS config should now be complete.
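As an added example that is not part of the original post, the same relying party trust created with the ADFS PowerShell cmdlets instead of the wizard; it assumes the identifier https://sonarqube.lab.local from Step 4 and issues the UPN claim (the login attribute used in Step 4) plus display name and mail, which go beyond what the post configures and can be dropped.

```powershell
# Added example, not the author's configuration. Run on the ADFS server as an ADFS admin.
Import-Module ADFS

$sonarUrl = 'https://sonarqube.lab.local'   # assumed: same value as the Application ID in Step 4

# SAML 2.0 WebSSO endpoint, keeping the /oauth2/callback/saml path from the wizard step.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "$sonarUrl/oauth2/callback/saml"

# Issuance transform rule (claim rule language): look the authenticated user up in
# Active Directory and issue UPN, display name and mail as claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SonarQube attributes from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,displayName,mail;{0}", param = c.Value);
'@

# "Permit everyone" is the same access control policy chosen in the wizard above;
# swap in a group-restricted policy for anything beyond a lab.
Add-AdfsRelyingPartyTrust -Name 'SonarQube' `
    -Identifier $sonarUrl `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -AccessControlPolicyName 'Permit everyone'

# Check what was created.
Get-AdfsRelyingPartyTrust -Name 'SonarQube' |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```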
Step 4: Configure SonarQube
Start by setting your base server URL to your HTTPS URL, it’s under General Settings > General:
You may have to install the SAML module from the Marketplace before going further.
Open https://<your-sonarqube-server-hostname>/admin/settings?category=saml and set the following options:
Application ID: https://sonarqube.lab.local (match the ID in ADFS)
Provider Name: Lab_SAML (can be anything)
Provider ID: http://fs.lab.local/adfs/services/trust
Must match the entityID value found in the ADFS metadata:
You can find the metadata XML file at https://<your-adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml
SAML login URL: https://fs.lab.local/adfs/ls/IdpInitiatedSignOn.aspx
Provider certificate: Paste in the value (single line, starts with MII… not the header or footer) from the Base64 export of the signing certificate. Click View Certificate > Details > Copy To File… > Next > Base-64
SAML user login attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
SAML user name attribute:
SAML user email attribute:
SAML group attribute:
Here are screenshots of how your SAML configuration should look:
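As an added example (not from the original post), a PowerShell snippet that pulls the Provider ID, the SingleSignOnService location and the single-line Base64 signing certificate out of the ADFS federation metadata, assuming the fs.lab.local hostname used above; the post itself uses the IdpInitiatedSignOn.aspx URL as the login URL, the metadata location is printed for comparison.

```powershell
# Added example, not the author's code. Assumed: ADFS hostname fs.lab.local.
$adfsHost    = 'fs.lab.local'
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Provider ID = entityID attribute of the root EntityDescriptor.
$providerId = $md.EntityDescriptor.entityID

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# SP-initiated sign-on location advertised by the IdP (HTTP-Redirect binding).
$sso = $md.SelectSingleNode(
    '//md:IDPSSODescriptor/md:SingleSignOnService[@Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]',
    $ns).GetAttribute('Location')

# Signing certificate(s) as single-line Base64 without BEGIN/END header or footer,
# which is the format the "Provider certificate" field expects.
$signingCerts = $md.SelectNodes(
    '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate',
    $ns) | ForEach-Object { $_.InnerText -replace '\s', '' }

"Provider ID:            $providerId"
"SingleSignOnService:    $sso"
foreach ($b64 in $signingCerts) {
    # Decode so you can compare subject and thumbprint with AD FS Management. ADFS
    # automatic certificate rollover replaces this certificate before NotAfter, and the
    # pasted value in SonarQube must then be updated or logins start failing.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64))
    "Signing cert: {0}  NotAfter={1}  Thumbprint={2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint
    "Provider certificate value:"
    $b64
}
```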
After this you should be able to log in to SonarQube using your Active Directory Federation Services credentials.
I still have some work to do regarding groups, I will update this post when I have figured that out 😊
If you have any problems with your ADFS setup you should start with the diagnostics tool: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-diagnostics-analyzer
If there’s anything I missed please comment to this blog post, I want your feedback.
Or add a reply to this thread: https://community.sonarsource.com/t/guide-sonarqube-7-8-on-iis-with-adfs-saml-2-0-authentication/11052
You can also DM me: https://twitter.com/jakobjs