Configuring SonarQube 7.8 on Windows 2019 with ADFS SAML 2.0 authentication and IIS reverse proxy

Update 11.7.2019: This works with 7.9.x as well.

I recently set up SonarQube 7.8 in a pure Windows environment running on a Windows 2019 server with an IIS reverse proxy for SSL offloading. Authentication was set up via Microsoft ADFS.
This took some time to piece together so I thought I’d share my setup here.

Step 0: Set up the prerequisites

First install Chocolatey: https://chocolatey.org/install
Then use choco to install the required packages plus whatever tools you prefer.
You can use the Azul Zulu OpenJDK 11 distribution instead of the Oracle JDK.

choco feature enable -n=allowGlobalConfirmation
choco install unzip
choco install glogg
choco install vscode
choco install hashcheck
choco install wget
choco install md5sums
choco install zulu11

You can use choco to install any other packages you like and keep them updated.

Install IIS on your server from an elevated PowerShell shell:

Install-WindowsFeature -name Web-Server -IncludeManagementTools

Step 1: Set up SonarQube

Download the latest release and verify the checksum. You can find the latest zip file (community edition) and the corresponding .md5 and .sha files here:
https://binaries.sonarsource.com/Distribution/sonarqube/
Or just paste this into a command prompt window (wget comes from the choco package installed in Step 0):

wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.8.zip
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.8.zip.sha

Verify packages with checksums or GPG

Verify that the file is not corrupted by right-clicking the zip and selecting Properties. Assuming you have installed the HashCheck extension with choco, switch to the Checksums tab and paste in the value from the .sha file to check that it matches your local copy:

There are no SHA or MD5 checksum files for the Developer Edition, only a PGP signature. You can verify Developer Edition packages (and other licensed editions) with the following, run in the folder that holds both the zip and its .asc file; check the key fingerprint gpg prints on import against the one SonarSource publishes before trusting the result:

choco install gnupg-modern
wget https://binaries.sonarsource.com/sonarsource-public.key
gpg --import sonarsource-public.key
gpg --verify sonarqube-developer-7.8.zip.asc

Install the service

You can set SonarQube up quickly by unzipping it and running the .bat file that installs the service, have a quick look here:
https://docs.sonarqube.org/latest/setup/get-started-2-minutes/
If you are running in a production environment you will want to configure a proper database; the embedded H2 database SonarQube starts with is meant for evaluation only.

Tail the logs

After SonarQube is up, start glogg to view the log files and press F to tail the log:
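Here is Step 1 as one script, which is an added example rather than the post's own commands: it downloads the Community Edition archive, checks the digest, checks the PGP signature, installs the Windows service and tails the log. It assumes Windows PowerShell 5.1 run as Administrator, gpg.exe on the PATH (choco install gnupg-modern), that the checksum file is named as in the post (.sha) and that an .asc signature is published next to the Community Edition zip; the download and install folders are my choice.

```powershell
# Added example, not the post's own script: fetch, verify, unpack and install
# SonarQube 7.8 Community Edition as a Windows service, then tail its log.
# Assumptions: Windows PowerShell 5.1 as Administrator; gpg.exe on PATH
# (choco install gnupg-modern); .sha and .asc files exist next to the zip.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'   # Invoke-WebRequest is much faster without the progress bar
$base    = 'https://binaries.sonarsource.com/Distribution/sonarqube'
$zip     = 'sonarqube-7.8.zip'
$work    = 'C:\Downloads'                      # assumption: download folder
$install = 'C:\sonarqube-7.8'                  # assumption: install folder (zip unpacks to C:\)
New-Item -ItemType Directory -Force -Path $work | Out-Null

foreach ($name in @($zip, "$zip.sha", "$zip.asc")) {
    Invoke-WebRequest -Uri "$base/$name" -OutFile (Join-Path $work $name)
}

# 1. Digest check. Pick the algorithm from the digest length, so the same code
#    handles an MD5, SHA-1 or SHA-256 file without guessing which one was published.
$expected  = ((Get-Content (Join-Path $work "$zip.sha") -Raw) -split '\s+')[0].ToLower()
$algorithm = switch ($expected.Length) {
    32      { 'MD5' }
    40      { 'SHA1' }
    64      { 'SHA256' }
    default { throw "Unexpected digest length $($expected.Length) in $zip.sha" }
}
$actual = (Get-FileHash -Path (Join-Path $work $zip) -Algorithm $algorithm).Hash.ToLower()
if ($actual -ne $expected) { throw "$algorithm mismatch: expected $expected, got $actual" }
"$algorithm OK"

# 2. Signature check. A digest served next to the archive only catches corruption;
#    the detached PGP signature ties the file to SonarSource's key. gpg exits
#    non-zero on a bad or missing signature, so treat that as a hard failure.
Invoke-WebRequest -Uri 'https://binaries.sonarsource.com/sonarsource-public.key' -OutFile (Join-Path $work 'sonarsource-public.key')
& gpg --import (Join-Path $work 'sonarsource-public.key')
& gpg --verify (Join-Path $work "$zip.asc") (Join-Path $work $zip)
if ($LASTEXITCODE -ne 0) { throw "PGP signature check failed for $zip" }
"PGP signature OK"

# 3. Unpack and install the service with the scripts SonarQube ships for 64-bit Windows.
Expand-Archive -Path (Join-Path $work $zip) -DestinationPath 'C:\' -Force
& (Join-Path $install 'bin\windows-x86-64\InstallNTService.bat')
& (Join-Path $install 'bin\windows-x86-64\StartNTService.bat')
Get-Service -Name 'SonarQube'

# 4. Tail the main log (Ctrl+C to stop). web.log, ce.log and es.log sit next to it.
Get-Content -Path (Join-Path $install 'logs\sonar.log') -Wait -Tail 20
```

The digest and the signature answer different questions: the digest tells you the download matches what the same server published, the signature tells you SonarSource produced it. Only the second one helps if the mirror or the transport was tampered with.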

Step 2: Configure IIS

I set up two websites in IIS, one for redirects from HTTP to HTTPS and one for the reverse proxy.

Configure redirect from HTTP to HTTPS

Delete the default site (you don’t need it) and create a new site pointing to an empty document root. Bind it only to HTTP on port 80:

Then set it to redirect all requests to your HTTPS URL:

Configure the reverse proxy

Set up all the prerequisite software on IIS, including Application Request Routing and the URL Rewrite modules. You can download each module from the linked sites or use the Web Platform Installer.

Verify that SonarQube is up and running and is available on http://localhost:9000

SSL

You need a trusted certificate for your IIS site for everything to work correctly with ADFS. In my lab I set up Active Directory Certificate Services and generated a CA signed cert for my site.
I used the Digicert Certificate Utility to create a CSR for the lab website. Make sure you include the website name in the SAN list as well.

If you have an Internet facing host you can use Let’s Encrypt.
There are many client implementations you can choose from that work on Windows.
I have used the win-acme client for other projects and it works great.

Configure your site to listen only to HTTPS:

I also enabled “Require SSL” under SSL Settings but this is probably not needed:

Configure the modules

🎁 Important: Disable the feature “Reverse rewrite host in response headers” under the ARR feature settings:

You need to add two server variables for the site: ORIGINAL_URL and X_FORWARDED_PROTO. Add them by opening up the URL Rewrite feature for your HTTPS site and clicking on “View Server Variables…”:

Find and edit your web.config file for the configured HTTPS website and make sure it includes the following rewrite rules. You need to update the hostname to match yours:

Verify that your URL Rewrite feature has the two new rules, you might need to reload your site:

You should be able to access your SonarQube instance through the reverse proxy now.
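The whole of Step 2 as a script, as an added example (not the post's own configuration) for anyone who would rather not click through the IIS dialogs. It assumes the public name sonarqube.lab.local, SonarQube on http://localhost:9000, a certificate for that name already in the machine store, site roots under C:\inetpub, and that URL Rewrite and ARR are already installed. The rewrite rules it writes are my reconstruction of the two-variable setup the post describes, not a copy of the post's web.config.

```powershell
# Added example, not the post's own script: the IIS side of Step 2 from an
# elevated PowerShell prompt, after URL Rewrite and ARR are installed.
# Assumptions: public name sonarqube.lab.local, SonarQube on http://localhost:9000,
# a certificate for that name already in Cert:\LocalMachine\My, site roots in C:\inetpub.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration
$hostName  = 'sonarqube.lab.local'
$backend   = 'http://localhost:9000'
$apphost   = 'MACHINE/WEBROOT/APPHOST'
$redirRoot = 'C:\inetpub\sonarqube-redirect'
$proxyRoot = 'C:\inetpub\sonarqube-proxy'
New-Item -ItemType Directory -Force -Path $redirRoot, $proxyRoot | Out-Null

# The HTTP Redirection role service is not part of the bare Web-Server install.
Install-WindowsFeature Web-Http-Redirect | Out-Null
if (Get-Website -Name 'Default Web Site') { Remove-Website -Name 'Default Web Site' }

# Site 1: port 80 only, permanent redirect of every request to the HTTPS name
# (exactDestination stays false, so the request path is preserved).
New-Website -Name 'SonarQube-Redirect' -PhysicalPath $redirRoot -Port 80 | Out-Null
$redir = 'IIS:\Sites\SonarQube-Redirect'
Set-WebConfigurationProperty -PSPath $redir -Filter 'system.webServer/httpRedirect' -Name 'enabled'            -Value $true
Set-WebConfigurationProperty -PSPath $redir -Filter 'system.webServer/httpRedirect' -Name 'destination'        -Value "https://$hostName"
Set-WebConfigurationProperty -PSPath $redir -Filter 'system.webServer/httpRedirect' -Name 'httpResponseStatus' -Value 'Permanent'

# Site 2: HTTPS only, bound to the newest certificate for the host name, SSL required.
New-Website -Name 'SonarQube' -PhysicalPath $proxyRoot -Port 443 -HostHeader $hostName -Ssl | Out-Null
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$hostName*" -or $_.DnsNameList.Unicode -contains $hostName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in Cert:\LocalMachine\My" }
(Get-WebBinding -Name 'SonarQube' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\SonarQube' -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# ARR: proxying must be on, and the "Reverse rewrite host in response headers"
# checkbox the post tells you to clear is this attribute of system.webServer/proxy.
Set-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/proxy' -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/proxy' -Name 'reverseRewriteHostInResponseHeaders' -Value $false

# URL Rewrite only lets a rule set server variables that are allow-listed for the site.
$allowed = Get-WebConfiguration -PSPath $apphost -Location 'SonarQube' -Filter 'system.webServer/rewrite/allowedServerVariables/add' |
           ForEach-Object { $_.name }
foreach ($v in 'ORIGINAL_URL', 'X_FORWARDED_PROTO') {
    if ($allowed -notcontains $v) {
        Add-WebConfigurationProperty -PSPath $apphost -Location 'SonarQube' -Filter 'system.webServer/rewrite/allowedServerVariables' -Name '.' -Value @{ name = $v }
    }
}

# The rules live in the site's web.config. Inbound: forward everything to SonarQube,
# remembering the public host name and the scheme the browser used. Outbound: fix
# any absolute localhost:9000 link that comes back in HTML. If requests fail with
# HTTP 500.52 the backend sent compressed HTML; allow-list HTTP_ACCEPT_ENCODING and
# add <set name="HTTP_ACCEPT_ENCODING" value="" /> to the inbound rule.
$webConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="SonarQube reverse proxy" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="$backend/{R:1}" />
          <serverVariables>
            <set name="ORIGINAL_URL" value="{HTTP_HOST}" />
            <set name="X_FORWARDED_PROTO" value="https" />
          </serverVariables>
        </rule>
      </rules>
      <outboundRules>
        <rule name="SonarQube outbound links" preCondition="ResponseIsHtml">
          <match filterByTags="A, Form, Img, Link, Script" pattern="^$backend/(.*)" />
          <action type="Rewrite" value="https://{ORIGINAL_URL}/{R:1}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"@
Set-Content -Path (Join-Path $proxyRoot 'web.config') -Value $webConfig -Encoding UTF8

# Check that IIS parsed the rules and that SonarQube answers through the proxy.
Get-WebConfiguration -PSPath 'IIS:\Sites\SonarQube' -Filter 'system.webServer/rewrite/rules/rule' | Select-Object -ExpandProperty name
(Invoke-WebRequest -Uri "https://$hostName/api/system/status" -UseBasicParsing).Content
```

Whether SonarQube sees X_FORWARDED_PROTO as an X-Forwarded-Proto request header is not something this post documents; in practice the base server URL set in Step 4 is what SonarQube uses to build its SAML callback, so if the login redirect still comes back as http:// check that setting first.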

Step 3: Configure ADFS

Open AD FS Management, right-click “Relying Party Trusts” and click “Add Relying Party Trust…”

Select “Claims aware” and click Start:

Select “Enter data about the relying party manually” and click Next:

Enter any “Display name” you like, for example “SonarQube”. Click next.

Skip the certificate by clicking Next:

Check the “Enable support for the SAML 2.0 WebSSO protocol” box and type in the URL to your server, keeping the path (/oauth2/callback/saml):

I used the URL to my SonarQube server as the identifier:

On the next screen you can restrict access. In my lab setup I used “Permit everyone”.

Review your settings and finish:

Claim Issuance Policy for SonarQube:

💊 Note: For some reason I had to re-open these settings because it was not possible to select “Active Directory” as the Attribute store right after creating the relying party trust.

This is how the rules should look:

ADFS config should now be complete.
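The same relying party trust built with the AD FS PowerShell module, run on the AD FS server, as an added example rather than the post's own steps. It assumes the identifier https://sonarqube.lab.local (the post's Application ID) and that the claim rules should issue exactly the four attributes Step 4 configures; the rule text is mine, written from those attribute names, since the post's screenshot of the rules is not reproduced here.

```powershell
# Added example, not from the post: the SonarQube relying party trust as a script.
# Run on the AD FS server as an AD FS administrator.
# Assumptions: identifier https://sonarqube.lab.local; claims match Step 4 exactly.
$ErrorActionPreference = 'Stop'
$identifier = 'https://sonarqube.lab.local'
$acsUrl     = "$identifier/oauth2/callback/saml"   # SonarQube's SAML callback path
$name       = 'SonarQube'

# SAML 2.0 WebSSO: one assertion consumer endpoint with the POST binding, which is
# what the wizard creates when you tick "Enable support for the SAML 2.0 WebSSO protocol".
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true

# Issuance transform rules: look the signed-in account up in Active Directory and
# emit UPN, display name, mail and group names under the claim types Step 4 uses.
# tokenGroups yields unqualified group names; SonarQube applies only those that
# already exist as groups with the same name on the SonarQube side.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "SonarQube user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";userPrincipalName,displayName,mail,tokenGroups;{0}", param = c.Value);
'@

# Access control: the post's lab choice is the built-in "Permit everyone" policy.
# For anything beyond a lab pick a group-based policy (for example "Permit specific group")
# so that only intended accounts can obtain a token for SonarQube.
Add-AdfsRelyingPartyTrust -Name $name -Identifier $identifier -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -AccessControlPolicyName 'Permit everyone'

# Read back what AD FS stored: identifier, ACS endpoint, policy and the claim rules.
Get-AdfsRelyingPartyTrust -Name $name |
    Select-Object Name, Identifier, AccessControlPolicyName,
                  @{ n = 'AssertionConsumer'; e = { $_.SamlEndpoints.Location } },
                  IssuanceTransformRules
```

The identifier is the string SonarQube sends as the SAML Issuer; if it does not match the Application ID entered in Step 4 byte for byte (scheme, host, no trailing slash), AD FS rejects the request with an "identifier not found" event rather than a useful browser error.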

Step 4: Configure SonarQube

Start by setting your base server URL to your HTTPS URL, it’s under General Settings > General:

You may have to install the SAML module from the Marketplace before going further.

Open https://<your-sonarqube-server-hostname>/admin/settings?category=saml and set the following options:

Enabled: On
Application ID: https://sonarqube.lab.local (match the ID in ADFS)
Provider Name: Lab_SAML (can be anything)
Provider ID: http://fs.lab.local/adfs/services/trust
Must match the entityID value found in the ADFS metadata:

You can find the metadata XML file at https://<your-adfs-server>/FederationMetadata/2007-06/FederationMetadata.xml

SAML login URL: https://fs.lab.local/adfs/ls/IdpInitiatedSignOn.aspx
Provider certificate: Paste in the value (single line, starts with MII… not the header or footer) from the Base64 export of the signing certificate. Click View Certificate > Details > Copy To File… > Next > Base-64

SAML user login attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
SAML user name attribute:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
SAML user email attribute:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
SAML group attribute:
http://schemas.xmlsoap.org/claims/Group

Here are screenshots of how your SAML configuration should look:
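Rather than copying the Provider ID, login URL and certificate out of dialogs, you can read them from the federation metadata the post links to. This is an added example, not part of the post; it assumes the AD FS farm name fs.lab.local from the post and runs on any machine that can reach it.

```powershell
# Added example, not from the post: read the values Step 4 needs from the AD FS
# federation metadata and inspect the token-signing certificate before pasting
# it into SonarQube. Assumption: the AD FS farm is fs.lab.local, as in the post.
$ErrorActionPreference = 'Stop'
$adfs = 'fs.lab.local'
$url  = "https://$adfs/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content

# PowerShell's XML adapter resolves elements by local name, so the md:/ds:
# namespace prefixes in the document do not get in the way.
$entity = $md.EntityDescriptor
$idp    = $entity.IDPSSODescriptor
"Provider ID (entityID) : $($entity.entityID)"

# SP-initiated sign-on endpoints, to compare with the 'SAML login URL' setting.
foreach ($sso in @($idp.SingleSignOnService)) {
    "SingleSignOnService     : $($sso.Location)  [$($sso.Binding -replace '^.*:', '')]"
}

# Signing keys. During certificate rollover AD FS lists both the current and the
# next token-signing certificate; SonarQube 7.8 holds one, so take the primary one
# (its thumbprint matches Get-AdfsCertificate -CertificateType Token-Signing with
# IsPrimary = True on the AD FS server).
$signing = @($idp.KeyDescriptor) | Where-Object { $_.use -eq 'signing' }
foreach ($kd in $signing) {
    $b64  = $kd.KeyInfo.X509Data.X509Certificate -replace '\s', ''   # single line, no BEGIN/END lines
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    ""
    "Signing certificate     : $($cert.Subject)"
    "  thumbprint            : $($cert.Thumbprint)"
    "  valid                 : $($cert.NotBefore.ToString('yyyy-MM-dd')) to $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    "  Provider certificate  : $b64"
}
```

Two things worth checking in that output. The metadata publishes https://fs.lab.local/adfs/ls/ as the SingleSignOnService location; the post uses the IdpInitiatedSignOn.aspx page instead, which AD FS on Server 2016 and later ships disabled (Get-AdfsProperties shows EnableIdpInitiatedSignonPage), so if logins stall at AD FS try the metadata value. And AD FS rolls its token-signing certificate automatically (AutoCertificateRollover is on by default, with a one-year CertificateDuration); when it switches, SAML logins fail until the new certificate is pasted into SonarQube, so note the expiry date printed above.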

Testing

After this you should be able to log in to SonarQube using your Active Directory Federation Services credentials.

I still have some work to do regarding groups, I will update this post when I have figured that out 😊

Other issues

ADFS issues

If you have any problems with your ADFS setup you should start with the diagnostics tool: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-diagnostics-analyzer

Credit

https://blogs.msdn.microsoft.com/visualstudioalmrangers/2016/06/04/running-sonarqube-behind-an-iis-reversed-proxy/

https://docs.sonarqube.org/display/PLUG/SAML+Authentication+Plugin

If there’s anything I missed please comment to this blog post, I want your feedback.

Or add a reply to this thread: https://community.sonarsource.com/t/guide-sonarqube-7-8-on-iis-with-adfs-saml-2-0-authentication/11052

You can also DM me: https://twitter.com/jakobjs
