SonarQube with Apache Reverse Proxy (SSPI auth) using http header x-forwarded-name does not collect user mail and groups


quali...@gmail.com

May 23, 2017, 7:53:46 AM
to SonarQube
Dear,

For SonarQube 6.2 authentication, I have set up Apache 2.4 as reverse proxy with SSL and SSO (SSPI). https://sonarApacheProxy -> passing http header REMOTE_USER (as x-forwarded-name) -> http://localhost:9000 (=sonarqube)

When authenticating on SQ server via http://localhost:9000, SQ properly queries ldaps and updates the fullname and groups.
When authenticating through the Apache reverse proxy, I can see my username, I'm connected to sonar, but no fullname & groups.

Sonar requires fullname, mail address & group memberships to come from the reverse proxy, but I can find no full documentation on this setup. Old SQ had a property sonar.security.updateUserAttributes=true that is no longer supported.
https://docs.sonarqube.org/display/SONAR/Authentication

Sonar.properties
sonar.security.realm=LDAP
ldap.url=ldaps://server:636
ldap.bindDn=account
ldap.bindPassword=***
sonar.forceAuthentication=true
 
# User Configuration
ldap.user.baseDn=working OU/DC
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
 
# Group Configuration
ldap.group.baseDn=working OU/DC
ldap.group.request=(&(objectClass=group)(member={dn}))

httpd.conf (apache reverse proxy)
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Login expr=%{REMOTE_USER}

sonar web.log - authenticated via Apache reverse proxy (https://sonarApacheProxy)
2017.05.23 11:40:01 DEBUG web[...][o.s.s.u.NewUserNotifier] User created: myUserAccount. Notifying NewUserHandler handlers...
-> no new line calling identity provider to collect groups

sonar web.log - authenticated via http://localhost:9000
2017.05.23 11:42:47 DEBUG web[...][o.s.s.u.NewUserNotifier] User created: myUserAccount. Notifying NewUserHandler handlers...
2017.05.23 11:42:47 DEBUG web[...][o.s.s.a.UserIdentityAuthenticator] List of groups returned by the identity provider '[Group1, Group2]'

Should this be reported as an SQ 6.2 bug, or can someone provide a docset on how to get these user attributes in Apache?
Goal is to have SSL connection with single sign-on to SonarQube.

Thanks!

Julien Lancelot

May 23, 2017, 11:15:45 AM
to quali...@gmail.com, SonarQube
Hi,

In order for the SSO feature to synchronize groups, the list of groups should be sent in the header: X-Forwarded-Groups
You can see more information about this feature in the sonar.properties file: https://github.com/SonarSource/sonarqube/blob/master/sonar-application/src/main/assembly/conf/sonar.properties#L160.

Regards,

--
Julien Lancelot | SonarSource
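
Added example, not part of the original thread and not SonarQube or Apache code: a small Python audit of the RequestHeader directives in a proxy config, showing which of SonarQube's SSO headers the proxy actually controls. The header names are SonarQube's defaults for HTTP-header SSO; the sample config is the one quoted in the first post, and the parsing is a simplification that ignores conditions and container scoping.

```python
import re

# SonarQube's default SSO header names and the user attribute each one feeds.
SSO_HEADERS = {
    "x-forwarded-login": "login",
    "x-forwarded-name": "full name",
    "x-forwarded-email": "email",
    "x-forwarded-groups": "groups",
}

# Constructed sample: the three proxy directives quoted in the first post.
THREAD_CONF = """\
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Login expr=%{REMOTE_USER}
"""

DIRECTIVE = re.compile(r'^\s*RequestHeader\s+(\S+)\s+"?([^\s"]+)"?', re.IGNORECASE)
ADDING = ("add", "append", "merge", "setifempty")

def audit(conf_text):
    """Return {attribute: state} for the four SSO headers.

    'set'       proxy overwrites the header with its own value
    'unset'     proxy strips the header, so SonarQube receives nothing
    'unmanaged' no directive, or one that keeps whatever value arrived
    Simplification: directives are read in file order; env=/expr=
    conditions and <Location>/<VirtualHost> scoping are ignored.
    """
    state = {attr: "unmanaged" for attr in SSO_HEADERS.values()}
    for line in conf_text.splitlines():
        m = None if line.lstrip().startswith("#") else DIRECTIVE.match(line)
        attr = SSO_HEADERS.get(m.group(2).lower()) if m else None
        if attr is None:
            continue
        action = m.group(1).lower()
        if action in ("set", "unset"):
            state[attr] = action
        elif action in ADDING and state[attr] == "unset":
            state[attr] = "set"  # after an unset only the proxy's value remains
    return state

def not_supplied(conf_text):
    """Attributes SonarQube cannot take from a proxy-controlled header."""
    return [attr for attr, s in audit(conf_text).items() if s != "set"]

if __name__ == "__main__":
    for attr, s in audit(THREAD_CONF).items():
        print(f"{attr:10} {s}")
    print("not supplied by proxy:", ", ".join(not_supplied(THREAD_CONF)))
```

For the thread's config only the login header is proxy-controlled, which matches the symptom of a created user with no full name, mail or groups.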

quali...@gmail.com

May 24, 2017, 12:49:39 AM
to SonarQube, quali...@gmail.com
Thanks for your reply Julien. The sonar documentation says to put the list of groups in header X-Forwarded-Groups, and refers to 'see documentation of your reverse proxy for feeding these headers'. But there is not a lot of documentation on Apache proxy setting the authenticated user attributes such as mail and groups.

I send REMOTE_USER (being the SSO authenticated username) to header X-Forwarded-Login. This gets me logged on to sonar, but full name, mail and groups in Sonar remain blank (as the http headers are not provided by reverse proxy).

When I connect through SSO reverse proxy, looking at the sonar web.log file, I do see a call notifying NewUserHandler, but that's it. The groups are not collected in sonar. 

Thanks.

Koen
2017.05.23 11:40:01 DEBUG web[...][o.s.s.u.NewUserNotifier] User created: myUserAccount. Notifying NewUserHandler handlers...

On Tuesday, May 23, 2017 at 17:15:45 UTC+2, Julien Lancelot wrote: