Problem statement
The SSO integration for SonarQube/Jenkins breaks after the callback URL is changed from the Auth0 Dashboard. Attempting to log in then fails with the following error:
invalid_request: No attribute was found to generate the nameIdentifier. We tried with:
Cause
This happens because "nameIdentifierProbes" in the SAML web app addon was set to an empty array, so Auth0 has no claim left to build the SAML NameID from.
Solution
Deleting the SSO integration and reinstalling it restores login, and it keeps working as long as no further changes are made.
Alternatively, the broken integration can be repaired in place by updating it through the Auth0 Management API (PATCH /api/v2/clients/{id}). These are the steps to follow:
- Use the Management API endpoint mentioned here.
- Get the Client ID for this SSO integration in the Auth0 Dashboard > Applications > SSO Integrations > SonarQube > See the Client ID on top, below the name.
- Use the following body in the PATCH request to fix the implementation:
{
  "addons": {
    "samlp": {
      "issuer": "urn:<tenant-name>",
      "mappings": {
        "name": "name",
        "email": "email"
      },
      "createUpnClaim": true,
      "passthroughClaimsWithNoMapping": true,
      "mapUnknownClaimsAsIs": false,
      "mapIdentities": true,
      "signatureAlgorithm": "rsa-sha1",
      "digestAlgorithm": "sha1",
      "lifetimeInSeconds": 3600,
      "signResponse": false,
      "typedAttributes": true,
      "includeAttributeNameFormat": true,
      "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ],
      "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
      "logout": {
        "slo_enabled": true
      },
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    }
  }
}
Replace <tenant-name> with the name of the Auth0 tenant.
Please note that the integration breaks again if any further changes are made through the Auth0 Dashboard.
The settings above apply to the SonarQube SSO integration. For Jenkins, create a new Jenkins integration, retrieve the settings from that new integration, and use them as the body of the PATCH request against the broken one.
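The repair steps above, carried out as a script. This is an added example and not Auth0's own code or tooling: it reads the client with GET /api/v2/clients/{id}, checks whether the SAML addon's nameIdentifierProbes array is actually empty (the cause described above), and only then sends the PATCH body from this article. It assumes the Management API token (with read:clients and update:clients scopes), the tenant domain, the tenant name and the integration's Client ID are supplied through the environment variables AUTH0_MGMT_TOKEN, AUTH0_DOMAIN, AUTH0_TENANT and AUTH0_CLIENT_ID, all of which are names chosen for this example.

```python
"""Added example (not Auth0's code): repair an SSO integration whose SAML addon
has an empty nameIdentifierProbes array, via the Auth0 Management API.

Assumed environment variables (names chosen for this example):
  AUTH0_DOMAIN      tenant domain, e.g. <tenant>.auth0.com
  AUTH0_TENANT      tenant name used for the SAML issuer "urn:<tenant-name>"
  AUTH0_MGMT_TOKEN  Management API token with read:clients and update:clients
  AUTH0_CLIENT_ID   Client ID shown under Applications > SSO Integrations
Only the standard library is used.
"""
import json
import os
import urllib.request

# Claim URIs Auth0 tries, in order, to build the SAML NameID (from the article).
DEFAULT_PROBES = [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
]


def probes_are_broken(client):
    """True when the samlp addon is present but cannot produce a NameID because
    nameIdentifierProbes is missing or empty (the failure the article describes)."""
    samlp = (client.get("addons") or {}).get("samlp")
    if samlp is None:
        return False  # not a SAML integration; nothing to repair
    return not samlp.get("nameIdentifierProbes")


def build_samlp_patch(tenant_name, probes=DEFAULT_PROBES):
    """Return the PATCH body from the article with <tenant-name> filled in."""
    return {
        "addons": {
            "samlp": {
                "issuer": f"urn:{tenant_name}",
                "mappings": {"name": "name", "email": "email"},
                "createUpnClaim": True,
                "passthroughClaimsWithNoMapping": True,
                "mapUnknownClaimsAsIs": False,
                "mapIdentities": True,
                "signatureAlgorithm": "rsa-sha1",
                "digestAlgorithm": "sha1",
                "lifetimeInSeconds": 3600,
                "signResponse": False,
                "typedAttributes": True,
                "includeAttributeNameFormat": True,
                "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                "nameIdentifierProbes": list(probes),
                "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
                "logout": {"slo_enabled": True},
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            }
        }
    }


def management_request(domain, token, client_id, method="GET", body=None):
    """Call GET or PATCH /api/v2/clients/{id} and return the decoded JSON response."""
    url = f"https://{domain}/api/v2/clients/{client_id}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def repair_if_needed(domain, token, client_id, tenant_name):
    """Read the client first and PATCH only when the probes are really empty, so a
    healthy integration is never overwritten. Returns True if a PATCH was sent."""
    client = management_request(domain, token, client_id)
    if not probes_are_broken(client):
        return False
    management_request(domain, token, client_id, "PATCH", build_samlp_patch(tenant_name))
    return True


if __name__ == "__main__":
    env = {k: os.environ[k] for k in
           ("AUTH0_DOMAIN", "AUTH0_TENANT", "AUTH0_MGMT_TOKEN", "AUTH0_CLIENT_ID")}
    changed = repair_if_needed(env["AUTH0_DOMAIN"], env["AUTH0_MGMT_TOKEN"],
                               env["AUTH0_CLIENT_ID"], env["AUTH0_TENANT"])
    print("integration patched" if changed else "nameIdentifierProbes already set; no change made")
```

Checking the current configuration before writing is the point of the GET step: the script leaves a working integration alone and applies the article's body only when the probe list is genuinely empty, which is also the state to look for when the same login error reappears after a Dashboard edit.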