Setting up SAML SSO
With the Enterprise plan, you can switch from DevOps platform authentication to Single Sign-On (SSO) with any identity provider (IdP) that supports SAML. SonarCloud uses Service Provider (SP)-initiated SAML: the login flow always starts from a SonarCloud login URL, not from the IdP's application portal.
With SSO you benefit from:
- Increased security and a single source of truth for user authentication.
- Automatic group synchronization.
SAML SSO is set up for a given enterprise (see Setting up your enterprise). At SSO login time, users select the enterprise they want to access.
For more information, see SAML SSO user accounts.
To set up SAML SSO in your enterprise:
1. Verify the user groups of the enterprise’s organizations to ensure proper user onboarding through automatic group synchronization. For more information, see Automatic group synchronization in SAML SSO user accounts.
To do so, verify that:
- The user groups defined in your IdP exist in the relevant organizations of your SonarCloud enterprise, i.e. a group with exactly the same name (the match is case-sensitive) exists in each relevant organization.
- The user groups in SonarCloud have the correct permissions.
To manage the user groups in SonarCloud, see Managing the user groups in your organization.
Group definition example
The figure below shows a group definition example with Okta as IdP.
2. Register SonarCloud in the identity provider. See:
3. Test the SSO connection.
4. Send the SSO login URL to invite enterprise users to sign in to SonarCloud with SSO. Once they have signed in, their SAML SSO account is created in SonarCloud and they have access to their organization(s) through the automatic group synchronization with the identity provider. They should:
- Check that they have access to their organization(s) and can perform their tasks as before.
- Generate their analysis tokens with their SAML SSO account. (They can still use the tokens of their DevOps platform (DOP) account to run analyses as long as that DOP account still exists.)
5. Sign up with SonarCloud yourself using the enterprise’s SSO login URL. This creates your own SAML SSO account.
6. Sign in to SonarCloud with your DOP account and grant your SAML SSO account the Administer Enterprise permission: see Managing the enterprise permissions in Managing your enterprise.
7. Once the enterprise users have successfully transitioned to SAML SSO (and, during a trial, once you are sure you want to purchase the Enterprise plan), you can remove their DOP accounts from the organizations, and the users can delete their DOP accounts. Keep the admin DOP accounts, though: with a SAML SSO account you currently cannot bind a SonarCloud organization to the corresponding DOP organization (see Onboarding a new organization on your enterprise).
When created, SAML SSO accounts have no history: comments on issues, favorite projects, etc. are not transferred from the corresponding DOP account.
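Step 1 is where a rollout fails silently: a user whose IdP group has no exact-name counterpart in an organization (or whose counterpart exists but grants no permissions) gets a SAML SSO account and then finds nothing to work on. The script below is an added example, not SonarCloud tooling or part of its documentation; it runs the group check offline against two constructed lists: the IdP groups you expect per organization, and the groups currently defined in each organization with their permissions. The organization keys, group names and permission strings are placeholders; in practice you would fill them from your IdP and from each organization's group management page.

```python
"""Pre-flight check for SonarCloud SAML automatic group synchronization.

Added example (not SonarCloud's own code). The setup procedure requires that
every IdP group used for onboarding exists, with an identical (case-sensitive)
name, in each relevant SonarCloud organization, and that those groups carry
the right permissions. This classifies every expected group per organization
so the gaps can be fixed before users are invited to the SSO login URL.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class SonarGroup:
    """A group as defined in one SonarCloud organization (constructed data)."""
    name: str
    permissions: FrozenSet[str] = frozenset()


@dataclass
class OrgReport:
    ok: List[str] = field(default_factory=list)              # exact match, has permissions
    no_permissions: List[str] = field(default_factory=list)  # exact match, grants nothing
    case_mismatch: Dict[str, str] = field(default_factory=dict)  # IdP name -> SonarCloud name
    missing: List[str] = field(default_factory=list)         # no such group at all

    def clean(self) -> bool:
        return not (self.no_permissions or self.case_mismatch or self.missing)


# Constructed: for each SonarCloud organization, the IdP groups whose members
# should be onboarded there (the "relevant organizations" of step 1).
IDP_GROUPS_BY_ORG: Dict[str, List[str]] = {
    "acme-payments": ["sonar-developers", "sonar-admins", "sonar-security-reviewers"],
    "acme-web": ["sonar-developers", "sonar-admins"],
}

# Constructed: groups currently defined in each organization. Permission
# names are illustrative placeholders, not SonarCloud's permission keys.
SONARCLOUD_ORGS: Dict[str, List[SonarGroup]] = {
    "acme-payments": [
        SonarGroup("sonar-developers", frozenset({"execute_analysis"})),
        SonarGroup("Sonar-Admins", frozenset({"administer"})),  # differs only in case
        SonarGroup("Members"),                                   # default group, not IdP-managed
    ],
    "acme-web": [
        SonarGroup("sonar-developers"),                          # exists but grants nothing
        SonarGroup("sonar-admins", frozenset({"administer"})),
    ],
}


def check_org(idp_groups: List[str], sonar_groups: List[SonarGroup]) -> OrgReport:
    """Classify each expected IdP group against one organization's groups.

    The exact-name lookup mirrors the case-sensitive match the page requires;
    the case-folded lookup only serves to report near misses, which SAML
    group sync would NOT map, so they must be renamed on one side.
    """
    exact = {g.name: g for g in sonar_groups}
    folded = {g.name.casefold(): g.name for g in sonar_groups}
    report = OrgReport()
    for name in idp_groups:
        if name in exact:
            (report.ok if exact[name].permissions else report.no_permissions).append(name)
        elif name.casefold() in folded:
            report.case_mismatch[name] = folded[name.casefold()]
        else:
            report.missing.append(name)
    return report


def check_enterprise(idp_by_org: Dict[str, List[str]],
                     orgs: Dict[str, List[SonarGroup]]) -> Dict[str, OrgReport]:
    """Run the check for every organization listed in the expectations."""
    return {org: check_org(groups, orgs.get(org, [])) for org, groups in idp_by_org.items()}


def is_ready(reports: Dict[str, OrgReport]) -> bool:
    """True only if every expected group maps cleanly in every organization."""
    return all(r.clean() for r in reports.values())


if __name__ == "__main__":
    result = check_enterprise(IDP_GROUPS_BY_ORG, SONARCLOUD_ORGS)
    for org, r in result.items():
        print(f"[{org}]")
        for label in ("missing", "case_mismatch", "no_permissions", "ok"):
            if getattr(r, label):
                print(f"  {label}: {getattr(r, label)}")
    print("READY" if is_ready(result) else "NOT READY: fix the items above before sending the SSO login URL")
```

With the constructed data the check reports `sonar-security-reviewers` as missing and `sonar-admins` as a case mismatch in `acme-payments`, and `sonar-developers` as a group without permissions in `acme-web`; only once all three are fixed does it report the enterprise as ready for step 4.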
Related pages
- Setting up your enterprise
This page explains the different steps necessary to create and configure an enterprise.
- Viewing your enterprise's billing and usage information
- Onboarding a new organization on your enterprise