# About SSO and provisioning

*This feature requires the SonarQube Cloud Enterprise license.*

You can use the Single Sign-On (SSO) authentication mode in your enterprise with SAML or OIDC. With SSO you benefit from:

* Increased security and a single source of truth for user authentication.
* Automatic user and group provisioning through SCIM.\
  If you don’t want to use SCIM, Just-in-Time (JIT) user provisioning is supported together with automatic group synchronization.

{% hint style="success" %}
To set up SSO and/or SCIM in your enterprise, see [Set up SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso.md) and [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md). You may also set up SSO through [Okta's Express Configuration](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/using-okta-express-configuration.md).
{% endhint %}

## SSO authentication <a href="#sso" id="sso"></a>

You can use the SAML or the OIDC protocol.

### Service Provider (SP) initiated SSO <a href="#sso" id="sso"></a>

SonarQube Cloud uses Service Provider (SP) initiated Single Sign-On (SSO). This process involves users attempting to log in to SonarQube Cloud, which then redirects them to your identity provider for authentication.

{% hint style="warning" %}
Identity Provider (IdP) initiated SSO is not supported.
{% endhint %}

{% hint style="info" %}
If you want to use a shortcut link to access the SSO login, use \
`https://sonarcloud.io/login/sso?enterprise_key=<enterprise_key>`.
{% endhint %}

### User login format <a href="#user-login-format" id="user-login-format"></a>

When creating a new user login, SonarQube Cloud systematically appends a random suffix to the login name to reduce the risk of user misidentification.

{% hint style="info" %}
When setting up API-based automations related to users, don’t use the `login` field to retrieve a user. Use the `email` field instead.
{% endhint %}

### SAML SSO authentication flow <a href="#saml" id="saml"></a>

Users log directly into SonarQube Cloud with their SAML SSO credentials, which are transmitted to an Auth0 server for authentication. Auth0 functions as the SAML service provider, bridging SonarQube Cloud and the identity provider.

The authentication flow is as follows:

1. The user enters their login for SAML SSO via SonarQube Cloud.
2. SonarQube Cloud redirects the authentication request to Auth0.
3. Auth0 forwards the SAML request to the SAML identity provider.
4. The SAML identity provider authenticates the user and generates a signed token containing the user’s information and privileges (SAML assertion). It sends the SAML assertion to Auth0. Optionally, the identity provider can encrypt this assertion with SonarQube Server’s certificate. Note that in that case, the SAML response, which contains the encrypted assertion, must be signed.
5. Auth0 sends the token to SonarQube Cloud.
6. SonarQube Cloud receives the token, verifies its signature and performs additional authentication checks. If they succeed, the user is authenticated in SonarQube Cloud.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/NZYmoNUhoJ7Al1V0ps8Y" alt="Users access SonarQube Cloud using their SAML SSO credentials, which are sent to an Auth0 server for authentication. Auth0 functions as the SAML service provider, bridging SonarQube and the identity provider."><figcaption></figcaption></figure>

{% hint style="info" %}
Auth0 may connect to the identity provider from one of the IP addresses listed [here](https://auth0.com/docs/secure/security-guidance/data-security/allowlist).
{% endhint %}

### OIDC SSO authentication flow <a href="#oidc" id="oidc"></a>

The authentication flow is as follows:

1. The user tries to log in to SonarQube Cloud.
2. SonarQube Cloud redirects the user to the OIDC provider for authentication.
3. The user authenticates to the OIDC provider using their credentials.
4. The OIDC provider generates an ID token and sends it to SonarQube Cloud.
5. SonarQube Cloud verifies the ID token and grants the end user access.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/Hl9AEgUUjUK52MBuyxgl" alt="OIDC authentication flow diagram with SonarQube Cloud."><figcaption></figcaption></figure>
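Step 5 of the OIDC flow is where the relying party decides whether to trust what the provider sent. The following is an added example, not SonarQube Cloud's or Auth0's code, showing the checks a relying party performs on an ID token before granting access: signature (with the algorithm pinned rather than read from the token), issuer, audience, expiry and nonce. The issuer, client id and shared HS256 secret are constructed for the example; a real provider signs with an asymmetric key published through its JWKS endpoint, and the token format is a compact JWS as defined by the JWT standard.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example (assumptions, not real SonarQube Cloud settings).
ISSUER = "https://idp.example.com/"          # issuer the relying party was configured with
CLIENT_ID = "sonarqube-cloud-client"         # client id registered at the provider
SHARED_SECRET = b"constructed-demo-secret"   # stands in for the provider's signing key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Step 4: the OIDC provider issues a signed ID token (compact JWS, HS256 here)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_id_token(token: str, expected_nonce: str, now: Optional[float] = None,
                    secret: bytes = SHARED_SECRET) -> dict:
    """Step 5: the relying party verifies the token before granting access.

    Returns the verified claims or raises ValueError naming the failed check.
    The signature is verified before any claim in the payload is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header: rejects "none" and key-confusion tokens.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    # The nonce ties the token to the login attempt that started the redirect (replay protection).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None when the token is accepted, otherwise the failed check."""
    try:
        verify_id_token(token, expected_nonce, now)
        return None
    except ValueError as err:
        return str(err)
```

`rejection_reason` is what a login handler would log: a token that fails any one of these checks is rejected without granting access, and the named check tells an operator whether the failure was a misconfiguration (issuer or audience) or something worth investigating (signature or nonce).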

### Limitations <a href="#limitations" id="limitations"></a>

In an SSO-enabled enterprise:

* SSO users cannot be added to organizations outside of their enterprise.
* The GitHub member synchronization is disabled on any organization of the enterprise.
* Currently, an SSO user cannot bind a SonarQube Cloud organization to its corresponding Bitbucket Cloud workspace. They must use their DevOps platform (DOP) account to perform the binding.
* Both DevOps platform and SSO authentications are supported but only one SSO configuration can be managed.
* If you transition from the DevOps Platform authentication service to SSO:\
  When created in SonarQube Cloud, SSO accounts will have no history. That means that comments on issues, favorite projects, etc., will not be transferred from the corresponding DevOps Platform account’s history in SonarQube Cloud.

## SCIM provisioning <a href="#scim" id="scim"></a>

You can use SCIM provisioning in SonarQube Cloud alongside Single Sign-On (SSO) to automate the user on- and off-boarding.

SCIM provisioning is supported with any identity provider.

{% hint style="success" %}
To set up SCIM provisioning in your enterprise, see [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md).
{% endhint %}

### Supported provisioning features <a href="#features" id="features"></a>

SCIM automates user and group provisioning and deprovisioning. This includes the synchronization of group memberships. These features are illustrated in the figure below and detailed in the following paragraphs.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/FPV5cuAP4U6gkv02Wy7L" alt="The supported SCIM provisioning operations are user and group provisioning/deprovisioning. This includes the group membership sync."><figcaption></figcaption></figure>

{% hint style="info" %}
* An SSO user has access to an organization (and is a member of this organization) if they belong to a group within this organization.
* User and group permissions are set in SonarQube Cloud.
{% endhint %}

#### User provisioning <a href="#user-provisioning" id="user-provisioning"></a>

When you create a user in your identity provider and add them to a group assigned to your SonarQube Cloud application, the user is automatically provisioned in SonarQube Cloud.

#### User deprovisioning <a href="#user-deprovisioning" id="user-deprovisioning"></a>

When you remove a user from your identity provider or deactivate their account, user deprovisioning is enforced in SonarQube Cloud as follows:

* All the user’s active sessions are revoked.
* The user’s SonarQube Cloud’s SSO account is deleted.
* The user’s personal access tokens are revoked.

#### Group provisioning <a href="#group-provisioning" id="group-provisioning"></a>

When you assign a group to the SonarQube Cloud application in your identity provider, it is automatically provisioned in SonarQube Cloud, provided it's mapped to the relevant SonarQube Cloud organization(s).

If a group with the same name already exists in a SonarQube Cloud organization, the members specified in your identity provider will be added to the existing group and any existing SSO member will be overwritten by the new member list (see also [#special-case-of-existing-groups-with-non-sso-users](#special-case-of-existing-groups-with-non-sso-users "mention")).

#### Group membership synchronization <a href="#group-sync" id="group-sync"></a>

When you add or remove a user to/from a group in your identity provider, the membership of the corresponding SCIM group in the relevant SonarQube Cloud organization(s) is updated.

#### Group deprovisioning <a href="#group-deprovisioning" id="group-deprovisioning"></a>

When you remove a group from your identity provider, the group is removed from all the SonarQube Cloud organizations it was mapped to. When you unmap a group from an organization in SonarQube Cloud, the group is removed from that organization.

### SCIM provisioning flow <a href="#provisioning-flow" id="provisioning-flow"></a>

The SCIM provisioning flow with SonarQube Cloud is as follows:

1. The admin performs a provisioning operation in their identity provider, e.g. the admin adds a user to a group assigned to the SonarQube Cloud application.
2. The identity provider sends a SCIM request to SonarQube Cloud.
3. SonarQube Cloud interprets the request, e.g. SonarQube Cloud provisions the user.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/MCU5Nb6JAA45FJ08A7I9" alt="When an admin creates a user in their identity provider, the identity provider sends a SCIM request to SonarQube Cloud that provisions the user."><figcaption></figcaption></figure>

### Limitations and special cases <a href="#limitations" id="limitations"></a>

This section lists the limitations and special cases related to SCIM provisioning.

#### Limitations on management

SCIM provisioning and deprovisioning operations are performed exclusively in your identity provider. This means that you cannot perform the following operations in SonarQube Cloud:

* Create or remove an SSO user.
* Add or remove an SSO user to/from an organization.
* Add or remove an SSO user to/from a SCIM group.
* Add SSO users to a non-SCIM group.

Regarding non-SSO users:

* You cannot add non-SSO users to a SCIM group.
* You can still create groups manually in SonarQube Cloud in case you need to manage non-SSO users.

{% hint style="info" %}
The user permissions of SSO users are defined exclusively in SonarQube Cloud through the SCIM groups they belong to.
{% endhint %}

#### SCIM group limits and provisioning rate <a href="#group-limits" id="group-limits"></a>

Due to constraints from Auth0, SCIM provisioning in your identity provider is subject to the following group limitations:

* The maximum number of groups is 10,000.
* The maximum number of members in a single group is 200,000.
* Nested groups are not supported.

In addition, the connection with your identity provider is limited to a maximum of 25 requests per second.

#### Special case of existing groups with non-SSO users <a href="#special-case" id="special-case"></a>

If a SCIM group contains non-SSO users (this may be the case if the group existed previously within the organization):

* The only manual operation permitted on this group in SonarQube Cloud is the manual removal of non-SSO users.
* If you remove this group in your IdP or unmap it from an organization, the SSO users will be removed from the group in SonarQube Cloud but the group itself and the non-SSO users will not be removed.
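The provisioning behaviours described above (user provisioning and deprovisioning, group provisioning mapped to organizations, membership synchronization, group deprovisioning, and the special case of a SCIM group that still contains non-SSO users) are easier to reason about as one small model. The following is an added example, not SonarQube Cloud's implementation: an in-memory stand-in for the receiving side that interprets SCIM 2.0 requests (the `PatchOp` schema URN and the `members[value eq "..."]` remove filter are from RFC 7644) and applies the rules stated on this page. The `Directory` class, its method names, and the organization, group and user names in the test data are constructed for the example; only member operations on groups and the `active` flag on users are handled.

```python
import re
from dataclasses import dataclass, field

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"    # RFC 7644 PatchOp schema URN
REMOVE_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')   # e.g. members[value eq "alice"]


@dataclass
class User:
    id: str
    email: str
    sso: bool = True   # False for an account that predates SSO (managed manually, never via SCIM)


@dataclass
class Directory:
    """Stand-in for the SonarQube Cloud side of the flow (an assumption for this example,
    not the product's code). Group names double as SCIM group ids."""
    users: dict = field(default_factory=dict)        # user id -> User
    group_orgs: dict = field(default_factory=dict)   # SCIM group -> set of organizations it is mapped to
    members: dict = field(default_factory=dict)      # (org, group) -> set of user ids
    revoked: list = field(default_factory=list)      # audit trail: ("session" | "token", user id)

    def org_members(self, org):
        """A user is an organization member only through a group in that organization."""
        return {u for (o, _), ids in self.members.items() if o == org for u in ids}

    def add_non_sso_user(self, org, group, uid, email):
        """Manual management of a non-SSO user: the one path that does not go through SCIM."""
        self.users[uid] = User(uid, email, sso=False)
        self.members.setdefault((org, group), set()).add(uid)

    def is_sso(self, uid):
        return uid in self.users and self.users[uid].sso

    def handle_scim(self, method, path, body=None):
        """Steps 2 and 3 of the flow: the IdP sends a SCIM request, the receiver interprets it."""
        kind, _, ident = path.strip("/").partition("/")
        if method == "PATCH" and (body or {}).get("schemas") != [PATCH_OP]:
            return 400, {"detail": "invalidSyntax"}
        handlers = {
            ("POST", "Users"): lambda: self._create_user(body),
            ("PATCH", "Users"): lambda: self._patch_user(ident, body),
            ("DELETE", "Users"): lambda: self._deprovision_user(ident),
            ("PATCH", "Groups"): lambda: self._patch_group(ident, body),
            ("DELETE", "Groups"): lambda: self._deprovision_group(ident),
        }
        handler = handlers.get((method, kind))
        return handler() if handler else (404, {"detail": "unsupported"})

    def _create_user(self, body):
        uid = body["userName"]
        if uid in self.users:
            return 409, {"detail": "uniqueness"}
        self.users[uid] = User(uid, body["emails"][0]["value"])
        return 201, {"id": uid}

    def _patch_user(self, uid, body):
        for op in body["Operations"]:
            value = op.get("value")   # either {"active": false} or path "active" with a bare value
            active = value.get("active") if isinstance(value, dict) else value if op.get("path") == "active" else None
            if op["op"].lower() == "replace" and active in (False, "False", "false"):
                return self._deprovision_user(uid)   # deactivation is handled as deprovisioning
        return 200, {"id": uid}

    def _deprovision_user(self, uid):
        if not self.is_sso(uid):
            return 404, {"detail": "no such SSO user"}
        self.revoked += [("session", uid), ("token", uid)]   # revoke sessions and personal tokens
        del self.users[uid]                                   # delete the SSO account
        for ids in self.members.values():
            ids.discard(uid)
        return 204, {}

    def _patch_group(self, group, body):
        orgs = self.group_orgs.get(group, set())   # unmapped group: accepted, but nothing to sync
        for op in body["Operations"]:
            if not (op.get("path") or "members").startswith("members"):
                continue   # only member operations are modelled here
            kind = op["op"].lower()
            wanted = {v["value"] for v in op.get("value", [])}
            if kind != "remove" and not all(self.is_sso(u) for u in wanted):
                return 400, {"detail": "only provisioned SSO users may be SCIM group members"}
            filt = REMOVE_FILTER.fullmatch(op.get("path", ""))
            for org in orgs:
                ids = self.members.setdefault((org, group), set())
                if kind == "replace":   # overwrite the SSO member list, keep non-SSO users
                    ids -= {u for u in ids if self.is_sso(u)}
                if kind in ("add", "replace"):
                    ids |= wanted
                elif kind == "remove":
                    ids -= {filt.group(1)} if filt else wanted
        return 200, {"id": group}

    def unmap_group(self, group, org):
        """Unmapping (or IdP removal) drops the SSO members; a group still holding non-SSO users survives."""
        self.group_orgs.get(group, set()).discard(org)
        ids = self.members.get((org, group), set())
        ids -= {u for u in ids if self.is_sso(u)}
        if not ids:
            self.members.pop((org, group), None)

    def _deprovision_group(self, group):
        for org in list(self.group_orgs.get(group, set())):
            self.unmap_group(group, org)
        self.group_orgs.pop(group, None)
        return 204, {}
```

The `revoked` list is the part worth keeping in a real system: deprovisioning is only effective if session and token revocation happen in the same step as account deletion, so an audit trail that records both for each deprovisioned user is what you would check after an offboarding.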

## Just-in-Time provisioning <a href="#just-in-time" id="just-in-time"></a>

If you choose not to configure auto-provisioning as part of your SSO authentication setup, SonarQube Cloud uses Just-In-Time (JIT) provisioning. This means that a user's SSO account is automatically created in SonarQube Cloud upon their first login using SSO.

With JIT provisioning, automatic group synchronization is supported.

### Automatic group synchronization <a href="#auto-group-sync" id="auto-group-sync"></a>

With the automatic group synchronization:

* A user in SonarQube Cloud is automatically added to an organization’s group within the enterprise if the user is a member of a group with the same name in the IdP. (The check is case-sensitive and excludes the organization’s default **Members** group.)
* The users added to a SonarQube Cloud group become members of the respective organization.\
  This is the only way a JIT SSO user is added to an organization. Note that if a user cannot be added to any group in SonarQube Cloud, they will land on an empty organization page.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/PTKIfUfHunp8zgzhot7R" alt="Users in SonarQube Cloud are automatically added to an organization&#x27;s group if they are members of a group with the same name in the IdP. These users then become members of the respective SonarQube Cloud organization."><figcaption></figcaption></figure>

See [User group concept](/sonarqube-cloud/administering-sonarcloud/about-sonarqube-cloud-solution/user-management/user-group-concept.md) for more information about user groups in SonarQube Cloud.

{% hint style="info" %}
If a group with the same name is assigned to several organizations, the user account is added to all these groups and thus, is a member of all these organizations.
{% endhint %}

{% hint style="warning" %}
JIT SSO users' group memberships are reset to match those in your identity provider upon login. If you add a JIT SSO user to a SonarQube Cloud group that doesn't exist in the identity provider, the user will be removed from that group on their next login.
{% endhint %}
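The two rules above (case-sensitive name matching that skips the default **Members** group, and the reset of a JIT user's memberships to the IdP's view at every login) are small enough to state as one function. The following is an added example, not SonarQube Cloud's code: given the groups the IdP asserted for the user, the groups that exist in each organization of the enterprise, and the memberships the user holds today, it returns the memberships after login together with what was added and what was dropped. The organization and group names used in the test are constructed.

```python
from typing import Dict, Iterable, Set, Tuple

DEFAULT_GROUP = "Members"   # the organization's default group is never synchronized from the IdP

Membership = Tuple[str, str]   # (organization, group)


def sync_jit_memberships(idp_groups: Iterable[str], org_groups: Dict[str, Set[str]],
                         current: Set[Membership]) -> Tuple[Set[Membership], Set[Membership], Set[Membership]]:
    """Compute a JIT SSO user's group memberships at login.

    idp_groups: group names asserted by the identity provider for this user
    org_groups: organization -> group names that exist in that organization
    current:    memberships the user holds in SonarQube Cloud before this login
    Returns (memberships after login, added, removed). Matching is exact and case-sensitive,
    the default group is skipped, and a membership with no IdP counterpart is dropped (the reset).
    """
    asserted = set(idp_groups)
    desired: Set[Membership] = set()
    for org, groups in org_groups.items():
        for group in groups:
            if group != DEFAULT_GROUP and group in asserted:
                desired.add((org, group))   # same name in several organizations: joined in each
    return desired, desired - current, current - desired


def organizations_for(memberships: Set[Membership]) -> Set[str]:
    """A JIT user is a member of exactly the organizations in which they hold a group;
    an empty result is the 'empty organization page' case described above."""
    return {org for org, _ in memberships}
```

The `removed` set is the one to watch when an administrator reports that a group assignment "disappeared": any membership granted manually in SonarQube Cloud without a matching IdP group shows up there on the user's next login.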

## Related pages <a href="#related-pages" id="related-pages"></a>

* [Setting up SSO](/sonarqube-cloud/getting-started-with-enterprise/setting-up-sso.md)
* [Editing or deleting SSO configuration](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/edit-or-delete-sso-setup.md)
* [Troubleshooting SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting.md)
* [User onboarding and offboarding](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/user-on-and-offboarding.md#deleting-sso-account)
* [Managing user groups](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/user-groups.md)

## Related online learning

* <i class="fa-desktop">:desktop:</i> [Initial SonarQube Cloud Enterprise set up](https://www.sonarsource.com/learn/course/sonarqube-cloud/e390f0fe-64f4-4840-b74c-e63598af72f2/initial-sonarqube-cloud-enterprise-set-up)

