# Just-in-Time provisioning

If you choose not to configure auto-provisioning as part of your SSO authentication setup, SonarQube Cloud uses Just-In-Time (JIT) provisioning. This means that a user's SSO account is automatically created in SonarQube Cloud upon their first login using SSO.

With JIT provisioning, automatic group synchronization is supported.

{% hint style="success" %}
To set up SSO with JIT provisioning, see [set-up-sso-with-jit](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso-with-jit "mention").
{% endhint %}

## Automatic group synchronization

With automatic group synchronization:

* A user in SonarQube Cloud is automatically added to an organization’s group within the enterprise if the user is a member of a group with the same name in the IdP. (The check is case-sensitive and excludes the organization’s default **Members** group.)
* The users added to a SonarQube Cloud group become members of the respective organization.\
  This is the only way a JIT SSO user is added to an organization. Note that if a user cannot be added to any group in SonarQube Cloud, they will land on an empty organization page.

<figure><img src="broken-reference" alt="Users in SonarQube Cloud are automatically added to an organization&#x27;s group if they are members of a group with the same name in the IdP. These users then become members of the respective SonarQube Cloud organization."><figcaption></figcaption></figure>

See [user-group-concept](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/about-sonarqube-cloud-solution/user-management/user-group-concept "mention") for more information about user groups in SonarQube Cloud.

{% hint style="info" %}
If a group with the same name exists in several organizations, the user account is added to all of these groups and is thus a member of all of these organizations.
{% endhint %}

{% hint style="warning" %}
JIT SSO users' group memberships are reset to match those in your identity provider upon login. If you add a JIT SSO user to a SonarQube Cloud group that doesn't exist in the identity provider, the user will be removed from that group on their next login.
{% endhint %}
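
The matching and reset rules above can be modelled to predict which groups and organizations a JIT SSO user ends up in after login. This is an added example, not SonarQube Cloud code; the function name, organization keys and group names are constructed for illustration.

```python
DEFAULT_GROUP = "Members"  # each organization's default group, excluded from the name check


def sync_on_login(idp_groups, org_groups, current):
    """Model one JIT SSO login; returns (memberships, organizations, removed).

    idp_groups: set of group names the IdP reports for the user
    org_groups: {org_key: set of group names defined in that organization}
    current:    {org_key: set of groups the user was in before this login}
    """
    memberships = {}
    for org, groups in org_groups.items():
        # Exact, case-sensitive name match; the default group never matches.
        matched = {g for g in groups if g in idp_groups and g != DEFAULT_GROUP}
        if matched:
            memberships[org] = matched
    # Reset: groups the IdP does not report are dropped. The default group is
    # left out of the model because the page only says it is excluded from matching.
    removed = {}
    for org, groups in current.items():
        dropped = groups - memberships.get(org, set()) - {DEFAULT_GROUP}
        if dropped:
            removed[org] = dropped
    # A user belongs to an organization only through a synchronized group.
    return memberships, set(memberships), removed


# Constructed sample data (organization keys and group names are made up).
IDP_GROUPS = {"backend-devs", "Security", "Members"}
ORG_GROUPS = {
    "org-a": {"backend-devs", "security", "release-managers", "Members"},
    "org-b": {"backend-devs", "Members"},
    "org-c": {"auditors", "Members"},
}
CURRENT = {"org-a": {"backend-devs", "release-managers"}}  # second one added by hand

if __name__ == "__main__":
    memberships, orgs, removed = sync_on_login(IDP_GROUPS, ORG_GROUPS, CURRENT)
    print("memberships:", memberships)
    print("organizations:", sorted(orgs))
    print("removed on login:", removed)
```

In the sample, `Security` does not match `security`, the IdP's `Members` group grants nothing in `org-c`, and the hand-added `release-managers` membership is dropped. An empty result corresponds to the user landing on an empty organization page.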

## Related pages

* [sso](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about/sso "mention") (solution overview)
* [scim](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about/scim "mention") (solution overview)
* [user-groups](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/user-groups "mention")
