# SCIM provisioning

*SCIM provisioning is a beta feature, subject to the terms [here](https://www.sonarsource.com/legal/early-access/).*

You can use SCIM provisioning in SonarQube Cloud alongside Single Sign-On (SSO) to automate user onboarding and offboarding.

SCIM provisioning is supported with any identity provider.

{% hint style="success" %}
To set up SCIM provisioning in your enterprise, see [sso-and-scim-setup-introduction](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/sso-and-scim-setup-introduction "mention").
{% endhint %}

## Supported provisioning features

SCIM automates user and group provisioning and deprovisioning. This includes the synchronization of group memberships. These features are illustrated in the figure below and detailed in the following paragraphs.

<figure><img src="broken-reference" alt="The supported SCIM provisioning operations are user and group provisioning/deprovisioning. This includes the group membership sync."><figcaption></figcaption></figure>

{% hint style="info" %}

* An SSO user has access to an organization (and is a member of this organization) if they belong to a group within this organization.
* User and group permissions are set in SonarQube Cloud.

{% endhint %}

### User provisioning

When you create a user in your identity provider and add them to a group assigned to your SonarQube Cloud application, the user is automatically provisioned in SonarQube Cloud.

### User deprovisioning

When you remove a user from your identity provider or deactivate their account, user deprovisioning is enforced in SonarQube Cloud as follows:

* All the user’s active sessions are revoked.
* The user’s SonarQube Cloud SSO account is deleted.
* The user’s personal access tokens are revoked.

### Group provisioning

When you assign a group to the SonarQube Cloud application in your identity provider, it is automatically provisioned in SonarQube Cloud, provided it's mapped to the relevant SonarQube Cloud organization(s).

If a group with the same name already exists in a SonarQube Cloud organization, the members specified in your identity provider will be added to the existing group and any existing SSO members will be overwritten by the new member list (see also [#special-case-of-existing-groups-with-non-sso-users](#special-case-of-existing-groups-with-non-sso-users "mention")).

### Group membership synchronization

When you add or remove a user to/from a group in your identity provider, the membership of the corresponding SCIM group in the relevant SonarQube Cloud organization(s) is updated.

### Group deprovisioning

When you remove a group from your identity provider, the group is removed from all the SonarQube Cloud organizations it was mapped to. When you unmap a group from an organization in SonarQube Cloud, the group is removed from that organization.

## SCIM provisioning flow

The SCIM provisioning flow with SonarQube Cloud is as follows:

1. The admin performs a provisioning operation in their identity provider, e.g. the admin adds a user to a group assigned to the SonarQube Cloud application.
2. The identity provider sends a SCIM request to SonarQube Cloud.
3. SonarQube Cloud interprets the request, e.g. SonarQube Cloud provisions the user.

<figure><img src="broken-reference" alt="When an admin creates a user in their identity provider, the identity provider sends a SCIM request to SonarQube Cloud that provisions the user."><figcaption></figcaption></figure>

## Limitations and special cases

### Limitations on management

SCIM provisioning and deprovisioning operations are performed exclusively in your identity provider. This means that you cannot perform the following operations in SonarQube Cloud:

* Create or remove an SSO user.
* Add or remove an SSO user to/from an organization.
* Add or remove an SSO user to/from a SCIM group.
* Add SSO users to a non-SCIM group.

Regarding non-SSO users:

* You cannot add non-SSO users to a SCIM group.
* You can still create groups manually in SonarQube Cloud in case you need to manage non-SSO users.

{% hint style="info" %}
The user permissions of SSO users are defined exclusively in SonarQube Cloud through the SCIM groups they belong to.
{% endhint %}

### SCIM group limits and provisioning rate

Due to constraints from Auth0, SCIM provisioning in your identity provider is subject to the following group limitations:

* The maximum number of groups is 10,000.
* The maximum number of members in a single group is 200,000.
* Nested groups are not supported.

In addition, the connection with your identity provider is limited to a maximum of 25 requests per second.
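
A pre-flight check against these limits can be run on a group export before enabling SCIM. The following is an added example, not SonarQube Cloud or identity provider code; the export shape (`("user", id)` / `("group", name)` tuples) and the one-request-per-object estimate are assumptions.

```python
import math

# Limits stated on this page.
MAX_GROUPS = 10_000
MAX_MEMBERS_PER_GROUP = 200_000
MAX_REQUESTS_PER_SECOND = 25

def preflight(groups):
    """Check an IdP group export against the documented SCIM limits.

    `groups` maps group name -> list of members, each ("user", id) or
    ("group", name). This export shape is an assumption of the example.
    Returns a list of findings; an empty list means no violation.
    """
    findings = []
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} groups exceeds the limit of {MAX_GROUPS}")
    for name, members in sorted(groups.items()):
        nested = sorted(m[1] for m in members if m[0] == "group")
        if nested:
            findings.append(f"group {name!r} nests {nested}: nested groups are not supported")
        users = {m[1] for m in members if m[0] == "user"}
        if len(users) > MAX_MEMBERS_PER_GROUP:
            findings.append(f"group {name!r} has {len(users)} members, limit is {MAX_MEMBERS_PER_GROUP}")
    return findings

def min_sync_seconds(groups, requests_per_membership=1):
    """Lower bound on the initial sync duration at 25 requests per second.

    Assumes one request per distinct user, one per group and
    `requests_per_membership` per membership; a real IdP may batch differently.
    """
    users = {m[1] for ms in groups.values() for m in ms if m[0] == "user"}
    memberships = sum(1 for ms in groups.values() for m in ms if m[0] == "user")
    requests = len(users) + len(groups) + memberships * requests_per_membership
    return math.ceil(requests / MAX_REQUESTS_PER_SECOND)

# Constructed sample export (not real data).
SAMPLE = {
    "sonar-devs": [("user", "alice"), ("user", "bob")],
    "sonar-admins": [("user", "alice"), ("group", "sonar-devs")],
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("FINDING:", finding)
    print("minimum sync time (s):", min_sync_seconds(SAMPLE))
```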

### Special case of existing groups with non-SSO users

If a SCIM group contains non-SSO users (this may be the case if the group existed previously within the organization):

* The only manual operation permitted on this group in SonarQube Cloud is the manual removal of non-SSO users.
* If you remove this group in your IdP or unmap it from an organization, the SSO users will be removed from the group in SonarQube Cloud but the group itself and the non-SSO users will not be removed.
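
The group rules above, together with the same-name takeover described under "Group provisioning", can be modelled to see which memberships survive offboarding. This is an added illustration of the documented behaviour, not SonarQube Cloud code; the `Group` class, the function names and the sample users are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """One group in one organization (illustrative model only)."""
    name: str
    sso: set = field(default_factory=set)      # SSO members
    non_sso: set = field(default_factory=set)  # manually managed members
    scim: bool = False                         # mapped from the identity provider

def provision(org, name, idp_members):
    """IdP assigns a group: create it or take over a same-named group."""
    group = org.setdefault(name, Group(name))
    group.scim = True
    group.sso = set(idp_members)  # existing SSO members are overwritten
    return group

def deprovision(org, name):
    """IdP removes the group, or it is unmapped from this organization."""
    group = org[name]
    group.sso.clear()
    if group.non_sso:
        group.scim = False  # assumption: the leftover group is manual again
    else:
        del org[name]

def manual_edit(org, name, user, action):
    """Manual change in SonarQube Cloud; action is "add" or "remove"."""
    group = org[name]
    if user in group.sso or (group.scim and action == "add"):
        raise PermissionError(f"{action} {user!r}: manage this in the identity provider")
    if action == "add":
        group.non_sso.add(user)
    else:
        group.non_sso.discard(user)

def mixed_groups(org):
    """SCIM groups holding non-SSO users, which IdP deprovisioning leaves behind."""
    return {g.name: sorted(g.non_sso) for g in org.values() if g.scim and g.non_sso}

if __name__ == "__main__":
    # Constructed state: a group that existed before SCIM was enabled.
    org = {"developers": Group("developers", {"old-sso-user"}, {"contractor"})}
    provision(org, "developers", ["alice", "bob"])
    print(mixed_groups(org))       # audit before offboarding
    deprovision(org, "developers")
    print(org["developers"])       # group and contractor remain
```

Reviewing the output of `mixed_groups` before removing or unmapping a group shows which non-SSO accounts keep their group membership and must be removed manually.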

## Related pages

* [scim](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/scim "mention")
* [update](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/update "mention")
* [setup](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup "mention")
