Complete SSO setup
How to complete your Single Sign-On (SSO) setup with SCIM or JIT provisioning in SonarQube Cloud.
If you don't use SCIM provisioning, verify first the user groups if not already done. See If using JIT provisioning (Verify groups and permissions).
Configure one-click access
SonarQube Cloud uses the Service Provider (SP) initiated SSO (Idp-initiated SSO is not supported). It means that SSO users must go to the login page of SonarQube Cloud.
If you want to use a shortcut link to access the SSO login, use https://sonarcloud.io/login/sso?enterprise_key=<enterprise_key>. You can copy this link directly from SonarQube Cloud as follows:
Retrieve your enterprise. See Retrieving and viewing your enterprise for more details.
Go to Administration > SSO & Provisioning.
Expand the Single sign-on section and select Copy link in front of the Configure one-click access field.
Invite users to sign in
You can now invite users to sign in to SonarQube Cloud with SSO. To do so, send them the login URL of your enterprise.
To retrieve the login URL of your enterprise:
Retrieve your enterprise. See Retrieving and viewing your enterprise for more details.
Go to Administration > SSO & Provisioning.
Expand the Single sign-on section and select Copy link in front of the Invite users to sign in field. You can now paste the copied URL to your invite message.
Users should check they have access to their organization(s) in SonarQube Cloud. If they used the DevOps platform service authentication before, they should check that:
They can perform their tasks as before.
If using Personal Access Tokens (PAT): They can generate their analysis tokens with their SSO account. (They can still use their DevOps platform service (DOP) account tokens to execute analysis as long as their DOP account still exists). Note that from the Team plan, it's highly recommended to use Scoped Organization Tokens (SOT) instead of PATs.
Terminate
Sign in to SonarQube Cloud with your DevOps Platform (DOP) account and grant your SSO account the Administer Enterprise permissions. See Managing the enterprise-related permissions for more details.
If you transitioned from a DevOps platform authentication service to SSO, you can remove the end users’ DOP accounts from the SonarQube Cloud organizations (see Adding organization members) and these users can delete their DOP account within SonarQube Cloud (see Deleting your account).
We recommend that you keep at least one or a few admin or service user accounts in the DevOps Platform. This is especially crucial if you use Bitbucket Cloud, as you are currently unable to link a SonarQube Cloud organization with a Bitbucket Cloud workspace using an SSO account.
Related pages
Related pages
Last updated
Was this helpful?