# Complete SSO setup

{% hint style="warning" %}
If you don't use SCIM provisioning, verify first the user groups if not already done. See [Set up SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso.md#if-using-jit).
{% endhint %}

{% stepper %}
{% step %}

## Configure one-click access

SonarQube Cloud uses the Service Provider (SP) initiated SSO (**Idp-initiated SSO is not supported**). It means that SSO users must go to the login page of SonarQube Cloud. 

If you want to use a shortcut link to access the SSO login, use `https://sonarcloud.io/login/sso?enterprise_key=<enterprise_key>`. You can copy this link directly from SonarQube Cloud as follows:

1. Retrieve your enterprise. See [Retrieving and viewing your enterprise](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise.md) for more details.
2. Go to **Administration** > **SSO & Provisioning**.
3. Expand the **Single sign-on** section and select **Copy link** in front of the **Configure one-click access** field.
   {% endstep %}

{% step %}

## Invite users to sign in

You can now invite users to sign in to SonarQube Cloud with SSO. To do so, send them the login URL of your enterprise.

To retrieve the login URL of your enterprise:

1. Retrieve your enterprise. See [Retrieving and viewing your enterprise](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise.md) for more details.
2. Go to **Administration** > **SSO & Provisioning**.
3. Expand the **Single sign-on** section and select **Copy link** in front of the **Invite users to sign in** field. You can now paste the copied URL to your invite message.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/gkQKqwnM3YC6gDqDTq8r" alt="Select the copy link button in front of Invite users to sign in to copy the SSO URL."><figcaption></figcaption></figure>

4. Users should check they have access to their organization(s) in SonarQube Cloud. If they used the DevOps platform service authentication before, they should check that:
   * They can perform their tasks as before.
   * If using Personal Access Tokens (PAT): They can generate their analysis tokens with their SSO account. (They can still use their DevOps platform service (DOP) account tokens to execute analysis as long as their DOP account still exists). Note that from the Team plan, it's highly recommended to use Scoped Organization Tokens (SOT) instead of PATs.
     {% endstep %}

{% step %}

## Terminate

1. Sign in to SonarQube Cloud with your DevOps Platform (DOP) account and grant your SSO account the Administer Enterprise permissions. See [Managing the enterprise-related permissions](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/managing-the-enterprise-related-permissions.md) for more details.
2. If you transitioned from a DevOps platform authentication service to SSO, you can remove the end users’ DOP accounts from the SonarQube Cloud organizations (see [Adding organization members](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/organization-members.md)) and these users can delete their DOP account within SonarQube Cloud (see [Deleting your account](/sonarqube-cloud/managing-your-account/deleting.md)).

{% hint style="warning" %}
We recommend that you keep at least one or a few admin or service user accounts in the DevOps Platform. This is especially crucial if you use Bitbucket Cloud, as you are currently unable to link a SonarQube Cloud organization with a Bitbucket Cloud workspace using an SSO account.
{% endhint %}
{% endstep %}
{% endstepper %}

## Related pages

* [Set up SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso.md)
* [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md)
* [Editing or deleting SSO configuration](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/edit-or-delete-sso-setup.md)
* [Troubleshooting SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting.md)

## Related pages <a href="#related-pages" id="related-pages"></a>

* [Set up SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso.md)
* [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md)
* [Editing or deleting SSO configuration](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/edit-or-delete-sso-setup.md)
* [Troubleshooting SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting.md)
* [Recovering enterprise admin access](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/recovering-enterprise-admin-access.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/complete-setup.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.