# Set up SCIM

*This feature requires the Enterprise license.*

For more information about the provisioning feature, see [About SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about.md#related-pages).

{% hint style="warning" %}
With SCIM provisioning, users and groups are managed exclusively in your identity provider.
{% endhint %}

To set up SCIM provisioning in your enterprise, you must be the administrator of the enterprise in SonarQube Cloud.

{% stepper %}
{% step %}

## Start the Provisioning setup assistant

1. Retrieve your enterprise. For more information, see [Retrieving and viewing your enterprise](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise.md).
2. Go to **Administration** > **SSO & Provisioning**. The **SSO & Provisioning** page opens.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/gjvJAmgvQOJ5j1p5qUNZ" alt="Select the Set up provisioning button."><figcaption></figcaption></figure>

3. Expand the **Provisioning (SCIM)** section and select **Set up provisioning**. The **Configure Your Connection** page opens.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/rxAYAggjuasOgmOaPoxR" alt="Select Provisioning to set up SCIM provisioning."><figcaption></figcaption></figure>

{% hint style="danger" %}

* Before setting up SCIM provisioning, you must resolve any Single Sign-On warnings shown on this page. If there are any, select **Single Sign-On** and follow the instructions of the setup assistant. For more information, see [Troubleshooting SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting.md).
* Note that the attribute mapping was changed recently. If your SSO setup was performed before this change, a warning will be displayed. In that case, follow the instructions to update your mapping in SonarQube Cloud. Also check the attribute mapping in your identity provider to make sure it matches the new SonarQube Cloud mapping. For more information, see [Set up SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso.md#create-and-set-up-the-sonarqube-cloud-application-in-your-identity-provider).
  {% endhint %}

4. Select **Provisioning**. The SCIM provisioning setup assistant opens.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/sHgMPE8UDQdkZCMCo8Qy" alt="You will copy values from the SCIM provisioning setup assistant to your identity provider&#x27;s application for SonarQube Cloud."><figcaption></figcaption></figure>
{% endstep %}

{% step %}

## Set up SCIM provisioning in your identity provider

In this step, you will configure your identity provider’s application for SonarQube Cloud by copying values from SonarQube Cloud’s SCIM provisioning setup assistant. The configuration depends on your identity provider.

<details>

<summary><strong>With Okta</strong></summary>

1. In Okta, open the application used to manage Single Sign-On in SonarQube Cloud.
2. In the **General** tab, in **App Settings**, select **Edit**.
3. In **Provisioning**, select **SCIM** and save. The **Provisioning** tab is added to your application.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/KW5tsORDpShDJFDCIHQz" alt="In your Okta application for SonarQube Cloud, enable SCIM provisioning."><figcaption></figcaption></figure>

4. Open the **Provisioning** tab.
5. In **SCIM Connection**, set the parameters as described below:
   * **SCIM connector base URL**: Copy-paste the **Provisioning Endpoint URL** from SonarQube Cloud’s setup assistant.
   * **Unique identifier field for users**: Copy-paste the **User ID** attribute value in **Required attributes** from SonarQube Cloud’s setup assistant.
   * **Supported provisioning actions**: Select the following options:
     * **Import New Users and Profile Updates**
     * **Push New Users**
     * **Push Profile Updates**
   * **Authentication Mode**: `HTTP Header`
6. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Generate Token** in the **Bearer Token** section.
7. Copy the generated token.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/zsiVlO3hjJ3yYgyGdvZW" alt="Copy the generated token by selecting the Copy And Close button and paste it where it belongs."><figcaption></figcaption></figure>

8. In your identity provider, in the **HTTP Header** section, paste the token into **Bearer**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/lpxNV4BiBli0Yiwxy6zo" alt="In your Okta application for SonarQube Cloud, set the SCIM connection in the Provisioning tab."><figcaption></figcaption></figure>

9. Select **Test Connector Configuration**. The test starts. Note that only user deprovisioning is currently supported in SonarQube Cloud.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/vSau7KZDd62yUcNDoNVU" alt="Test the SCIM connection in your Okta application for SonarQube."><figcaption></figcaption></figure>

10. Close the test configuration window.
11. Select **Save**.
12. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Done**.

</details>

<details>

<summary><strong>With Microsoft Entra ID</strong></summary>

1. In Microsoft Entra ID, go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application created for SonarQube Cloud.
2. On the application’s page, select **Provisioning** in the left-hand side menu.
3. In the top menu bar, select **New configuration**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/spuaXFaKWYBa8Ocd3qVb" alt="Select the New configuration button in the Provisioning page of the SonarQube Cloud app."><figcaption></figcaption></figure>

4. In **Admin credentials**, set the fields as follows:
   * **Select authentication method**: Select **Bearer authentication**
   * **Secret token**: In SonarQube Cloud’s SCIM provisioning setup assistant, select **Generate Token** in the **Bearer Token** section.

     Copy the generated token and paste it to this field.
   * **Tenant URL**: Copy-paste the **Provisioning Endpoint URL** from SonarQube Cloud’s setup assistant. See **Warning** below.

{% hint style="warning" %}
For the **Tenant URL**, you currently have to follow the additional step defined in [Flags to alter the SCIM behavior](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior) and add `?aadOptscim062020` to the end of the URL value.
{% endhint %}

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/5JwUiHlkwsIXmWo6kR3y" alt="Set the Admin credentials parameters."><figcaption></figcaption></figure>

5. Select the **Test connection** button. You should see a success pop-up at the top right corner of the page.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/0bgYDDdrJ2TdbYCBFGsQ" alt="A success pop-up is displayed in the top right corner if the connection test was successful."><figcaption></figcaption></figure>

6. Select the **Create** button.
7. In the left-hand side menu, select **Attribute mapping**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/jxxJDKt387pX47yvR7Tc" alt="Select Attribute mapping."><figcaption></figcaption></figure>

8. Select **Provision Microsoft Entra ID Groups**. The **Attribute Mapping** dialog for groups opens.
9. Ensure the feature is enabled and the **Create**, **Update** and **Delete** actions are selected in **Target Object Actions**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/pdvlTWHp98dPRTo9YyOu" alt="Enable the feature and select all Target Object Actions."><figcaption></figcaption></figure>

10. Return to the previous page and select **Provision Microsoft Entra ID Users**. The **Attribute Mapping** dialog for users opens.
11. Ensure the feature is enabled and the **Create**, **Update** and **Delete** actions are selected in **Target Object Actions**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/PikTHry6xSIML4PynSOu" alt="Make sure Enabled is set to Yes and the Target Objects Actions are all enabled."><figcaption></figcaption></figure>

12. In **Attribute Mappings**, map the `userName` **customappsso Attribute** (target) to the **Microsoft Entra ID Attribute** (source) used as SAML user login attribute in your SAML configuration.\
    For example, if your login attribute is `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in your SonarQube Server’s SAML configuration and it is mapped to `user.userprincipalname` (default), use `userprincipalname` here. Otherwise, if it is mapped to `user.mail`, then use `mail` instead.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/tOzBGyPN3A1MYBXk3Kc3" alt="map the userName customappsso Attribute (target) to the Microsoft Entra ID Attribute (source) used as SAML user login attribute in your SAML configuration."><figcaption></figcaption></figure>

13. Click **Save**. This takes you back to the **Provisioning** page.
14. Ensure that **Provisioning Mode** is **Automatic**.
15. Open the **Settings** section and in the **Scope** subsection, select **Sync only assigned users and groups**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/Uf3Hykcfj9c2b6tqvYgN" alt="In MS Entra ID, select Sync only assigned users and groups"><figcaption></figcaption></figure>

16. Set the **Provisioning Status** to **On** and click **Save**.
17. Go back to the **Overview** page and select the **Start provisioning** button.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/RfnpNLLzOZTiPJQKREVz" alt="Select the Start provisioning button on the Overview page."><figcaption></figcaption></figure>

18. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Done**.

{% hint style="info" %}
Microsoft Entra ID runs a SCIM synchronization every 40 minutes. Changes in Microsoft Entra ID are not reflected immediately in SonarQube Cloud.
{% endhint %}

</details>

<details>

<summary><strong>With JumpCloud</strong></summary>

1. In JumpCloud, open the application used to manage Single Sign-On in SonarQube Cloud and open the **Identity Management** tab.
2. In **Configuration Settings** > **Service Provider (SP) Configuration** set the fields as described below:
   * **API Type**: `SCIM API`
   * **SCIM Version**: `SCIM 2.0`
   * **Base URL**:
     1. Copy-paste the **Provisioning Endpoint URL** from SonarQube Cloud’s setup assistant.
     2. Remove the trailing slash from the URL. **This step is very important. The SCIM connection will fail if the URL has a trailing slash.**
   * **Token Key**: In SonarQube Cloud’s SCIM provisioning setup assistant, select **Generate Token** in the **Bearer Token** section. Copy the generated token and paste it to this field.
   * **Test User Email**: Enter any email address.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/SthNaNg5FjN6j9Lfm2mG" alt="Select SCIM API and SCIM 2.0, and copy-paste the base URL and token key from SonarQube Cloud"><figcaption></figcaption></figure>

{% hint style="warning" %}
Make sure you remove the trailing slash from the base URL. The figure below shows the trailing slash.
{% endhint %}

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/DIQZC1Dk8T5wdKbVSYlm" alt="Remove the trailing slash from the base URL copied from SonarQube Cloud"><figcaption></figcaption></figure>

3. Select the **Test Connection** button. If the test was successful, proceed with the setup.
4. Unselect the **Enable management of User Groups and Group Membership in this application** option, and select **Activate**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/gDdhTrcgFZabIaargoP8" alt="Unselect the Enable management of User Groups and Group Membership in this application option, and select Activate."><figcaption></figcaption></figure>

5. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Done**.

</details>
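
Added example (not part of the SonarQube documentation): a Python helper that derives the URL value each identity provider expects from the **Provisioning Endpoint URL**, applying the Microsoft Entra ID flag and the JumpCloud trailing-slash rule described above. The endpoint is a constructed placeholder; the function name and the strict rejection of non-HTTPS URLs, embedded credentials and unexpected query strings are assumptions of this example, chosen because the bearer token is sent to whatever URL is configured.

```python
from urllib.parse import urlsplit, urlunsplit

ENTRA_FLAG = "aadOptscim062020"  # flag this page says to append for Entra ID

# Constructed placeholder, not a real SonarQube Cloud endpoint.
SAMPLE_ENDPOINT = "https://scim.example.invalid/scim/v2/"


def idp_scim_url(endpoint: str, idp: str) -> str:
    """Return the value to paste into the identity provider's SCIM URL field.

    idp is one of "okta", "entra" or "jumpcloud" (hypothetical labels).
    """
    parts = urlsplit(endpoint.strip())  # pasted values often carry whitespace

    # The bearer token travels in a header to this URL: insist on HTTPS.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an absolute https:// URL")
    if parts.username or parts.password or parts.fragment:
        raise ValueError("URL must not carry credentials or a fragment")

    idp = idp.lower()
    path, query = parts.path, parts.query

    if idp == "okta":
        # SCIM connector base URL: pasted as copied.
        if query:
            raise ValueError("unexpected query string in copied URL")
    elif idp == "jumpcloud":
        # Base URL: the connection fails if a trailing slash is left in place.
        if query:
            raise ValueError("unexpected query string in copied URL")
        path = path.rstrip("/")
    elif idp == "entra":
        # Tenant URL: append the flag once; re-running must not duplicate it.
        if query not in ("", ENTRA_FLAG):
            raise ValueError("unexpected query string in copied URL")
        query = ENTRA_FLAG
    else:
        raise ValueError(f"unknown identity provider: {idp!r}")

    return urlunsplit(("https", parts.netloc, path, query, ""))


if __name__ == "__main__":
    for name in ("okta", "entra", "jumpcloud"):
        print(f"{name:10s} {idp_scim_url(SAMPLE_ENDPOINT, name)}")
```
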
{% endstep %}

{% step %}

## Enable the SSO connection with SCIM

To enable the connection to your identity provider:

* On the **Configure Your Connection** page of SonarQube Cloud's setup assistant, select **Enable Connection**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/AVEhiyuDcN1gGNUhKn2c" alt="Select Enable Connection."><figcaption></figcaption></figure>
{% endstep %}

{% step %}

## Map your groups to organizations <a href="#map-groups" id="map-groups"></a>

Only groups that are both assigned to the SonarQube Cloud application in your identity provider and manually mapped to SonarQube Cloud organizations will be provisioned by SCIM. The following applies:

* The same group can be mapped to several organizations.
* You can update the group mapping anytime.

{% hint style="info" %}
Upon completion of this step, the groups will be created within your SonarQube Cloud organizations. Should a group with an identical name already exist, the members specified in your identity provider will be added to the existing group and any existing SSO member will be overwritten by the new member list. See also [About SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about.md#special-case-of-existing-groups-with-non-sso-users).
{% endhint %}

You can either:

* [Map all groups to all organizations](#mapping-all-groups-to-all-organizations).
* or [define a custom mapping](#defining-a-custom-mapping).

### Mapping all groups to all organizations

You can map all groups to all organizations in one click. If necessary, you can then refine the mapping as explained below in [Defining a custom mapping](#defining-a-custom-mapping).

Proceed as follows:

1. Make sure the user groups are assigned to the SonarQube Cloud application in your identity provider.
2. Retrieve your enterprise. For more information, see [Retrieving and viewing your enterprise](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise.md).
3. Go to **Administration** > **SSO & Provisioning**. The **SSO & Provisioning** page opens.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/GCdXtw12tfNNEOlNqLOG" alt="Select the Map Groups button."><figcaption></figcaption></figure>

4. Expand the **IdP group mapping** section and select the **Map groups** button. The button is only available if you have set up SSO and provisioning properly.\
   The **Group mapping** page opens.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/Mw3PXlJiYrWWrmlyEElX" alt="Select the Map all button."><figcaption></figcaption></figure>

5. In the top right corner, select the **Map all** button. A confirmation dialog opens.
6. Confirm. The mapping starts and may take several minutes. Don’t leave the page while the mapping is in progress.\
   Once the mapping is complete, a **Mapping complete** dialog is displayed.
7. Close the dialog. All groups are mapped to all organizations.

### Defining a custom mapping

1. Make sure the user groups are assigned to the SonarQube Cloud application in your identity provider.
2. Retrieve your enterprise. For more information, see [Retrieving and viewing your enterprise](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise.md).
3. Go to **Administration** > **SSO & Provisioning**.
4. Expand the **IdP group mapping** section and select the **Map groups** button. The button is only available if you have set up SSO and provisioning properly.\
   The **Group mapping** page opens.
5. In the **SonarQube Organizations** panel (a), select the organization you want to map.
6. In the **Map IdP groups to \<organization>** table (b), select the groups you want to map to your organization. You can filter the groups by using the **Search IdP groups** field. Toggle the selection of all groups by clicking the checkbox next to **Group** in the table header.
7. Select **Save changes** (c). A confirmation dialog opens.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/ULxtBpbWngUNnKxJ6gJU" alt="Select an organization. Then select the groups to be mapped to the organization. Save."><figcaption></figcaption></figure>

8. Confirm the mapping. The mapping starts and may take several minutes. Don’t leave the page while the mapping is in progress.\
   Once the mapping is complete, a **Mapping complete** dialog is displayed.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/FQcGfSgBZyyWWNHqseii" alt="The SCIM group mapping is in progress. Don&#x27;t leave the page."><figcaption></figcaption></figure>

9. Close the dialog and proceed the same way for each organization.
   {% endstep %}

{% step %}

## Define the permissions

Users and groups are now provisioned in SonarQube Cloud and you can set their permissions.

To manage the user and group permissions in your enterprise, see [Managing the enterprise-related permissions](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/managing-the-enterprise-related-permissions.md).

To manage the user and group permissions in an organization, you can:

* Define the users and/or groups that can create projects in the organization. See [Managing organization permissions](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/organization-permissions.md) for more details.
* Verify the default permissions on new projects. See [Using permission templates](/sonarqube-cloud/administering-sonarcloud/managing-organization/manage-org-projects/manage-project-permissions/templates.md) for more details.
  {% endstep %}

{% step %}

## Terminate

See [Complete SSO setup](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/complete-setup.md).
{% endstep %}
{% endstepper %}

## Related pages <a href="#related-pages" id="related-pages"></a>

* [Set up SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso.md)
* [Complete SSO setup](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/complete-setup.md)
* [Editing or deleting SSO configuration](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/edit-or-delete-sso-setup.md)
* [Troubleshooting SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting.md)


