Set up SCIM

If Single Sign-On (SSO) is used in your SonarQube Cloud enterprise for user authentication, you can set up SCIM to automate provisioning. SCIM provisioning is supported with any identity provider.

This feature requires the Enterprise license.

For more information about the provisioning feature, see Related pages.

To set up SCIM provisioning in your enterprise, you must be the administrator of the enterprise in SonarQube Cloud.

Step 1: Start the Provisioning setup assistant

  1. Retrieve your enterprise. For more information, see Retrieving and viewing your enterprise.

  2. Go to Administration > SSO & Provisioning. The SSO & Provisioning page opens.

  3. Expand the Provisioning (SCIM) section and select Set up provisioning. The Configure Your Connection page opens.

  4. Select Provisioning. The SCIM provisioning setup assistant opens.

You will copy values from the SCIM provisioning setup assistant to your identity provider's application for SonarQube Cloud.

Step 2: Set up SCIM provisioning in your identity provider

In this step, you will configure your identity provider’s application for SonarQube Cloud by copying values from SonarQube Cloud’s SCIM provisioning setup assistant. The configuration depends on your identity provider.

With Okta

  1. In Okta, open the application used to manage Single Sign-On in SonarQube Cloud.

  2. In the General tab, in App Settings, select Edit.

  3. In Provisioning, select SCIM and save. The Provisioning tab is added to your application.

  4. Open the Provisioning tab.

  5. In SCIM Connection, set the parameters as described below:

    • SCIM connector base URL: Copy-paste the Provisioning Endpoint URL from SonarQube Cloud’s setup assistant.

    • Unique identifier field for users: Copy-paste the User ID attribute value in Required attributes from SonarQube Cloud’s setup assistant.

    • Supported provisioning actions: Select the following options:

      • Import New Users and Profile Updates

      • Push New Users

      • Push Profile Updates

    • Authentication Mode: HTTP Header

  6. In SonarQube Cloud’s SCIM provisioning setup assistant, select Generate Token in the Bearer Token section.

  7. Copy the generated token by selecting the Copy And Close button.

  8. In your identity provider, in the HTTP Header section, paste the token into Bearer.

  9. Select Test Connector Configuration. The test starts. Note that only user deprovisioning is currently supported in SonarQube Cloud.

  10. Close the test configuration window.

  11. Select Save.

  12. In SonarQube Cloud’s SCIM provisioning setup assistant, select Done.

With Microsoft Entra ID

  1. In Microsoft Entra ID, go to Identity > Applications > Enterprise applications > All applications and select the application created for SonarQube Cloud.

  2. On the application’s page, select Provisioning in the left-hand side menu.

  3. In the top menu bar, select New configuration.

  4. In Admin credentials, set the fields as follows:

    • Select authentication method: Select Bearer authentication

    • Secret token: In SonarQube Cloud’s SCIM provisioning setup assistant, select Generate Token in the Bearer Token section.

      Copy the generated token and paste it to this field.

    • Tenant URL: Copy-paste the Provisioning Endpoint URL from SonarQube Cloud’s setup assistant. See Warning below.

  5. Select the Test connection button. You should see a success pop-up at the top right corner of the page.

  6. Select the Create button.

  7. In the left-hand side menu, select Attribute mapping.

  8. Select Provision Microsoft Entra ID Groups. The Attribute Mapping dialog for groups opens.

  9. Ensure the feature is enabled and the Create, Update and Delete actions are selected in Target Object Actions.

  10. Return to the previous page and select Provision Microsoft Entra ID Users. The Attribute Mapping dialog for users opens.

  11. Ensure the feature is enabled and the Create, Update and Delete actions are selected in Target Object Actions.

  12. In Attribute Mappings, map the userName customappsso Attribute (target) to the Microsoft Entra ID Attribute (source) used as SAML user login attribute in your SAML configuration. For example, if your login attribute is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in your SonarQube Server’s SAML configuration and it is mapped to user.userprincipalname (default), use userprincipalname here. Otherwise, if it is mapped to user.mail, then use mail instead.

  13. Click Save. This takes you back to the Provisioning page.

  14. Ensure that Provisioning Mode is Automatic.

  15. Open the Settings section and in the Scope subsection, select Sync only assigned users and groups.

  16. Set the Provisioning Status to On and click Save.

  17. Go back to the Overview page and select the Start provisioning button.

  18. In SonarQube Cloud’s SCIM provisioning setup assistant, select Done.

Microsoft Entra ID runs a SCIM synchronization every 40 minutes. Changes in Microsoft Entra ID are not reflected immediately in SonarQube Cloud.

With JumpCloud

  1. In JumpCloud, open the application used to manage Single Sign-On in SonarQube Cloud and open the Identity Management tab.

  2. In Configuration Settings > Service Provider (SP) Configuration set the fields as described below:

    • API Type: SCIM API

    • SCIM Version: SCIM 2.0

    • Base URL:

      1. Copy-paste the Provisioning Endpoint URL from SonarQube Cloud’s setup assistant.

      2. Remove the trailing slash from the URL. This step is very important. The SCIM connection will fail if the URL has a trailing slash.

    • Token Key: In SonarQube Cloud’s SCIM provisioning setup assistant, select Generate Token in the Bearer Token section. Copy the generated token and paste it to this field.

    • Test User Email: Enter any email address.

  3. Select the Test Connection button. If the test was successful, proceed with the setup.

  4. Unselect the Enable management of User Groups and Group Membership in this application option, and select Activate.

  5. In SonarQube Cloud’s SCIM provisioning setup assistant, select Done.

Step 3: Enable the SSO connection with SCIM

To enable the connection to your identity provider:

  • On the Configure Your Connection page of SonarQube Cloud's setup assistant, select Enable Connection.

Step 4: Map your groups to organizations

Only groups that are both assigned to the SonarQube Cloud application in your identity provider and manually mapped to SonarQube Cloud organizations will be provisioned by SCIM. The following applies:

  • The same group can be mapped to several organizations.

  • You can update the group mapping anytime.

Upon completion of this step, the groups will be created within your SonarQube Cloud organizations. Should a group with an identical name already exist, the members specified in your identity provider will be added to the existing group and any existing SSO member will be overwritten by the new member list. See also About SSO and provisioning.
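
The rule above can be checked against a proposed mapping before you confirm it. The following Python code is an added example, not part of SonarQube Cloud or its documentation: the inventory is constructed, every name in it is hypothetical, and keeping the non-SSO members of an existing group is an assumption.

```python
# Constructed sample inventory; every group, user and organization name is hypothetical.
IDP_ASSIGNED = {  # groups assigned to the SonarQube Cloud application in the IdP
    "developers": {"alice", "bob"},
    "security-team": {"carol"},
    "admins": {"dave"},
}
GROUP_MAPPING = {  # manual mapping in SonarQube Cloud: IdP group -> organizations
    "developers": {"org-a", "org-b"},
    "admins": {"org-a"},
    "contractors": {"org-b"},  # mapped, but not assigned in the IdP
}
EXISTING = {  # groups that already exist in an organization before the mapping
    ("org-a", "admins"): {"sso": {"erin"}, "other": {"local-admin"}},
}


def preview_provisioning(assigned, mapping, existing):
    """Return (plan, skipped) for a proposed mapping, before it is confirmed."""
    plan, skipped = [], {}
    for group in sorted(set(assigned) | set(mapping)):
        if group not in assigned:
            skipped[group] = "mapped but not assigned in the IdP"
            continue
        if not mapping.get(group):
            skipped[group] = "assigned but not mapped to any organization"
            continue
        idp_members = set(assigned[group])
        for org in sorted(mapping[group]):
            current = existing.get((org, group))
            if current is None:  # no name collision: the group is created
                members, removed, action = idp_members, set(), "create"
            else:
                # Name collision: IdP members join the existing group and its
                # SSO member list is overwritten. Keeping the non-SSO members
                # is this example's assumption.
                members = idp_members | current["other"]
                removed = current["sso"] - idp_members
                action = "merge"
            plan.append({"org": org, "group": group, "action": action,
                         "members": members, "sso_removed": removed})
    return plan, skipped


def collisions(plan):
    """Entries an administrator should review before confirming the mapping."""
    return [entry for entry in plan if entry["action"] == "merge"]
```

Each entry returned by `collisions` is a group whose name already exists in the organization, so review the permissions held by that group before confirming the mapping.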

You can either:

Mapping all groups to all organizations

You can map all groups to all organizations in one click. If necessary, you can then refine the mapping as explained below in Defining a custom mapping.

Proceed as follows:

  1. Make sure the user groups are assigned to the SonarQube Cloud application in your identity provider.

  2. Retrieve your enterprise. For more information, see Retrieving and viewing your enterprise.

  3. Go to Administration > SSO & Provisioning. The SSO & Provisioning page opens.

  4. Expand the IdP group mapping section and select the Map groups button. The button is only available if you have set up SSO and provisioning properly. The Group mapping page opens.

  5. In the top right corner, select the Map all button. A confirmation dialog opens.

  6. Confirm. The mapping is started and may take several minutes. Don’t leave the page as long as the mapping is in progress. Once the mapping is complete, a Mapping complete dialog is displayed.

  7. Close the dialog. All groups are mapped to all organizations.

Defining a custom mapping

  1. Make sure the user groups are assigned to the SonarQube Cloud application in your identity provider.

  2. Retrieve your enterprise. For more information, see Retrieving and viewing your enterprise.

  3. Go to Administration > SSO & Provisioning.

  4. Expand the IdP group mapping section and select the Map groups button. The button is only available if you have set up SSO and provisioning properly. The Group mapping page opens.

  5. In the SonarQube Organizations panel (a), select the organization you want to map.

  6. In the Map IdP groups to <organization> table (b), select the groups you want to map to your organization. You can filter the groups by using the Search IdP groups field. Toggle the selection of all groups by clicking the checkbox next to Group in the table header.

  7. Select Save changes (c). A confirmation dialog opens.

  8. Confirm the mapping. The mapping is started and may take several minutes. Don’t leave the page as long as the mapping is in progress. Once the mapping is complete, a Mapping complete dialog is displayed.

  9. Close the dialog and proceed the same way for each organization.

Step 5: Define the permissions

Users and groups are now provisioned in SonarQube Cloud and you can set their permissions.

To manage the user and group permissions in your enterprise, see Managing the enterprise-related permissions.

To manage the user and group permissions in an organization, you can:
