# Setting up SSO with JIT provisioning

If you choose not to configure auto-provisioning as part of your SSO authentication setup, SonarQube Cloud uses Just-In-Time (JIT) provisioning. This means that a user's SSO account is automatically created in SonarQube Cloud upon their first login using SSO. See [jit-provisioning](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about/jit-provisioning "mention") for more details.

## Step 1: Verify the user groups

Before setting up SSO with JIT provisioning, you must ensure that the automatic group synchronization can take place properly. To do so, verify that:

* The user groups defined in your IdP service exist in the relevant organizations of your SonarQube Cloud enterprise (i.e. a group with exactly the same, case-sensitive, name exists in the relevant organization(s)).
* The user groups in SonarQube Cloud have the correct permissions.

{% hint style="warning" %}
JIT SSO users' group memberships are reset to match those in your identity provider upon login. If you add a JIT SSO user to a SonarQube Cloud group that doesn't exist in the identity provider, the user will be removed from that group on their next login.
{% endhint %}

To manage the user groups in SonarQube Cloud, see [user-groups](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/user-groups "mention").

### In Okta <a href="#okta" id="okta"></a>

The automatic group synchronization of a group applies only if the group in Okta and the corresponding group in the SonarQube Cloud organization have exactly the same (case-sensitive) name. Note that SonarQube Cloud's default Members group is excluded from the synchronization.

The figure below shows on the left groups defined in Okta and on the right the corresponding groups defined in SonarQube Cloud in two different organizations (`OrgA` and `OrgB`). In this example, the SSO users belonging to the `ENT_ORGA_ADMINS` group in Okta are automatically added to the SonarQube Cloud group of the same name in `OrgA`. This means that they have access to `OrgA` with the permissions granted to that group in SonarQube Cloud.

<div align="left"><figure><img src="https://2223713658-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB4UT2GNiZKjtxFtcFAL7%2Fuploads%2Fgit-blob-ec5c691e7e965d7e844d77914312cd4e05eeb10f%2F02fbdbff622df1152926bc75d1ad8573150940af.png?alt=media" alt="Okta groups (shown on left as your SSO application) map to SonarQube Cloud groups (shown on right as OrgA and OrgB) in different organizations."><figcaption></figcaption></figure></div>

### In Microsoft Entra ID <a href="#entra-id" id="entra-id"></a>

The automatic group synchronization of a group applies only if the group in Microsoft Entra ID and the corresponding group in the SonarQube Cloud organization have exactly the same (case-sensitive) name. Note that SonarQube Cloud's default Members group is excluded from the synchronization.

The figure below shows on the left groups defined in Microsoft Entra ID and on the right the corresponding groups defined in SonarQube Cloud in two different organizations (`Docs-Team` and `claudiasonarova 2023`). In this example, the SSO users belonging to the `Communications` group in Microsoft Entra ID are automatically added to the `Communications` group in SonarQube Cloud. This means that they have access to the `Docs-Team` organization with the permissions granted to that group in SonarQube Cloud.

<div align="left"><figure><img src="https://2223713658-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB4UT2GNiZKjtxFtcFAL7%2Fuploads%2Fgit-blob-ea8da8d67217c89265eada0a51a131b25d7f14d8%2F9d52adf2061ffd948720829f2d07a24faa939b8f.png?alt=media" alt="Microsoft Entra ID groups (shown on left as your SSO application) map to SonarQube Cloud groups (shown on right as Docs-Team and claudiasonarova 2023) in different organizations."><figcaption></figcaption></figure></div>

{% hint style="warning" %}

* Group synchronization doesn't work with Microsoft Entra ID's nested groups.
* Microsoft Entra ID limits the number of groups it lists in a SAML token (150 at the time of writing; see the description of groups in the [Claims in SAML Token](https://learn.microsoft.com/en-us/entra/identity-platform/reference-saml-tokens#claims-in-saml-tokens) table). A user who belongs to more groups than that does not get them listed in the token, so you might need to reduce the number of groups the user is in.
{% endhint %}
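The two checks above (exact, case-sensitive name matching and the login-time reset of group memberships) are easy to get wrong by hand when you have several organizations. The following script is an added example, not SonarQube Cloud code and not a SonarQube Cloud API: it takes an exported list of IdP group names and the groups of each organization (the lists below are constructed sample data, so replace them with exports from your IdP and from each organization's user groups page), reports groups that will sync and groups that differ only by case, spacing or punctuation and will therefore silently fail to sync, and predicts what a JIT login does to a user's existing memberships. The 150-group limit is Microsoft's documented SAML token limit; the helper names are this example's own.

```python
# Pre-flight check for SonarQube Cloud JIT group synchronization.
# Added example: standalone Python, no SonarQube Cloud or IdP API calls.

# SonarQube Cloud's default group: every organization has it and it is
# excluded from IdP synchronization, so it is never added or removed here.
MEMBERS_GROUP = "Members"
# Maximum number of groups Microsoft Entra ID lists in a SAML token.
ENTRA_SAML_GROUP_LIMIT = 150

# Constructed sample data (not from any real tenant): groups defined in the
# IdP, and groups defined in three SonarQube Cloud organizations.
IDP_GROUPS = ["ENT_ORGA_ADMINS", "ENT_ORGB_DEVS", "Communications", "Docs-Writers"]
ORG_GROUPS = {
    "OrgA": ["Members", "ENT_ORGA_ADMINS", "Owners"],
    "OrgB": ["Members", "ent_orgb_devs"],                       # wrong case: will not sync
    "Docs-Team": ["Members", "Communications", "Docs Writers"],  # space vs hyphen: will not sync
}


def _normalize(name):
    """Loose key used only to spot near-misses; the real sync is an exact match."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def group_mapping_report(idp_groups, org_groups):
    """For each organization, list the IdP groups that match exactly and the
    IdP groups that differ only by case, spacing or punctuation.

    SonarQube Cloud synchronizes a group only when the IdP name and the
    organization group name are identical (case-sensitive), so every entry
    in "near_miss" is a group that will not be synchronized as things stand.
    """
    report = {}
    for org, groups in org_groups.items():
        exact = sorted(set(groups) & set(idp_groups))
        by_key = {_normalize(g): g for g in groups if g != MEMBERS_GROUP}
        near_miss = {}
        for idp_group in idp_groups:
            if idp_group in exact:
                continue
            candidate = by_key.get(_normalize(idp_group))
            if candidate is not None:
                near_miss[idp_group] = candidate
        report[org] = {"exact": exact, "near_miss": near_miss}
    return report


def simulate_jit_login(user_idp_groups, user_current_groups, org_groups):
    """Predict a user's per-organization group memberships after a JIT SSO login.

    Memberships are reset to mirror the IdP: a group the user was added to by
    hand in SonarQube Cloud is dropped unless the IdP sends a group of exactly
    the same name. The Members group is left as it was (it is not synced).
    """
    idp = set(user_idp_groups)
    outcome = {}
    for org, groups in org_groups.items():
        before = set(user_current_groups.get(org, []))
        synced = {g for g in groups if g in idp and g != MEMBERS_GROUP}
        after = synced | (before & {MEMBERS_GROUP})
        outcome[org] = {
            "after": sorted(after),
            "added": sorted(after - before),
            "removed": sorted(before - after),
        }
    return outcome


def exceeds_saml_group_limit(user_idp_groups, limit=ENTRA_SAML_GROUP_LIMIT):
    """True when Entra ID would not list all of this user's groups in the SAML token."""
    return len(user_idp_groups) > limit


if __name__ == "__main__":
    import json
    print(json.dumps(group_mapping_report(IDP_GROUPS, ORG_GROUPS), indent=2))
    # A user who was added to OrgA's "Owners" group by hand: it is removed on login.
    current = {"OrgA": ["Members", "Owners"], "OrgB": ["Members", "ent_orgb_devs"]}
    print(json.dumps(simulate_jit_login(["ENT_ORGA_ADMINS", "ENT_ORGB_DEVS"], current, ORG_GROUPS), indent=2))
```

Run it before inviting users: fix every near-miss by renaming the group on one side, and review every "removed" entry, since those are permissions users will lose at their first SSO login.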

## Step 2: Set up SSO

See [saml-sso](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/saml-sso "mention").

## Step 3: Invite users to sign in

You can now invite users to sign in to SonarQube Cloud with SSO. To do so, send them the login URL of your enterprise.

{% hint style="info" %}
SonarQube Cloud supports Service Provider (SP) initiated SSO only; IdP-initiated SSO is not supported. This means that SSO users must start from the SonarQube Cloud login page rather than from a tile in the identity provider's portal.
{% endhint %}

When users sign in with SSO for the first time, their SSO account is created in SonarQube Cloud and they have access to their organization(s) through the automatic group synchronization with the identity provider. They should:

* Check that they have access to their organization(s) and can perform their tasks as before.
* If they use Personal Access Tokens (PATs) for analysis, generate new analysis tokens under their SSO account. Tokens created with their DevOps platform (DOP) account keep working only as long as that DOP account still exists. Note that from the Team plan upward, Scoped Organization Tokens (SOTs) are highly recommended instead of PATs.

To retrieve the login URL of your enterprise:

1. Retrieve your enterprise. See [retrieving-and-viewing-your-enterprise](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise "mention") for more details.
2. Go to **Administration** > **SSO & Provisioning**.
3. In **Single Sign-On (SSO via SAML)**, select the copy tool at the right of the SSO login URL field. You can now paste the copied URL to your invite message.

## Related pages <a href="#related-pages" id="related-pages"></a>

* [edit-or-delete-sso-setup](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/edit-or-delete-sso-setup "mention")
* [troubleshooting](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting "mention")
* [#deleting-sso-account](https://docs.sonarsource.com/sonarqube-cloud/managing-organization/users-and-permissions/user-on-and-offboarding#deleting-sso-account "mention")

## Related online learning

* [Initial SonarQube Cloud Enterprise set up](https://www.sonarsource.com/learn/course/sonarqube-cloud/e390f0fe-64f4-4840-b74c-e63598af72f2/initial-sonarqube-cloud-enterprise-set-up)
