# Step 1: Set up SAML SSO

You must be the administrator of the enterprise in SonarQube Cloud.

{% stepper %}
{% step %}

### Start the SSO setup assistant

1. In SonarQube Cloud, retrieve your enterprise. See [retrieving-and-viewing-your-enterprise](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise "mention") for more details.
2. Go to **Administration** > **SSO & Provisioning**. The **SSO & Provisioning** page opens.

<figure><img src="broken-reference" alt="Select the Configure SSO button."><figcaption></figcaption></figure>

3. In the top-right corner, select **Edit configuration**.
4. In the bottom-right corner, select **Get Started**. The **Configure Your Connection** page opens.

<figure><img src="broken-reference" alt="Select Single Sign-On to start the SSO setup."><figcaption></figcaption></figure>

5. Select **Single Sign-On**. The SSO setup assistant opens.
6. Select **Custom SAML** and then **Next**. The first step **1. Create Application** of the SAML SSO setup assistant opens.

<figure><img src="broken-reference" alt="The first step of the SonarQube Cloud&#x27;s SAML SSO setup assistant is Create Application."><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Create and set up the SonarQube Cloud application in your identity provider

This step depends on your identity provider.

<details>

<summary><strong>Okta</strong></summary>

1. In Okta, under **Applications**, select **Create App Integration**.

<figure><img src="broken-reference" alt="Select SAML 2.0"><figcaption></figcaption></figure>

2. In the dialog, select **SAML 2.0**.
3. Select **Next**.
4. Fill in the fields and options as described below.
   * **General settings:**
     * **App name**: SonarQube Cloud application name.

       Example: SonarQube Cloud.
     * **General settings** > **App visibility: Do not display application icon to users**: Select this option. (This is because SonarQube Cloud doesn’t support IdP-initiated SSO.)
   * **SAML settings:**
     * **Single sign on URL**: Copy-paste the **Single Sign-On URL** field value from the setup assistant.
     * **Audience URI (SP Entity ID)**: Copy-paste the **Service Provider Identity ID** field value from the setup assistant.
     * **Response**: `Signed`
     * **Assertion Signature**: `Signed`
     * **Signature Algorithm**: `RSA-SHA256`
   * *For assertion encryption:*
     * **Assertion Encryption**: If you want to enable assertion encryption, select **Encrypted** and fill in the fields below.
     * **Encryption Algorithm**: Select `AES256-GCM` for high security.
     * **Key Transport Algorithm**: `RSA-OAEP`
     * **Encryption Certificate**: The public X.509 certificate used by the identity provider to authenticate SAML messages.

{% hint style="danger" %}
Only a single sign-on URL is allowed. Attempting to configure URLs in **Other Requestable SSO URLs** will lead to errors in your SSO setup.
{% endhint %}

5. In the **Feedback** dialog, select **Finish** to confirm the creation of the SonarQube Cloud application.
6. In the setup assistant, select **Next** to go to the step **2. Configure Connection**.

#### 2. Configure Connection <a href="#configure-connection" id="configure-connection"></a>

1. In Okta’s SonarQube Cloud application, go to **Sign On** > **Settings** > **Sign on methods**. Copy the value of the **Metadata URL** field.

<figure><img src="broken-reference" alt="Select the Copy tool to copy the Metadata URL."><figcaption></figcaption></figure>

2. Paste the copied value to the **Metadata URL** field in the **Automatic** tab of the setup assistant page.

<figure><img src="broken-reference" alt="Open the Automatic tab."><figcaption></figcaption></figure>

3. In the assistant, select **Create Connection** and **Proceed.** SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step **3. Attribute Mapping**.

#### 3. Attribute Mapping <a href="#set-up-attributes" id="set-up-attributes"></a>

1. In Okta’s SonarQube Cloud application, go to **Sign On.**
2. Go down to the **Attribute statements** section and open the **Show legacy configuration** panel.

<figure><img src="broken-reference" alt="Go down to the Attributes statements section and select the link in Learn more."><figcaption></figcaption></figure>

3. Select **Edit.**
4. In **Profile attribute statements**, add the attributes for Name, Login, and Email, and in **Group Attribute Statements**, add the attribute for Groups, as described below.
   * Name attribute:
     * **Name**: Copy the attribute's **Mapping** value from the assistant (use the Copy tool).
     * **Name format**: `Unspecified`
     * **Value**: `user.firstName`
   * Login attribute:
     * **Name**: Copy the attribute's **Mapping** value from the assistant (use the Copy tool).
     * **Name format**: `Unspecified`
     * **Value**: `user.login`
   * Email attribute:
     * **Name**: Copy the attribute's **Mapping** value from the assistant (use the Copy tool).
     * **Name format**: `Unspecified`
     * **Value**: `user.email`
   * Groups attribute:
     * **Name**: Copy the attribute's **Mapping** value from the assistant (use the Copy tool).
     * **Name format**: `Unspecified`
     * **Filter**: Select `Matches regex` and set the value to **`.*`**

<figure><img src="broken-reference" alt="Select Save."><figcaption></figcaption></figure>

5. Select **Save**.
6. In the SonarQube Cloud's setup assistant, select **Next** to go to the step **4. Test SSO**. See [#test-the-sso-connection](#test-the-sso-connection "mention").

</details>

<details>

<summary><strong>Microsoft Entra ID</strong></summary>

{% hint style="warning" %}

* Group synchronization doesn’t work with Microsoft Entra ID’s nested groups.
* Microsoft Entra ID’s SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the [Claims in SAML Token](https://learn.microsoft.com/en-us/entra/identity-platform/reference-saml-tokens#claims-in-saml-tokens) table). In such cases, you might need to reduce the number of groups the user is in.
  {% endhint %}

Proceed as follows:

1. In Microsoft Entra ID, go to **Applications** > **Enterprise applications** > **All applications**.
2. Select **New application** and then **Create your own application**.

{% hint style="danger" %}
Make sure you choose **Create your own application**. Do not select the non-affiliated **Sonarqube** Microsoft Entra Gallery app, which contains configurations that may prevent proper integration.
{% endhint %}

3. Fill in the name and select the **Integrate any other application you don’t find in the gallery** option.
4. Select **Create**.
5. From the **Manage** section of the SonarQube Cloud application, go to **Single sign-on** > **SAML**.
6. In the **Basic SAML Configuration** section, select **Edit,** fill in the **Identifier** and the **Reply URL** fields as described below, and save:
   * **Identifier (Entity ID)**: Copy-paste the **Service Provider Identity ID** field value from the setup assistant.
   * **Reply URL (Assertion Consumer Service URL)**: Copy-paste the **Single Sign-On URL** field value from the setup assistant.

{% hint style="danger" %}
Only a single reply URL is allowed. Attempting to configure multiple reply URLs will lead to errors in your SSO setup.
{% endhint %}

7. In the setup assistant, select **Next** to go to the step **2. Configure Connection**.

#### 2. Configure Connection <a href="#configure-connection" id="configure-connection"></a>

<figure><img src="broken-reference" alt="Open the Automatic tab."><figcaption></figcaption></figure>

1. In your SonarQube Cloud application in Microsoft Entra ID, go to **SAML Certificates**. Copy the value of the **App Federation Metadata Url** field and paste it into the **Metadata URL** field in the **Automatic** tab of the setup assistant page.
2. In the assistant, select **Create Connection** and **Proceed.** SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step **3. Attribute Mapping**.

#### **3. Attribute Mapping**

1. In Microsoft Entra ID, go to the **Attributes & Claims** section of your SonarQube Cloud application.
2. Remove the namespaced attributes added by Microsoft Entra ID and listed in the **Additional claims** section.
3. Select **Add new claim** and define a claim for the Email attribute. This attribute is used to manage the email of the user.
   * In **Name**, paste the name copied from the Email's **Mapping** value in SonarQube Cloud's setup assistant.
   * In **Source attribute**, select `user.mail`.

<figure><img src="broken-reference" alt="In Name, paste the name copied from the Mapping value in SonarQube Cloud&#x27;s setup assistant."><figcaption></figcaption></figure>

The figure below shows the setup assistant of SonarQube Cloud. Use the copy tool to copy the **Mapping** value.

<figure><img src="broken-reference" alt="Use the copy tool to copy-paste the Mapping value of each attribute to your identity provider."><figcaption></figcaption></figure>

4. The same way, define a claim for the Login attribute. This attribute is the unique name used to identify the user in SonarQube Cloud. In **Source attribute**, select `user.userprincipalname`.
5. The same way, define a claim for the Name attribute. This attribute is the full name of the user. In **Source attribute**, select `user.givenname` or your own user name attribute.

{% hint style="info" %}
The default list of attributes includes `user.givenname` (first name) and `user.surname` (last name). If you prefer to show the full name, you must create a new claim in MS Entra ID.
{% endhint %}

6. Select **Add a group claim** to define the Groups attribute. This attribute is used for automatic group synchronization. Set the parameters as follows:
   * **Which groups associated with the user should be returned in the claim?**: **Groups assigned to the application**
   * **Source attribute**: **Cloud-only group display names** or (if using on-prem Active Directory for group synchronisation) **sAMAccountName**
   * **Emit group name for cloud-only groups option**: If you use sAMAccountName, select the option. Otherwise, ignore the option.

The figure below shows a group attribute definition example.

<figure><img src="broken-reference" alt="Select the Groups assigned to the application option."><figcaption></figcaption></figure>

Save. The option to add a group will be unavailable and the group attribute will be listed with the other attributes in the **Additional claims** section as illustrated below.

<figure><img src="broken-reference" alt="Check that you have correctly defined the attributes listed in Additional claims."><figcaption></figcaption></figure>

7. In the setup assistant, select **Next** to go to the step **4. Test SSO**. See [#test-the-sso-connection](#test-the-sso-connection "mention").

</details>

<details>

<summary><strong>JumpCloud</strong></summary>

1. In JumpCloud, go to **SSO Applications** and select **+ Add New Application.**

<figure><img src="broken-reference" alt="Select Add New Application to create your SonarQube Cloud application in JumpCloud."><figcaption></figcaption></figure>

2. Select **Custom Application** and select **Next.**

<figure><img src="broken-reference" alt="To create your SonarQube Cloud app in JumpCloud, select Custom Application."><figcaption></figcaption></figure>

3. Click **Next**.
4. Select **Manage Single Sign-On (SSO)** and **Configure SSO with SAML**, and select **Next**.

<figure><img src="broken-reference" alt="Select Manage Single Sign-On (SSO) and Configure SSO with SAML."><figcaption></figcaption></figure>

5. Enter a display label and select **Save Application**. The application is created.

<figure><img src="broken-reference" alt="Enter a display label and select the Save Application button."><figcaption></figcaption></figure>

6. Select **Configure Application**.
7. In the **SSO** tab, in the **Configuration Settings** section, set the parameters as described below:
   * **IdP Entity ID**: Don't change the default value.
   * **SP Entity ID**: Copy-paste the **Single Sign-On URL** field value from the setup assistant.
   * **ACS URL**: Copy-paste the **Single Sign-On URL** field value from the setup assistant to **Default URL**.

{% hint style="danger" %}
Only a single ACS URL is allowed. Attempting to configure multiple ACS URLs will lead to errors in your SSO setup.
{% endhint %}

<figure><img src="broken-reference" alt="Set the SP Entity ID and Default URL fields with the SSO URL value from SonarQube Cloud."><figcaption></figcaption></figure>

8. In **JumpCloud Metadata** in the same section, select the **Copy Metadata URL** button.

<figure><img src="broken-reference" alt="Select the Copy Metadata URL button."><figcaption></figcaption></figure>

9. In SonarQube Cloud's SAML SSO setup assistant, go to the step **2. Configure Connection** and paste the copied value to **Metadata URL** in the **Automatic** tab.

<figure><img src="broken-reference" alt="Paste the value copied from JumpCloud to Metadata URL."><figcaption></figcaption></figure>

10. Select **Create Connection** and then **Proceed.**
11. In SonarQube Cloud's SAML SSO setup assistant, go to the step **3. Attribute Mapping**.
12. In the **SSO** tab of the JumpCloud's application, go to the **Attributes > User Attributes** section and add three new attributes with the values described below:
    * Name attribute:
      * **Service Provider Attribute Name**: Paste the name copied from the **Mapping** value in SonarQube Cloud's setup assistant.
      * **JumpCloud Attribute Name**: `username`
    * Login attribute:
      * **Service Provider Attribute Name**: Paste the name copied from the **Mapping** value in SonarQube Cloud's setup assistant.
      * **JumpCloud Attribute Name**: `displayname`
    * Email attribute:
      * **Service Provider Attribute Name**: Paste the name copied from the **Mapping** value in SonarQube Cloud's setup assistant.
      * **JumpCloud Attribute Name**: `email`
13. Under the **Constant Attributes** section, select the **Include Group Attribute** option. Copy the group attribute name from the assistant and paste it into **Groups Attribute Name**.

<figure><img src="broken-reference" alt="Add and configure user attributes and a group attribute."><figcaption></figcaption></figure>

14. Select **Save**.
15. In SonarQube Cloud's SAML SSO setup assistant, select **Next** to go to step **4. Test SSO**. See [#test-the-sso-connection](#test-the-sso-connection "mention") below.

</details>

<details>

<summary><strong>Other identity providers</strong></summary>

1. Create the SonarQube Cloud application in your identity provider.
2. Copy the **Service Provider Identity ID** field value from the setup assistant and paste it into the corresponding field in your identity provider.
3. Copy the **Single Sign-On URL** field value from the setup assistant and paste it into the corresponding field in your identity provider.

{% hint style="danger" %}
Only a single sign-on URL is allowed. Attempting to configure multiple sign-on URLs in your identity provider will lead to errors in your SSO setup.
{% endhint %}

4. In SonarQube Cloud's SSO setup assistant, select **Next** to go to the step **2. Configure Connection**.

<figure><img src="broken-reference" alt="The first step of the SonarQube Cloud&#x27;s SAML SSO setup assistant is Create Application."><figcaption></figcaption></figure>

#### 2. Configure Connection <a href="#configure-connection" id="configure-connection"></a>

The operation is different depending on whether your identity provider supports the SAML metadata URL field (URL used by SonarQube Cloud to access metadata information) or not.

**Metadata URL supported**

1. In your SonarQube Cloud application in your identity provider, copy the value of the field corresponding to the SAML metadata URL.
2. Paste it into the **Metadata URL** field in the **Automatic** tab of the setup assistant page.

<figure><img src="broken-reference" alt="Open the Automatic tab."><figcaption></figcaption></figure>

3. In the assistant, select **Create Connection** and **Proceed.** SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step **3. Attribute Mapping**.

**Metadata URL not supported**

1. In the assistant, select the **Manual** tab.

<figure><img src="https://2223713658-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB4UT2GNiZKjtxFtcFAL7%2Fuploads%2FDE8ApupeToQOiCMV46xU%2Fsonarqube-cloud-saml-setup-configure-connection-manual_Cs0167.png?alt=media&#x26;token=cbf49861-9f3e-4491-a853-9f0d256a08ed" alt="Open the Manual tab."><figcaption></figcaption></figure>

2. In your identity provider, copy the value of the SSO login URL field and paste it into **Single Sign-On Login URL** in the assistant.
3. In your identity provider, download the certificate and upload it to the assistant.
4. In the assistant, select **Create Connection** and **Proceed.** SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step **3. Attribute Mapping**.

#### 3. Attribute Mapping <a href="#set-up-attributes" id="set-up-attributes"></a>

1. In your identity provider, create the attributes for Name, Login, Email, and Groups (the group attribute is used for automatic group synchronization). To do so, for each attribute, copy the attribute's **Mapping** value from the assistant (use the Copy tool) and paste it into the attribute’s name field in your identity provider.

<figure><img src="broken-reference" alt="Select Next to go to the next step."><figcaption></figcaption></figure>

2. In the assistant, select **Next** to go to step **4. Test SSO**. See [#test-the-sso-connection](#test-the-sso-connection "mention").

</details>
{% endstep %}

{% step %}

### Test the SSO connection

1. In your identity provider, assign the user groups to the SonarQube Cloud application (to be able to perform the test, at least one group or user must be assigned).
2. In the SonarQube Cloud's setup assistant, select the **Test Connection** button. The test is started and the results are displayed on the page as illustrated below.

<figure><img src="broken-reference" alt="Before you finish step 2 configuring your connection using SonarQube Cloud’s setup assistant, test and enable your configuration."><figcaption></figcaption></figure>

3. If the test was successful, select **Enable Connection** and **Proceed**.
4. If you want to set up SCIM provisioning, select **Provisioning** to open the SCIM provisioning setup assistant and follow the setup instructions from [#step-2-set-up-scim-provisioning-in-your-identity-provider](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/scim#step-2-set-up-scim-provisioning-in-your-identity-provider "mention").\
   Otherwise, go to the next step below to enable the connection.
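
To check offline that a SAML response issued by your identity provider matches the settings described on this page (signed response and assertion, RSA-SHA256, the service provider entity ID as audience, and the four mapped attributes), you can run a structural check like the one below. This is an added example, not part of SonarQube Cloud or its documentation; `EXPECTED_AUDIENCE`, the attribute names and the sample response are constructed placeholders to replace with the values shown in your setup assistant.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Assumed placeholders: use the entity ID and Mapping values from the setup assistant.
EXPECTED_AUDIENCE = "urn:example:sp-entity-id"
REQUIRED_ATTRIBUTES = {"name", "login", "email", "groups"}


def signature_problem(element, label):
    """Return a message if `element` has no direct RSA-SHA256 ds:Signature child."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return f"{label} is not signed"
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    return None if alg == RSA_SHA256 else f"{label} signature algorithm is {alg}"


def check_saml_response(b64_response):
    """Structural checks only: signatures are NOT cryptographically verified."""
    # Intended for responses captured from your own IdP, not for untrusted XML.
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted; decrypt it before running these checks"]
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly 1 assertion, found {len(assertions)}"]
    assertion = assertions[0]
    checks = [signature_problem(root, "Response"), signature_problem(assertion, "Assertion")]
    problems = [p for p in checks if p]
    audiences = {a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text}
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience does not include the SP entity ID")
    sent = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"attribute '{n}' is missing" for n in sorted(REQUIRED_ATTRIBUTES - sent)]
    return problems


def sample_response(sign_response=True, attrs=("name", "login", "email", "groups")):
    """Constructed sample without real signature values, base64-encoded like SAMLResponse."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
           f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>')
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'{sig if sign_response else ""}<saml:Assertion>{sig}'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}'
           f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(sample_response(sign_response=False)))
```
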
   {% endstep %}

{% step %}

### Enable the SSO connection

Once you have enabled the connection to your identity provider, your users will be able to authenticate to SonarQube Cloud through SSO.

To enable the connection to your identity provider:

1. In SonarQube Cloud, go to **Administration** > **SSO & Provisioning**. The **SSO & Provisioning** page opens.
2. In **Single Sign-On (SAML)**, select the **Enable Connection** button.

<figure><img src="broken-reference" alt="To enable your SSO connection, select the Enable Connection button."><figcaption></figcaption></figure>

A confirmation dialog opens.

3. Select **Proceed**.
   {% endstep %}
   {% endstepper %}

## Related pages <a href="#related-pages" id="related-pages"></a>

* [scim](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/scim "mention")
* [map-groups](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/map-groups "mention")
* [complete-setup](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/complete-setup "mention")
* [edit-or-delete-sso-setup](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/edit-or-delete-sso-setup "mention")
* [troubleshooting](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting "mention")
