# Step 2: Set up SCIM provisioning

*SCIM provisioning is a beta feature, subject to the terms [here](https://www.sonarsource.com/legal/early-access/).*

For more information about the provisioning feature, see [scim](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about/scim "mention").

To set up SCIM provisioning in your enterprise, you must be the administrator of the enterprise in SonarQube Cloud. Follow the steps below.

{% stepper %}
{% step %}

### Start the Provisioning setup assistant

1. Retrieve your enterprise. For more information, see [retrieving-and-viewing-your-enterprise](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-enterprise/retrieving-and-viewing-your-enterprise "mention").
2. Go to **Administration** > **SSO & Provisioning**.

<figure><img src="broken-reference" alt="Select the Configure provisioning button"><figcaption></figcaption></figure>

3. In the top right corner, select **Edit configuration**. The **Configure Your Connection** page opens.

<figure><img src="broken-reference" alt="Select Provisioning to set up SCIM provisioning."><figcaption></figcaption></figure>

{% hint style="danger" %}

* Before setting up SCIM provisioning, you must resolve any Single Sign-On warnings shown on this page. If there are any, select **Single Sign-On** and follow the instructions of the setup assistant. For more information, see [troubleshooting](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting "mention").
* Note that the attribute mapping was changed recently. If your SSO setup was performed before this change, a warning will be displayed. In that case, follow the instructions to update your mapping in SonarQube Cloud. Also check the attribute mapping in your identity provider to make sure it matches SonarQube Cloud's new mapping. For more information, see [#create-and-set-up-the-sonarqube-cloud-application-in-your-identity-provider](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/saml-sso#create-and-set-up-the-sonarqube-cloud-application-in-your-identity-provider "mention").
  {% endhint %}

4. Select **Provisioning**. The SCIM provisioning setup assistant opens.

<figure><img src="broken-reference" alt="You will copy values from the SCIM provisioning setup assistant to your identity provider's application for SonarQube Cloud."><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Set up SCIM provisioning in your identity provider

In this step, you will configure your identity provider’s application for SonarQube Cloud by copying values from SonarQube Cloud’s SCIM provisioning setup assistant. The configuration depends on your identity provider.

<details>

<summary><strong>With Okta</strong></summary>

1. In Okta, open the application used to manage Single Sign-On in SonarQube Cloud.
2. In the **General** tab, in **App Settings**, select **Edit**.
3. In **Provisioning**, select **SCIM** and save. The **Provisioning** tab is added to your application.

<figure><img src="broken-reference" alt="In your Okta application for SonarQube Cloud, enable SCIM provisioning."><figcaption></figcaption></figure>

4. Open the **Provisioning** tab.
5. In **SCIM Connection**, set the parameters as described below:
   * **SCIM connector base URL**: Copy-paste the **Provisioning Endpoint URL** from SonarQube Cloud’s setup assistant.
   * **Unique identifier field for users**: Copy-paste the **User ID** attribute value in **Required attributes** from SonarQube Cloud’s setup assistant.
   * **Supported provisioning actions**: Select the following options:
     * **Import New Users and Profile Updates**
     * **Push New Users**
     * **Push Profile Updates**
   * **Authentication Mode**: `HTTP Header`
6. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Generate Token** in the **Bearer Token** section.
7. Copy the generated token.

<figure><img src="broken-reference" alt="Copy the generated token by selecting the Copy And Close button and paste it where it belongs."><figcaption></figcaption></figure>

8. In your identity provider, in the **HTTP Header** section, paste the token into **Bearer**.

<figure><img src="broken-reference" alt="In your Okta application for SonarQube Cloud, set the SCIM connection in the Provisioning tab."><figcaption></figcaption></figure>

9. Select **Test Connector Configuration**. The test starts. Note that only user deprovisioning is currently supported in SonarQube Cloud.

<figure><img src="broken-reference" alt="Test the SCIM connection in your Okta application for SonarQube."><figcaption></figcaption></figure>

10. Close the test configuration window.
11. Select **Save**.
12. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Done**.

</details>

<details>

<summary><strong>With Microsoft Entra ID</strong></summary>

1. In Microsoft Entra ID, go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application created for SonarQube Cloud.
2. On the application’s page, select **Provisioning** in the left-hand side menu.
3. In the top menu bar, select **New configuration**.

<figure><img src="broken-reference" alt="Select the New configuration button in the Provisioning page of the SonarQube Cloud app."><figcaption></figcaption></figure>

4. In **Admin credentials**, set the fields as follows:
   * **Select authentication method**: Select **Bearer authentication**
   * **Secret token**: In SonarQube Cloud’s SCIM provisioning setup assistant, select **Generate Token** in the **Bearer Token** section.

     Copy the generated token and paste it to this field.
   * **Tenant URL**: Copy-paste the **Provisioning Endpoint URL** from SonarQube Cloud’s setup assistant. See **Warning** below.

{% hint style="warning" %}
For the **Tenant URL**, you currently have to follow the additional step defined in [Flags to alter the SCIM behavior](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior) and add `?aadOptscim062020` to the end of the URL value.
{% endhint %}

<figure><img src="broken-reference" alt="Set the Admin credentials parameters."><figcaption></figcaption></figure>

5. Select the **Test connection** button. You should see a success pop-up at the top right corner of the page.

<figure><img src="broken-reference" alt="A success pop-up is displayed in the top right corner if the connection test was successful."><figcaption></figcaption></figure>

6. Select the **Create** button.
7. In the left-hand side menu, select **Attribute mapping**.

<figure><img src="broken-reference" alt="Select Attribute mapping."><figcaption></figcaption></figure>

8. Select **Provision Microsoft Entra ID Groups**. The **Attribute Mapping** dialog for groups opens.
9. Ensure the feature is enabled and the **Create**, **Update** and **Delete** actions are selected in **Target Object Actions**.

<figure><img src="broken-reference" alt="Enable the feature and select all Target Object Actions."><figcaption></figcaption></figure>

10. Return to the previous page and select **Provision Microsoft Entra ID Users**. The **Attribute Mapping** dialog for users opens.
11. Ensure the feature is enabled and the **Create**, **Update** and **Delete** actions are selected in **Target Object Actions**.

<figure><img src="broken-reference" alt="Make sure Enabled is set to Yes and the Target Objects Actions are all enabled."><figcaption></figcaption></figure>

12. In **Attribute Mappings**, map the `userName` **customappsso Attribute** (target) to the **Microsoft Entra ID Attribute** (source) used as SAML user login attribute in your SAML configuration.\
    For example, if your login attribute is `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in your SonarQube Server’s SAML configuration and it is mapped to `user.userprincipalname` (default), use `userprincipalname` here. Otherwise, if it is mapped to `user.mail`, then use `mail` instead.

<figure><img src="broken-reference" alt="Map the userName customappsso Attribute (target) to the Microsoft Entra ID Attribute (source) used as SAML user login attribute in your SAML configuration."><figcaption></figcaption></figure>

13. Click **Save**. This takes you back to the **Provisioning** page.
14. Ensure that **Provisioning Mode** is **Automatic**.
15. Open the **Settings** section and in the **Scope** subsection, select **Sync only assigned users and groups**.

<figure><img src="broken-reference" alt="In MS Entra ID, select Sync only assigned users and groups"><figcaption></figcaption></figure>

16. Set the **Provisioning Status** to **On** and click **Save**.
17. Go back to the **Overview** page and select the **Start provisioning** button.

<figure><img src="broken-reference" alt="Select the Start provisioning button on the Overview page."><figcaption></figcaption></figure>

18. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Done**.

{% hint style="info" %}
Microsoft Entra ID runs a SCIM synchronization every 40 minutes. Changes in Microsoft Entra ID are not reflected immediately in SonarQube Cloud.
{% endhint %}

</details>

<details>

<summary><strong>With JumpCloud</strong></summary>

1. In JumpCloud, open the application used to manage Single Sign-On in SonarQube Cloud and open the **Identity Management** tab.
2. In **Configuration Settings** > **Service Provider (SP) Configuration** set the fields as described below:
   * **API Type**: `SCIM API`
   * **SCIM Version**: `SCIM 2.0`
   * **Base URL**:
     1. Copy-paste the **Provisioning Endpoint URL** from SonarQube Cloud’s setup assistant.
     2. Remove the trailing slash from the URL. **This step is very important. The SCIM connection will fail if the URL has a trailing slash.**
   * **Token Key**: In SonarQube Cloud’s SCIM provisioning setup assistant, select **Generate Token** in the **Bearer Token** section. Copy the generated token and paste it to this field.
   * **Test User Email**: Enter any email address.

<figure><img src="broken-reference" alt="Select SCIM API and SCIM 2.0, and copy-paste the base URL and token key from SonarQube Cloud"><figcaption></figcaption></figure>

{% hint style="warning" %}
Make sure you remove the trailing slash from the base URL. The figure below shows the trailing slash.
{% endhint %}

<figure><img src="broken-reference" alt="Remove the trailing slash from the base URL copied from SonarQube Cloud"><figcaption></figcaption></figure>

3. Select the **Test Connection** button. If the test was successful, proceed with the setup.
4. Unselect the **Enable management of User Groups and Group Membership in this application** option, and select **Activate**.

<figure><img src="broken-reference" alt="Unselect the Enable management of User Groups and Group Membership in this application option, and select Activate."><figcaption></figcaption></figure>

5. In SonarQube Cloud’s SCIM provisioning setup assistant, select **Done**.

</details>
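
The Microsoft Entra ID and JumpCloud procedures above each require a different adjustment to the **Provisioning Endpoint URL** (the `?aadOptscim062020` flag and the trailing-slash removal). The Python helper below is an added example, not part of SonarQube Cloud or of any identity provider's tooling: the function name and the sample URL are assumptions, and the `https` check is an added precaution because the bearer token is sent to this URL.

```python
from urllib.parse import urlsplit, urlunsplit

ENTRA_FLAG = "aadOptscim062020"  # flag this page requires on the Entra Tenant URL

# Constructed placeholder; use the value shown in your own setup assistant.
SAMPLE_ENDPOINT = "https://scim.example.invalid/scim/v2/"


def scim_url_for(idp: str, endpoint_url: str) -> str:
    """Return the value to paste into the identity provider's SCIM URL field.

    idp is one of "okta", "entra" or "jumpcloud" (names chosen for this example).
    """
    parts = urlsplit(endpoint_url.strip())
    # The bearer token travels to this URL on every SCIM call: require TLS and a host.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("endpoint must be an absolute https:// URL")
    if parts.fragment:
        raise ValueError("endpoint must not contain a fragment")

    path, query = parts.path, parts.query
    idp = idp.lower()
    if idp == "okta":
        pass  # SCIM connector base URL: pasted unchanged
    elif idp == "entra":
        # Tenant URL: append the flag once, keeping any query already present.
        flags = query.split("&") if query else []
        if ENTRA_FLAG not in flags:
            flags.append(ENTRA_FLAG)
        query = "&".join(flags)
    elif idp == "jumpcloud":
        # Base URL: the connection fails if a trailing slash is left in place.
        path = path.rstrip("/")
    else:
        raise ValueError(f"unknown identity provider: {idp!r}")
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


if __name__ == "__main__":
    for name in ("okta", "entra", "jumpcloud"):
        print(f"{name:10s} {scim_url_for(name, SAMPLE_ENDPOINT)}")
```
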
{% endstep %}

{% step %}

### Enable the SSO connection with SCIM

To enable the connection to your identity provider:

1. In SonarQube Cloud's **SSO & Provisioning**, select **Provisioning (SCIM)** > **Enable Connection**.
   {% endstep %}
   {% endstepper %}

## Related pages <a href="#related-pages" id="related-pages"></a>

* [saml-sso](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/saml-sso "mention")
* [map-groups](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/map-groups "mention")
* [complete-setup](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/setup/complete-setup "mention")
* [edit-or-delete-sso-setup](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/edit-or-delete-sso-setup "mention")
* [troubleshooting](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting "mention")
