
# Using Okta Express Configuration

*This feature requires SonarQube Cloud's* [*Enterprise*](https://www.sonarsource.com/plans-and-pricing/) *licence.*

{% hint style="warning" %}

* Before starting, read [Before setting up SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/before-you-start.md).
* **If you don't intend to use SCIM provisioning, you must first manually create the user groups in your SonarQube Cloud organizations or verify your existing groups as described in** [Before setting up SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/before-you-start.md#managing-groups-in-sonarqube-cloud-if-using-jit-provisioning).
  {% endhint %}

You must be an admin of your SonarQube Cloud enterprise and an Okta administrator within your Okta tenant.

## Supported OIDC features

With the Okta Express Configuration, you benefit from:

* SP-initiated SSO
* IdP-initiated SSO (through Okta dashboard)
* Just-In-Time provisioning

The Universal Logout is not supported by the SonarQube Cloud app in Okta. However, SonarQube Cloud will disconnect your session as follows:

* The session closes after 24 hours, if the user is active.
* The session closes after 8 hours, if the user is idle.

SCIM provisioning is set up through an additional configuration step using the SonarQube Cloud assistant.

## Step 1: Add the SonarQube Cloud integration in Okta

1. In the Okta Admin Console, go to **Applications** > **Applications**.
2. Select **Browse App Catalog**.
3. Search for *SonarQube* and select **SonarQube Cloud**.
4. Select **Add Integration**.
5. On the **General Settings** page, enter a label for the integration, for example, *SonarQube Cloud*.
6. Select **Done**.

## Step 2: Configure SSO and Universal Logout

1. In Okta, go to the **Sign On** tab of your SonarQube Cloud integration and select **Express Configure SSO & UL**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/KXHaUZSoehr8aZtwRahN" alt="Select the Express Configuration button."><figcaption></figcaption></figure>

You are prompted for your Sonar Express Configuration ID.

<div align="left"><figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/zU9IE4yg6Pvff9kPIrD2" alt="Enter the organization identifier used for Express Configuration." width="375"><figcaption></figcaption></figure></div>

2. Enter your **Sonar Express Configuration ID** in the following format: `org-<enterprise-uuid>`. You can retrieve the ID from SonarQube Cloud:
   1. In SonarQube Cloud, retrieve your enterprise.
   2. Go to **Administration** > **SSO & Provisioning**. The **SSO & Provisioning** page opens.
   3. Expand the **Single sign-on & Domain configuration** section and select **Okta Express Configuration**.
   4. Copy the **Sonar Express Configuration ID** and paste it into the Sonar Express Configuration ID window. Select **Continue.**

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/2CtNHaWSUxCVOKUiS1aK" alt="Select the Okta Express Configuration button and then the Copy tool in front of the Sonar Express Configuration ID field."><figcaption></figcaption></figure>

3. The SonarQube Cloud authentication page opens with options to log in. Make sure you log in using the DevOps platform that is linked to your SonarQube Cloud enterprise admin account.
4. Authorize the app as a SonarQube Cloud enterprise administrator. This creates an SSO connection in your SonarQube Cloud enterprise.

<div align="left"><figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/PGOWsBg4z1BJ1SilzjqB" alt="Select the Accept button." width="375"><figcaption></figcaption></figure></div>

5. Review the permissions requested and select **Accept** to authorize the connection. Once authorization is complete, you are redirected back to Okta. The SSO and Universal Logout configuration is applied automatically. See the [#universal-logout](#universal-logout "mention") section for more information.

## Step 3: Add the groups attribute mapping

{% hint style="warning" %}
Regardless of your chosen provisioning method, you must configure the groups attribute in the OIDC payload. If you use SCIM provisioning, ensuring this value aligns with the data SCIM transmits to SonarQube Cloud is essential. See [Before setting up SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/before-you-start.md#group-setup-is-mandatory) for more details.
{% endhint %}

Proceed as follows:

1. In Okta, go to the **Sign On** tab of your SonarQube Cloud integration.
2. In **Settings** > **Sign on methods**, select the link **Configure profile mapping**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/8fjLEUdyvMZa4mYsejVE" alt="Select the Configure profile mapping link."><figcaption></figcaption></figure>

3. Close the dialog to open the Profile Editor page.
4. Select the **Add Attribute** button. The Add Attribute dialog opens.
5. In the dialog, set the following parameters:
   * **Data type**: Select **string array**
   * **Display name**: Enter *Groups*
   * **Variable name**: Enter *userGroups*
   * **Enum**: *not selected*
   * **Attribute required:** Select **Yes**
   * **Attribute type**: Select **Group**
   * **Group Priority**: Select **Use Group Priority**
6. Select **Save**. The groups attribute is added.
7. Select the **Mappings** button. The User Profile Mappings dialog opens.
8. Select the tab **Okta User to \<SonarQube Cloud integration>**.
9. Enter the following expression:

```javascript
user.getGroups({'group.profile.name': '.*'}).![name]
```

{% hint style="warning" %}
With this expression, all your groups in Okta will be included (and available during Just-in-Time provisioning login for automatic group synchronization). You can adjust this expression if necessary.
{% endhint %}

10. To preview the attribute for your application, enter the Okta user name in the preview textbox. The preview shows the groups that the user belongs to in Okta.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/oLbIXcYV6da37toITCMk" alt="Enter a user to the preview."><figcaption></figcaption></figure>

11. Click **Exit Preview**.
12. Select **Save Mappings** and then **Apply updates**.
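
To see what the `.*` mapping from this step actually sends, the following added example (not part of the Sonar or Okta documentation) decodes the payload of an ID token from a test login and compares its groups claim with the groups that exist in SonarQube Cloud. The claim name `userGroups`, exact name matching, and all sample values are assumptions constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def groups_from_id_token(token: str, claim: str = "userGroups") -> list:
    """Return the groups claim from an ID token payload (inspection only: no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1]
    payload = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if claim not in payload:
        raise ValueError(f"claim {claim} missing: check that the profile mapping was applied")
    groups = payload[claim]
    if isinstance(groups, str):  # tolerate a single value serialized as a string
        groups = [groups]
    return list(groups)


def audit_groups(token_groups, sonar_groups):
    """Split the groups Okta sends into those that exist in SonarQube Cloud and those that do not."""
    sent, known = set(token_groups), set(sonar_groups)
    known_lower = {g.lower() for g in known}
    unmatched = sent - known
    return {
        "matched": sorted(sent & known),
        "unmatched": sorted(unmatched),  # sent by Okta, no group of that name in SonarQube Cloud
        "case_mismatch": sorted(g for g in unmatched if g.lower() in known_lower),
    }


# Constructed sample: a token shaped like an ID token; the claim name is an assumption.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps({
        "sub": "test.user@example.com",
        "userGroups": ["Everyone", "sonar-admins", "Sonar-Developers", "finance"],
    }).encode()),
    b64url(b"constructed-signature"),
])
# Constructed sample: groups created manually in the SonarQube Cloud organization.
SONAR_GROUPS = ["sonar-admins", "sonar-developers"]

if __name__ == "__main__":
    print(audit_groups(groups_from_id_token(SAMPLE_TOKEN), SONAR_GROUPS))
```

Groups reported under `unmatched` are sent to SonarQube Cloud without a corresponding group there and are candidates for narrowing the mapping expression.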

## Step 4: Assign users and groups

1. In Okta, go to the **Assignments** tab of your SonarQube Cloud integration.
2. Select **Assign** > **Assign to People** or **Assign to Groups**.
3. Select the users or groups you want to give access to SonarQube Cloud and select **Assign**.
4. Select **Done**.

## Step 5: Verify the setup

### **Verify Okta dashboard SSO**

1. As the assigned test user, sign into the Okta dashboard.
2. Select the SonarQube Cloud app tile. The name of the app is what you have configured for its label in [#add-the-sonarqube-cloud-integration-in-okta](#add-the-sonarqube-cloud-integration-in-okta "mention").
3. Verify that you are signed in to SonarQube Cloud without being prompted for additional credentials.

### **Verify SSO through SonarQube Cloud's login page**

1. Navigate to your SonarQube Cloud login page.
2. Select the SSO option.
3. Enter the enterprise key.
4. Verify that you are redirected to Okta for authentication and then signed into SonarQube Cloud.

## Next steps

To set up SCIM, go to [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md).

To complete your SSO setup, go to [Invite users to sign in](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/complete-setup.md).

{% hint style="info" %}
It's recommended to verify your company's email domain to avoid one-time email verification during SSO login. See [Domain verification](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/verify-domain.md).
{% endhint %}

## Related pages

* [About SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about.md)
* [Before setting up SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/before-you-start.md)
* [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md)
* [Invite users to sign in](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/complete-setup.md)
* [Domain verification](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/verify-domain.md)
* [Recovery account for SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/recovery-account.md)
* [Troubleshooting SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting.md)

## Related online learning

* [Initial SonarQube Cloud Enterprise set up](https://www.sonarsource.com/learn/course/sonarqube-cloud/e390f0fe-64f4-4840-b74c-e63598af72f2/initial-sonarqube-cloud-enterprise-set-up)

