# Using Okta Express Configuration

This feature is available in the [Enterprise](https://www.sonarsource.com/plans-and-pricing/) plan.

## Requirements

You must be an admin of your SonarQube Cloud enterprise and Okta administrator within your Okta tenant.

## OpenID Connect (OIDC) supported features

* SP-initiated SSO (Single Sign-On)
* IdP-initiated SSO (through Okta dashboard)
* Just-In-Time provisioning

## Configuration

{% stepper %}
{% step %}

### Add the SonarQube Cloud integration in Okta

1. In the Okta Admin Console, go to **Applications** > **Applications**.
2. Select **Browse App Catalog**. 
3. Search for *SonarQube* and select **SonarQube Cloud**. 
4. Select **Add Integration**. 
5. On the **General Settings** page, enter a label for the integration, for example, *SonarQube Cloud*.
6. Select **Done**.
   {% endstep %}

{% step %}

### Configure SSO and Universal Logout 

1. In Okta, go to the **Sign On** tab of your SonarQube Cloud integration and select **Express Configure SSO & UL**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/KXHaUZSoehr8aZtwRahN" alt="Select the Express Configuration button."><figcaption></figcaption></figure>

You are prompted for your Sonar Express Configuration ID.

<div align="left"><figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/zU9IE4yg6Pvff9kPIrD2" alt="Enter the organization identifier used for Express Configuration." width="375"><figcaption></figcaption></figure></div>

2. Enter your **Sonar Express Configuration ID**, in the following format `org-<enterprise-uuid>` . You can retrieve the ID from SonarQube Cloud:
   1. In SonarQube Cloud, retrieve your enterprise.
   2. Go to **Administration** > **SSO & Provisioning**. The **SSO & Provisioning** page opens.
   3. Expand the **Single sign-on** section and select **Okta Express Configuration**.&#x20;
   4. Copy the **Sonar Express Configuration ID** and paste it into the Sonar Express Configuration ID window. Select **Continue.**

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/2CtNHaWSUxCVOKUiS1aK" alt="Select the Okta Express Configuration button and then the Copy tool in front of the Sonar Express Configuration ID field."><figcaption></figcaption></figure>

2. SonarQube Cloud authentication page opens with options to login. Make sure you login using the DevOps platform that is linked to your SonarQube Cloud enterprise admin account.
3. Authorize the app as a SonarQube Cloud enterprise administrator. This creates a SSO connection in your SonarQube Cloud enterprise.

<div align="left"><figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/PGOWsBg4z1BJ1SilzjqB" alt="Select the Accept button." width="375"><figcaption></figcaption></figure></div>

5. Review the permissions requested and select **Accept** to authorize the connection. Once authorization is complete, you are redirected back to Okta. The SSO and Universal Logout configuration is applied automatically. See the [#universal-logout](#universal-logout "mention") section for more information.
   {% endstep %}

{% step %}

### Add the groups attribute mapping

1. In Okta, go to the **Sign On** tab of your SonarQube Cloud integration.
2. In **Settings** > **Sign on methods**, select the link **Configure profile mapping**.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/8fjLEUdyvMZa4mYsejVE" alt="Select the Configure profile mapping link."><figcaption></figcaption></figure>

3. Close the dialog to open the Profile Editor page.
4. Select the **Add Attribute** button. The Add Attribute dialog opens.
5. In the dialog, set the following parameters:
   * **Data type**: Select **string array**
   * **Display name**: Enter *Groups*
   * **Variable name**: Enter *userGroups*
   * **Enum**: *not selected*
   * **Attribute required:** Select **Yes**
   * **Attribute type**: Select **Group**
   * **Group Priority**: Select **Use Group Priority**
6. Select **Save**. The group's attribute is added.
7. Select the **Mappings** button. The User Profile Mappings dialog opens.
8. Select the tab **Okta User to \<SonarQube Cloud integration>**.
9. Enter the following expression:

```javascript
user.getGroups({'group.profile.name': '.*'}).![name]
```

10. To preview the attribute for your application enter the Okta user name in the preview textbox. The preview shows groups that the user belongs to in Okta.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/oLbIXcYV6da37toITCMk" alt="Enter a user to the preview."><figcaption></figcaption></figure>

10. Click **Exit Preview**.
11. Select **Save Mappings** and then **Apply updates**.
    {% endstep %}

{% step %}

### Assign users and groups &#xD;

1. In Okta, go to the **Assignments** tab of your SonarQube Cloud integration.
2. Select **Assign** > **Assign to People** or **Assign to Groups**.
3. Select the users or groups you want to give access to SonarQube Cloud and select **Assign**.&#x20;
4. Select **Done**.
   {% endstep %}

{% step %}

### Verify the setup

#### Verify SSO&#x20;

1. As the assigned test user, sign into the Okta dashboard.&#x20;
2. Select the SonarQube Cloud app tile. The name of the app is what you have configured for its label in [#add-the-sonarqube-cloud-integration-in-okta](#add-the-sonarqube-cloud-integration-in-okta "mention").
3. Verify that you are signed in to SonarQube Cloud without being prompted for additional credentials.&#x20;

#### Verify SP-initiated SSO&#x20;

1. Navigate to your SonarQube Cloud login page.&#x20;
2. Select the SSO option.&#x20;
3. Enter the enterprise key.
4. Verify that you are redirected to Okta for authentication and then signed into SonarQube Cloud.&#x20;
   {% endstep %}

{% step %}

### Set up SCIM provisioning (optional)&#xD;

You have to set up SCIM provisioning from the SonarQube Cloud assistant. See [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md) for details.
{% endstep %}

{% step %}

### Complete your setup

See [Complete SSO setup](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/complete-setup.md) for more information.
{% endstep %}
{% endstepper %}

## Universal Logout

The Universal Logout is not supported by the SonarQube Cloud app in Okta. However, SonarQube Cloud will disconnect your session as follows:&#x20;

* The session closes after 90 days, if the user is active.
* The session closes after 24 hours, if the user is idle.

## Related pages

* [About SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/about.md)
* [Set up SSO](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-sso.md)
* [Set up SCIM](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/set-up-scim.md)
* [Troubleshooting SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/troubleshooting.md)

## Related online learning

* <i class="fa-desktop">:desktop:</i> [Initial SonarQube Cloud Enterprise set up](https://www.sonarsource.com/learn/course/sonarqube-cloud/e390f0fe-64f4-4840-b74c-e63598af72f2/initial-sonarqube-cloud-enterprise-set-up)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning/using-okta-express-configuration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.