Setting up SCIM provisioning

If Single Sign-On (SSO) is used in your SonarQube Cloud enterprise for user authentication, you can set up SCIM to automate provisioning. SCIM provisioning is supported with any identity provider.

SCIM provisioning is a beta feature, subject to the terms here.

Currently, only user deprovisioning is supported. For more information about the provisioning feature, see About SCIM provisioning.

To set up SCIM deprovisioning in your enterprise, you must be the administrator of the enterprise in SonarQube Cloud. Follow the steps below.

1. Start the SCIM provisioning setup assistant

  1. Retrieve your enterprise. For more information, see Retrieving and viewing your enterprise.

  2. Go to Administration > SSO & Provisioning.

  3. In the top right corner, select the Edit Configuration button. If this button is not available, you must first set up SSO in your enterprise: see Setting up SSO. The Configure Your Connection page opens.

  4. Select Provisioning. The SCIM provisioning setup assistant opens.

You will copy values from the SCIM provisioning setup assistant to your identity provider's application for SonarQube Cloud.

2. Set up SCIM provisioning in your identity provider

In this step, you will configure your identity provider’s application for SonarQube Cloud by copying values from SonarQube Cloud’s SCIM provisioning setup assistant. The configuration depends on your identity provider.

With Okta

  1. In Okta, open the application used to manage Single Sign-On in SonarQube Cloud.

  2. In the General tab, in App Settings, select Edit.

  3. In Provisioning, select SCIM and save. The Provisioning tab is added to your application.

  4. Open the Provisioning tab.

  5. In SCIM Connection, set the parameters as explained in the table below.

     | Field or section | Value |
     |---|---|
     | SCIM connector base URL | Copy-paste the Provisioning Endpoint URL from SonarQube Cloud’s setup assistant. |
     | Unique identifier field for users | Copy-paste the User ID attribute value in Required attributes from SonarQube Cloud’s setup assistant. |
     | Supported provisioning actions | Select the following options: Import New Users and Profile Updates; Push New Users; Push Profile Updates. |
     | Authentication Mode | HTTP Header |

  6. In SonarQube Cloud’s SCIM provisioning setup assistant, select Generate Token in the Bearer Token section.

  7. Copy the generated token by selecting the Copy And Close button.

  8. In your identity provider, in the HTTP Header section, paste the token into Bearer.

  9. Select Test Connector Configuration. The test starts. Note that only user deprovisioning is currently supported in SonarQube Cloud.

  10. Close the test configuration window.

  11. Select Save.

  12. In SonarQube Cloud’s SCIM provisioning setup assistant, select Done.

With Microsoft Entra ID

  1. In Microsoft Entra ID, go to Identity > Applications > Enterprise applications > All applications and select the application created for SonarQube Cloud.

  2. On the application’s page, select Provisioning in the left-hand side menu.

  3. In the top menu bar, select New configuration.

  4. In Admin credentials, set the fields as described in the table below.

     | Field | Description |
     |---|---|
     | Select authentication method | Select Bearer authentication. |
     | Tenant URL | Copy-paste the Provisioning Endpoint URL from SonarQube Cloud’s setup assistant. Warning: Currently, you have to follow the additional step defined in Flags to alter the SCIM behavior and add ?aadOptscim062020 to the end of the URL value. |
     | Secret token | In SonarQube Cloud’s SCIM provisioning setup assistant, select Generate Token in the Bearer Token section. Copy the generated token and paste it into this field. |

  5. Select the Test connection button. You should see a success pop-up at the top right corner of the page.

  6. Select the Create button.

  7. In the left-hand side menu, select Attribute mapping.

  8. Select Provision Microsoft Entra ID Groups. The Attribute Mapping dialog for groups opens.

  9. In the dialog, disable the feature (set Enabled to No) and save.

  10. Return to the previous page and select Provision Microsoft Entra ID Users. The Attribute Mapping dialog for users opens.

  11. Ensure the feature is enabled (Enabled is set to Yes) and the Create, Update and Delete actions are selected in Target Object Actions.

  12. In Attribute Mappings, map the userName customappsso Attribute (target) to the Microsoft Entra ID Attribute (source) used as SAML user login attribute in your SAML configuration. For example, if your login attribute is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in your SonarQube Server’s SAML configuration and it is mapped to user.userprincipalname (default), use userprincipalname here. Otherwise, if it is mapped to user.mail, then use mail instead.

  13. Click Save. This takes you back to the Provisioning page.

  14. Ensure that Provisioning Mode is Automatic.

  15. Open the Settings section and in the Scope subsection, select Sync only assigned users and groups.

  16. Set the Provisioning Status to On and click Save.

  17. Go back to the Overview page and select the Start provisioning button.

  18. In SonarQube Cloud’s SCIM provisioning setup assistant, select Done.

Microsoft Entra ID runs a SCIM synchronization every 40 minutes. Changes in Microsoft Entra ID are not reflected immediately in SonarQube Cloud.

With JumpCloud

  1. In JumpCloud, open the application used to manage Single Sign-On in SonarQube Cloud and open the Identity Management tab.

  2. In Configuration Settings > Service Provider (SP) Configuration, set the fields as explained in the table below.

     | Field | Description |
     |---|---|
     | API Type | Select SCIM API. |
     | SCIM Version | Select SCIM 2.0. |
     | Base URL | 1. Copy-paste the Provisioning Endpoint URL from SonarQube Cloud’s setup assistant. 2. Remove the trailing slash from the URL. This step is very important. The SCIM connection will fail if the URL has a trailing slash. |
     | Token Key | In SonarQube Cloud’s SCIM provisioning setup assistant, select Generate Token in the Bearer Token section. Copy the generated token and paste it to this field. |
     | Test User Email | Enter any email address. |

  3. Select the Test Connection button. If the test was successful, proceed with the setup.

  4. Unselect the Enable management of User Groups and Group Membership in this application option, and select Activate.

  5. In SonarQube Cloud’s SCIM provisioning setup assistant, select Done.
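
The URL rules from the identity provider sections above (Okta uses the Provisioning Endpoint URL as copied, Microsoft Entra ID needs ?aadOptscim062020 appended, JumpCloud needs the trailing slash removed), as an added example that is not part of SonarQube Cloud or its documentation. The sample endpoint, the https check and the helper name idp_scim_url are assumptions made for illustration; the real URL comes from the setup assistant.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

ENTRA_FLAG = "aadOptscim062020"  # flag named in the Microsoft Entra ID table above

# Constructed placeholder; the real value is the Provisioning Endpoint URL
# shown in SonarQube Cloud's SCIM provisioning setup assistant.
SAMPLE_ENDPOINT = "https://scim.example.invalid/scim/v2/"


def idp_scim_url(endpoint: str, idp: str) -> str:
    """Return the URL to paste into the identity provider (hypothetical helper)."""
    parts = urlsplit(endpoint.strip())
    # Check added here (an assumption, not a documented requirement): the
    # bearer token is sent to this URL on every SCIM call, so reject anything
    # that is not an absolute https:// URL.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("expected an absolute https:// URL")
    path, query = parts.path, parts.query
    if idp == "okta":
        pass  # SCIM connector base URL: used exactly as copied
    elif idp == "jumpcloud":
        path = path.rstrip("/")  # Base URL: the connection fails with a trailing slash
    elif idp == "entra":
        # Tenant URL: append the flag once, even if the URL already has a query.
        names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
        if ENTRA_FLAG not in names:
            query = f"{query}&{ENTRA_FLAG}" if query else ENTRA_FLAG
    else:
        raise ValueError(f"unknown identity provider: {idp!r}")
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


if __name__ == "__main__":
    for idp in ("okta", "entra", "jumpcloud"):
        print(f"{idp:10} {idp_scim_url(SAMPLE_ENDPOINT, idp)}")
```
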

3. Enable the SSO connection with SCIM

Once you have enabled the connection to your identity provider, your users will be able to authenticate to SonarQube Cloud through SSO, and SCIM provisioning will apply.

To enable the connection to your identity provider:

  1. In SonarQube Cloud's Configure Your Connection page, select Enable connection. A confirmation dialog opens.

  2. Select Proceed.
