SAML SSO authentication
On this page
With the Enterprise plan, you can transition from the DevOps platform authentication mode to Single Sign On (SSO) with any identity provider (IdP) that supports SAML. SonarQube Cloud uses the Service Provider (SP) initiated SAML.
With SSO you benefit from:
- Increased security and a single source of truth for user authentication.
- Automatic group synchronization.
- Just-in-Time user provisioning.
When a user signs up with SonarQube Cloud with SSO for the first time, their SAML SSO user account is automatically created in SonarQube Cloud.
SAML SSO is set up for a given enterprise (see Setting up your enterprise). At SSO login time, users select the enterprise they want to access.
User login format
When creating a new user login, SonarQube Cloud systematically adds a random suffix to the login name to manage user misidentification risk.
When setting up API-based automations related to users, don't use the login field to retrieve a user. Use the email field instead.
Limitations
In a SAML-SSO-enabled enterprise:
- SAML SSO users cannot be added to organizations outside of their enterprise.
- The GitHub member synchronization is disabled on any organization of the enterprise.
- Currently, a SAML SSO user cannot bind a SonarQube Cloud organization to its corresponding Bitbucket Cloud workspace. They must use their DevOps platform (DOP) account to perform the binding.
Related pages
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
