Configuring SAML SSO with Microsoft Entra ID
To set up SAML SSO with Microsoft Entra ID, first open the SSO setup assistant as described below:
- In SonarQube Cloud, retrieve your enterprise.
- Select Administration > Single Sign-On. The Single Sign-On page opens.
- Select Open Configuration and then Get started. The setup assistant opens.
- Select Custom SAML.
- Follow the steps described below.
- Group synchronization doesn't work with Microsoft Entra ID's nested groups.
- Microsoft Entra ID's SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table). In such cases, you might need to reduce the number of groups the user is in.
Step 1: Create the SonarQube Cloud application in Microsoft Entra ID

1. In Microsoft Entra ID, go to Applications > Enterprise applications > All applications.
2. Select New application and then Create your own application.
Make sure you choose Create your own application. Do not select the non-affiliated Sonarqube Microsoft Entra Gallery app, which contains configurations that may prevent proper integration.
3. Fill in the name and select the Integrate any other application you don't find in the gallery option.
4. Select Create.
5. From the Manage section of the SonarQube Cloud application, go to Single sign-on > SAML.
6. In the Basic SAML Configuration section, select Edit, fill in the Identifier and the Reply URL fields as described below, and save.
Identifier and Reply URL fields
Field | Description |
---|---|
Identifier | Copy-paste the Service Provider Identity ID field value from the setup assistant. |
Reply URL | Copy-paste the Single Sign-On URL field value from the setup assistant. |
5. In the setup assistant, select Next to go to the step 2. Configure Connection.
Step 2: Configure the connection

- In your SonarQube Cloud application in Microsoft Entra ID, go to SAML Certificates. Copy the value of the App Federation Metadata Url field and paste it into the Metadata URL field in the Automatic tab of the setup assistant page.
- In the assistant, select Create Connection and Proceed. SonarQube Cloud is trying to connect to your Identity Provider. If the connection is established, the assistant moves to step 3. Attribute Mapping.
Step 3: Set up the attributes
1. In the Attributes & Claims section of your SonarQube Cloud application in Microsoft Entra ID, configure the attributes used by SonarQube Cloud as described below. To add an attribute, select Add new claim.
Attributes
Attribute name | Source attribute | Description | |
---|---|---|---|
Mapping for name | Copy-paste from the assistant. | givenname or your own user name attribute | The full name of the user. The default list of attributes includes |
Mapping for login | Copy-paste from the assistant. | userprincipalname | A unique name to identify the user in SonarQube Cloud. |
Mapping for email | Copy-paste from the assistant. | mail | The email of the user. |
2. Select Add a group claim, and configure the group attribute as described below. Once done, the option to add a group will be unavailable and the group attribute will be listed with the other attributes in the Add new claim tab.
Group attribute
The group attribute is used for automatic group synchronization.
Parameter or option | Value |
---|---|
Group Claims | Groups assigned to the application |
Source attribute | Cloud-only group display names or (if using on-prem Active Directory for group synchronisation) sAMAccountName |
Emit group name for cloud-only groups |
|
Advanced options > Customize the name of the group claim > Name | groups (copy-paste from the setup assistant) |

3. In the assistant, select Next to go to the step 4. Test SSO.
Step 4: Test SSO
Select the Test Connection button. The test is started and the results are displayed on the page as illustrated below.

If the test was successful, select Done.
Related pages
Was this page helpful?