Step 1: Verify the user groups of the enterprise's organizations
Before configuring Single Sign-On, you must ensure that the automatic group synchronization can take place properly. To do so, verify that:
- The user groups defined in your IdP service exist in the relevant organizations of your SonarQube Cloud enterprise (i.e. a group with the same, case-sensitive, name exists in each relevant organization).
- The user groups in SonarQube Cloud have the correct permissions.
To manage the user groups in SonarQube Cloud, see Managing the user groups in your organization.
In Okta
Automatic synchronization applies to a group if the group in Okta and the corresponding group in the SonarQube Cloud organization have the same (case-sensitive) name. Note that SonarQube Cloud's default Members group is excluded from the synchronization.
The figure below shows on the left groups defined in Okta and on the right the corresponding groups defined in SonarQube Cloud in two different organizations (OrgA and OrgB). In this example, the SSO users belonging to ENT_ORGA_ADMINS will be automatically added to the corresponding EN_ORG_ADMINS group in SonarQube Cloud. This means that they will have access to OrgA with the permissions defined in SonarQube Cloud.

In Microsoft Entra ID
Automatic synchronization applies to a group if the group in Microsoft Entra ID and the corresponding group in the SonarQube Cloud organization have the same (case-sensitive) name. Note that SonarQube Cloud's default Members group is excluded from the synchronization.
The figure below shows on the left groups defined in Microsoft Entra ID and on the right the corresponding groups defined in SonarQube Cloud in two different organizations (Docs-Team and claudiasonarova 2023). In this example, the SSO users belonging to Communications will be automatically added to the corresponding Communications group in SonarQube Cloud. This means that they will have access to the Docs-Team organization with the permissions defined in SonarQube Cloud.

- Group synchronization doesn't work with Microsoft Entra ID's nested groups.
- Microsoft Entra ID's SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table). If a user exceeds this limit, you might need to reduce the number of groups the user is in.
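The matching rules described above for Okta and Microsoft Entra ID (exact, case-sensitive name; Members excluded) can be checked before SSO is enabled by comparing the two sets of names. The following is an added example, not SonarQube Cloud code: the function names are hypothetical, and the group lists are constructed sample data to be replaced with names exported from your IdP and your organizations.

```python
# Pre-flight check: which IdP groups will actually synchronize?
# Rules taken from this page: names must match exactly (case-sensitive),
# and the default Members group is excluded from synchronization.

EXCLUDED = {"Members"}

# Constructed sample data (not real exports).
IDP_GROUPS = ["ENT_ORGA_ADMINS", "ENT_ORGB_DEVS", "Communications",
              "Members", "ENT_AUDITORS"]
ORG_GROUPS = {
    "OrgA": ["ENT_ORGA_ADMINS", "Members"],
    "OrgB": ["ent_orgb_devs", "Members"],       # differs only by case
    "Docs-Team": ["Communications", "Members"],
}


def check_group_sync(idp_groups, org_groups):
    """Return {idp_group: {"excluded", "synced", "case_mismatch"}}."""
    report = {}
    for name in idp_groups:
        entry = {"excluded": name in EXCLUDED, "synced": [], "case_mismatch": {}}
        if not entry["excluded"]:
            for org, groups in org_groups.items():
                if name in groups:
                    entry["synced"].append(org)
                    continue
                # Same letters, different case: looks right but will not sync.
                near = [g for g in groups if g.casefold() == name.casefold()]
                if near:
                    entry["case_mismatch"][org] = near[0]
        report[name] = entry
    return report


def status(entry):
    """Collapse one report entry into a single actionable status."""
    if entry["excluded"]:
        return "excluded"
    if entry["case_mismatch"]:
        return "case_mismatch"
    return "synced" if entry["synced"] else "missing"


if __name__ == "__main__":
    for group, entry in check_group_sync(IDP_GROUPS, ORG_GROUPS).items():
        print(f"{group:18} {status(entry):14} {entry['synced']} {entry['case_mismatch']}")
```

Groups reported as `case_mismatch` or `missing` are the ones whose members would sign in through SSO without receiving the permissions you expected.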