Start FreeLogin

Step 1: Verify the user groups

Before configuring SSO for your SonarQube Cloud enterprise, you must ensure that the automatic group synchronization can take place properly.

Before configuring SSO authentication, you must ensure that the Automatic group synchronization can take place properly. To do so, verify that:

  • The user groups defined in your IdP service exist in the relevant organizations of your SonarQube Cloud enterprise (i.e. a group with the same (context-sensitive) name exists in the relevant organization(s)).

  • The user groups in SonarQube Cloud have the correct permissions.

To manage the user groups in SonarQube Cloud, see Managing user groups.

In Okta

The automatic group synchronization of a group applies if the group in Okta and the corresponding group in the SonarQube Cloud organization have the same (case-sensitive) name. Note that the default SonarQube Cloud’s Members group is excluded from the synchronization.

The figure below shows on the left groups defined in Okta and on the right the corresponding groups defined in SonarQube Cloud in two different organizations (OrgA and OrgB). In this example, the SSO users belonging to ENT_ORGA_ADMINS will be automatically added to the corresponding EN_ORG_ADMINS group in SonarQube Cloud. it means that they will have access to OrgA with the permissions defined in SonarQube Cloud.

Okta groups (shown on left as your SSO application) map to SonarQube Cloud groups (shown on right as OrgA and OrgB) in different organizations.

In Microsoft Entra ID

The automatic group synchronization of a group applies if the group in Microsoft Entra ID and the corresponding group in the SonarQube Cloud organization have the same (case-sensitive) name. Note that the default SonarQube Cloud’s Members group is excluded from the synchronization.

The figure below shows on the left groups defined in Microsoft Entra ID and on the right the corresponding groups defined in SonarQube Cloud in two different organizations (Docs-Team and claudiasonarova 2023). In this example, the SSO users belonging to Communications will be automatically added to the corresponding Communications group in SonarQube Cloud. it means that they will have access to the Docs-Team organization with the permissions defined in SonarQube Cloud.

Microsoft Entra ID groups (shown on left as your SSO application) map to SonarQube Cloud groups (shown on right as OrgA and OrgB) in different organizations.

  • Group synchronization doesn’t work with Microsoft Entra ID’s nested groups.

  • Microsoft Entra ID’s SAML tokens have a limit regarding the number of groups a user can belong to (see the description of groups in the Claims in SAML Token table). In such cases, you might need to reduce the number of groups the user is in.

Related pages

PreviousIntroductionNextStep 2: Configure SSO

Last updated

Was this helpful?