SSO authentication
With the Enterprise plan, you can transition your SonarCloud users to Single Sign On (SSO) with any SAML identity provider (IdP).
The SonarQube Cloud Enterprise plan supports a transition from the DevOps platform authentication mode to Single Sign On (SSO) with any identity provider (IdP) that supports SAML. SonarQube Cloud uses the Service Provider (SP) initiated SSO. See the Introduction to Enterprise plans for more information about these and other supported features.
With SSO you benefit from:
Increased security and a single source of truth for user authentication.
Just-in-Time user provisioning; when a user signs up with SonarQube Cloud with SSO for the first time, their SSO user account is automatically created in SonarQube Cloud.
SSO is set up for a given enterprise, see Setting up your enterprise for more details. At SSO login time, users select the enterprise they want to access.
SAML SSO authentication flow
Users log directly into SonarQube Cloud with their SAML SSO credentials which are transmitted to an Auth0 server for authentication. Auth0 functions as the SAML service provider, bridging SonarQube Cloud and the identity provider.
The authentication flow is as follows:
The user enters their login for SAML SSO via SonarQube Cloud.
SonarQube Cloud redirects the authentication request to Auth0.
Auth0 forwards the SAML request to the SAML identity provider.
The SAML identity provider authenticates the user and generates a signed token containing the user’s information and privileges (SAML assertion). It sends the SAML assertion to Auth0. Optionally, the identity provider can encrypt this assertion with SonarQube Server’s certificate. Note that in that case, the SAML response, which contains the encrypted assertion, must be signed.
Auth0 sends the token to SonarQube Cloud.
SonarQube Cloud receives the token, verifies its signature and performs extra authentication checks. If successful, the user is authenticated in SonarQube Cloud.
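As an added example (not SonarQube Cloud's or Auth0's code), here are the structural checks a SAML service provider applies to an incoming Response before the cryptographic signature verification of the last two steps, including the rule above that an encrypted assertion requires the enclosing Response to be signed; the SP entity ID and the two sample responses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(xml_text, expected_audience, now=None):
    """Return policy violations found in a SAML Response (empty list = passes).
    Only structure is checked; cryptographic XML-DSig verification comes after."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]
    problems = []
    response_signed = root.find("ds:Signature", NS) is not None
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Encrypted assertion: the Response that wraps it must itself be signed,
        # since the assertion's own signature is unreadable until decryption.
        if not response_signed:
            problems.append("encrypted assertion but the Response is not signed")
        return problems
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion or EncryptedAssertion present"]
    if not response_signed and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion is signed")
    # The assertion must be addressed to this service provider, not replayed from another.
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != expected_audience:
        problems.append("audience restriction missing or not for this service provider")
    cond = assertion.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append("assertion validity window missing or expired")
    return problems

# Constructed sample responses (placeholders, not real IdP output); <ds:Signature/>
# stands in for a full XML-DSig block.
SP_ENTITY_ID = "urn:example:sp"  # assumed SP entity ID
SIGNED_ASSERTION = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}"><saml:Assertion><ds:Signature/>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
  <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""
ENCRYPTED_UNSIGNED = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:EncryptedAssertion/></samlp:Response>"""
```

A real deployment runs these checks and then verifies the XML signature with the IdP certificate configured in Auth0; a passing structural check alone never authenticates a user.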

User login format
When creating a new user login, SonarQube Cloud systematically adds a random suffix to the login name to mitigate the risk of user misidentification.
Limitations
In an SSO-enabled enterprise:
SSO users cannot be added to organizations outside of their enterprise.
The GitHub member synchronization is disabled on any organization of the enterprise.
Currently, an SSO user cannot bind a SonarQube Cloud organization to its corresponding Bitbucket Cloud workspace. They must use their DevOps platform (DOP) account to perform the binding.