SAML SSO user accounts
With the Enterprise plan, you can transition from the DevOps platform authentication mode to Single Sign On (SSO) with any identity provider (IdP) that supports SAML. SonarQube Cloud uses the Service Provider (SP) initiated SAML.
With SSO you benefit from:
- Increased security and a single source of truth for user authentication.
- Automatic group synchronization.
SAML SSO is set up for a given enterprise (see Setting up your enterprise). At SSO login time, users select the enterprise they want to access.
Just-In-Time provisioning
When a user signs up with SonarQube Cloud with SSO for the first time, their SAML SSO user account is automatically created in SonarQube Cloud.
User login format
When creating a new user login, SonarQube Cloud systematically adds a random suffix to the login name to manage user misidentification risk.
When setting up API-based automations related to users, don't use the login
field to retrieve a user. Use the email
field instead.
Automatic group synchronization
Groups are used in SonarQube Cloud to manage the user permissions.
With the automatic group synchronization:
- A SAML SSO user in SonarQube Cloud is automatically added to an organization's group within the enterprise if the user is a member of a group with the same name in the IdP. (The check is case-sensitive and excludes the organization’s default Members group.)
- The SAML SSO users added to a SonarQube Cloud user group become members of the respective organization.
If a group with the same name is assigned to several organizations, the SAML SSO account is added to all these groups and thus, is a member of all these organizations.
If a SAML SSO user cannot be added to any group in SonarQube Cloud, they will land on an empty organization page.
Limitations
In a SAML-SSO-enabled enterprise:
- For data protection reasons, SAML SSO users cannot be added to organizations outside of their enterprise.
- The GitHub member synchronization is disabled on any organization of the enterprise.
- Currently, a SAML SSO user cannot bind a SonarQube Cloud organization to its corresponding DevOps platform (DOP) organization. (They must use their DOP account to perform the binding.)
Related pages
Was this page helpful?