# Overview of authentication and provisioning

SonarQube comes with its own user database, as well as the ability to delegate authentication via protocols and providers. Each method offers:

* user identity management
* authentication
* user and group provisioning
* group synchronization (optional)

{% hint style="warning" %}
For security reasons, it is highly recommended that the default built-in administrator group’s name (**sonar-administrators**, see [Managing groups](/sonarqube-community-build/instance-administration/user-management/user-groups.md#group-concept)) be changed. If group synchronization is used, this group may be used to gain unauthorized access.
{% endhint %}

## Supported authentication methods <a href="#supported-authentication-methods" id="supported-authentication-methods"></a>

You can use one of the following authentication methods to allow the same authentication between SonarQube and your authentication system:

* HTTP header
* LDAP
* SAML with:
  * Microsoft Entra ID
  * Keycloak
  * Okta
* GitHub
* Bitbucket Cloud
* GitLab

{% hint style="warning" %}
Using an authentication method that is not supported by SonarQube can lead to a security breach. Sonar declines any responsibility in this regard.
{% endhint %}

## Just-in-Time provisioning <a href="#just-in-time-provisioning" id="just-in-time-provisioning"></a>

In SonarQube Community Build, you can only provision users with Just-in-Time (JIT). Permissions themselves are still managed in SonarQube. The most effective way to handle permissions is to grant them to groups rather than to individual users, either directly and/or through permission templates, and then manage group membership using one of the provisioning methods.

{% hint style="info" %}
Automatic provisioning is supported by other SonarQube deployments. See [Feature comparison table](/sonarqube-community-build/feature-comparison-table.md) for more information.
{% endhint %}

With Just-in-Time provisioning, user accounts are created in SonarQube when users log in for the first time. Groups must be manually created by administrators. However, memberships are automatically updated at each user login.

### Group synchronization <a href="#group-synchronization" id="group-synchronization"></a>

When using group synchronization, the following details apply regardless of which delegated authentication method is used:

* Memberships in a group are synchronized only if a group with the same name exists in SonarQube.
* Memberships in synchronized groups override any membership configured locally in SonarQube. When enabling group synchronization, *manually added* group memberships get reset.
* Memberships in the default built-in *sonar-users* group remain even if the group does not exist in the identity provider.

For specific details about group synchronization, refer to each provider’s group synchronization section.

{% hint style="info" %}
When group synchronization is configured, group memberships can only be managed from the delegated authentication source, and the user’s groups are re-fetched with each login. It is not possible to use both manual group memberships and group synchronization (via your ALM integration) for the same user.
{% endhint %}

To ensure that group synchronization can take place properly, verify the following (see [Managing groups](/sonarqube-community-build/instance-administration/user-management/user-groups.md)):

* The user groups defined in your IdP service exist in your SonarQube Community Build (i.e. a group with the same (context-sensitive) name exists).
* The user groups in SonarQube Community Build have the correct permissions.
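The following Python script is an added example and is not part of the SonarQube documentation or product. It models the three membership rules above so an administrator can predict what a user's group memberships will look like after login, and it flags the IdP groups that would be silently dropped because no SonarQube group of the same name exists. It assumes that group names are compared as exact strings, that `sonar-users` is the default group name, and that the group lists are plain strings; the sample data is constructed.

```python
"""Model of SonarQube's group-synchronization rules (added example, not product code).

Assumptions: group names are compared exactly (case-sensitive); `sonar-users`
is the default built-in group that is always kept; all inputs are plain strings.
"""
from dataclasses import dataclass

DEFAULT_GROUP = "sonar-users"  # kept even when the IdP does not know it


@dataclass
class SyncReport:
    effective_groups: set        # memberships the user ends up with after login
    dropped_idp_groups: set      # IdP groups with no same-named SonarQube group
    reset_manual_groups: set     # manually added memberships overridden by sync
    case_mismatches: dict        # IdP name -> SonarQube name differing only by case


def synchronize(local_groups, manual_memberships, idp_groups):
    """Apply the three documented rules to one user and return a SyncReport."""
    local = set(local_groups)
    idp = set(idp_groups)
    manual = set(manual_memberships)

    # Rule 1: an IdP membership is synchronized only if a SonarQube group with
    # exactly the same name exists.
    matched = {g for g in idp if g in local}

    # Rule 3: membership in the default built-in group is always retained.
    effective = matched | {DEFAULT_GROUP}

    # Rule 2: synchronized memberships override local ones, so any manually
    # added membership that the IdP does not confirm is reset.
    reset_manual = manual - effective

    # Helper for administrators (not a SonarQube rule): point out IdP groups that
    # fail to match only because of letter case, a common setup mistake.
    dropped = idp - matched
    by_lower = {g.lower(): g for g in local}
    case_mismatches = {
        g: by_lower[g.lower()] for g in dropped if g.lower() in by_lower
    }
    return SyncReport(effective, dropped, reset_manual, case_mismatches)


# Constructed sample data for one user.
LOCAL_GROUPS = {"sonar-users", "sonar-administrators", "dev-team",
                "QA-Team", "release-managers"}
MANUAL_MEMBERSHIPS = {"release-managers", "sonar-users"}   # added by an admin
IDP_GROUPS = {"dev-team", "qa-team", "platform-ops"}        # as sent by the IdP


if __name__ == "__main__":
    report = synchronize(LOCAL_GROUPS, MANUAL_MEMBERSHIPS, IDP_GROUPS)
    print("effective memberships :", sorted(report.effective_groups))
    print("dropped IdP groups    :", sorted(report.dropped_idp_groups))
    print("reset manual groups   :", sorted(report.reset_manual_groups))
    for idp_name, local_name in report.case_mismatches.items():
        print(f"case mismatch: IdP '{idp_name}' vs SonarQube '{local_name}'")
```

Run the script with the list of groups your IdP actually sends for a test user; every entry in `dropped_idp_groups` is a group whose permissions that user will not receive, and a case mismatch usually means the SonarQube group needs to be renamed to match the IdP exactly.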

## User login format <a href="#user-login-format" id="user-login-format"></a>

When creating a new user login, SonarQube systematically adds a random suffix to the login name to manage user misidentification risk. See also [LDAP](/sonarqube-community-build/instance-administration/authentication/ldap.md#user-identification) for more information.

{% hint style="warning" %}
If email addresses are used as login names in your SonarQube, make sure the Identity Provider doesn’t use the same email address with different letter cases, for example, `my.user@myorg.com` and `My.User@myorg.com`. SonarQube performs a case-sensitive login name check but a case-insensitive email address check. The email address check’s purpose is to verify that the same SCM account is not associated with several SonarQube accounts (the SCM account association should be unique; see [Associating with SCM account](/sonarqube-community-build/instance-administration/user-management/updating-scm-details.md#about-associated-scm-accounts)). Otherwise, SonarQube may reject the login attempt.
{% endhint %}
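As an added example (not SonarQube code), the script below audits an IdP user export for the situation described in the warning above: accounts whose email addresses are identical once letter case is ignored. Such accounts are distinct for a case-sensitive login check but collide under a case-insensitive email check. It assumes the export is available as `(login, email)` pairs; the sample rows are constructed.

```python
"""Find IdP accounts whose email addresses collide case-insensitively
(added example, not SonarQube code).

Assumption: the IdP export is a list of (login, email) tuples.
"""
from collections import defaultdict

# Constructed sample export, including the case documented above.
SAMPLE_ACCOUNTS = [
    ("jdoe", "jdoe@myorg.com"),
    ("my.user@myorg.com", "my.user@myorg.com"),   # email used as login
    ("My.User@myorg.com", "My.User@myorg.com"),   # same address, different case
    ("asmith", "asmith@myorg.com"),
    ("a.smith", " ASmith@myorg.com "),            # stray whitespace from the export
]


def normalize_email(email):
    """Canonical form used for the case-insensitive comparison."""
    return email.strip().lower()


def find_email_case_collisions(accounts):
    """Return {normalized email: sorted [(login, email), ...]} for every address
    that maps to more than one account once case and whitespace are ignored.
    An empty dict means the export is safe with respect to this check."""
    groups = defaultdict(list)
    for login, email in accounts:
        groups[normalize_email(email)].append((login, email))
    return {key: sorted(rows) for key, rows in groups.items() if len(rows) > 1}


def collision_count(accounts):
    """Number of colliding addresses; handy as a CI gate before enabling delegation."""
    return len(find_email_case_collisions(accounts))


if __name__ == "__main__":
    for email, rows in find_email_case_collisions(SAMPLE_ACCOUNTS).items():
        logins = ", ".join(f"{login} <{raw}>" for login, raw in rows)
        print(f"{email}: {len(rows)} accounts share this address: {logins}")
```

Resolve every reported address in the IdP before users log in: either merge the duplicate accounts or give them genuinely different email addresses, since SonarQube treats the spellings as one address.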

## Revoking tokens for deactivated users <a href="#revoking-tokens-for-deactivated-users" id="revoking-tokens-for-deactivated-users"></a>

When SonarQube authentication is delegated to an external identity provider, deactivating a user on the identity provider side does not remove any tokens associated with the user on the SonarQube side. We recommend deactivating the user in SonarQube to ensure tokens associated with that user can no longer be used. See [Deactivating users](/sonarqube-community-build/instance-administration/user-management/deactivating-users.md).

## Related pages

* [Managing permissions](/sonarqube-community-build/instance-administration/user-management/user-permissions.md#permission-templates)
