
Authentication and provisioning overview

SonarQube comes with its own user database, as well as the ability to delegate authentication via protocols and providers. Each method offers:

  • user identity management
  • authentication
  • user and group provisioning 
  • group synchronization (optional)

Supported authentication methods

You can use one of the following methods to delegate SonarQube authentication to your existing authentication system:

  • HTTP header
  • LDAP
  • SAML with:
    • Microsoft Entra ID
    • Keycloak
    • Okta
  • GitHub 
  • Bitbucket Cloud 
  • GitLab 

Just-in-Time provisioning

In SonarQube Community Build, you can only provision users with Just-in-Time (JIT). Permissions themselves are still managed in SonarQube. The most effective way to handle permissions is to grant them to groups rather than to individual users, directly and/or through permission templates, and then manage group membership using one of the provisioning methods.

With Just-in-Time provisioning, user accounts are created in SonarQube when users log in for the first time. Groups must be manually created by administrators. However, memberships are automatically updated at each user login.

Group synchronization

When using group synchronization, the following details apply regardless of which delegated authentication method is used:

  • Memberships in a group are synchronized only if a group with the same name exists in SonarQube.  
  • Memberships in synchronized groups override any membership configured locally in SonarQube. When enabling group synchronization, manually added group memberships get reset.
  • Memberships in the default built-in sonar-users group remain even if the group does not exist in the identity provider.

For specific details about group synchronization, refer to each provider's group synchronization section. 

To ensure that the group synchronization can take place properly, verify that (see Managing groups):

  • The user groups defined in your IdP service exist in your SonarQube Community Build, i.e. a group with the same (context-sensitive) name exists.
  • The user groups in SonarQube Community Build have the correct permissions.

User login format

When creating a new user login, SonarQube systematically adds a random suffix to the login name to reduce the risk of misidentifying users. See also About user and identity provider IDs in LDAP for more information.

Revoking tokens for deactivated users

When SonarQube authentication is delegated to an external identity provider, deactivating a user on the identity provider side does not remove any tokens associated with the user on the SonarQube side. We recommend deactivating the user in SonarQube to ensure tokens associated with that user can no longer be used. See Deactivating user accounts.
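A reconciliation script for this, as an added example rather than SonarQube's own tooling: it takes the identities disabled in the IdP, finds the matching SonarQube accounts and deactivates them through the Web API, which is what makes their tokens stop working. It assumes an administrator token, the api/users/search and api/users/deactivate endpoints, and that api/users/search returns the externalProvider, externalIdentity, active and tokensCount fields to administrators (check this against your version); SAMPLE_USERS is a constructed sample of that response.

```python
import base64
import json
import urllib.parse
import urllib.request
# Constructed sample of api/users/search output, trimmed to the fields used.
SAMPLE_USERS = [
    {"login": "alice-12345", "active": True, "externalProvider": "saml",
     "externalIdentity": "alice@example.com", "tokensCount": 2},
    {"login": "alice", "active": True, "externalProvider": "sonarqube",
     "externalIdentity": "alice", "tokensCount": 1},
    {"login": "bob-67890", "active": False, "externalProvider": "saml",
     "externalIdentity": "bob@example.com", "tokensCount": 0},
]

def plan_deactivations(sonar_users, idp_deactivated, provider):
    """Logins to deactivate in SonarQube for accounts disabled in the IdP.
    Match on the external identity, not the SonarQube login: SonarQube adds a
    random suffix to logins it creates, and a local 'alice' may also exist."""
    wanted = {ident.lower() for ident in idp_deactivated}
    return [
        {"login": u["login"], "tokens": u.get("tokensCount", 0)}
        for u in sonar_users
        if u.get("active", True)                      # skip already deactivated
        and u.get("externalProvider") == provider     # skip local / other IdP
        and u.get("externalIdentity", "").lower() in wanted
    ]

def _call(base_url, token, path, params, method="GET"):
    """Minimal Web API call; the admin token is sent as the basic-auth user."""
    query, url = urllib.parse.urlencode(params), f"{base_url.rstrip('/')}/{path}"
    data = query.encode() if method == "POST" else None
    req = urllib.request.Request(url if data else f"{url}?{query}", data=data, method=method)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")

def list_users(base_url, token):
    """Page through api/users/search; stopping at page 1 would miss users."""
    users, page = [], 1
    while True:
        body = _call(base_url, token, "api/users/search", {"p": page, "ps": 500})
        users.extend(body.get("users", []))
        if page * body["paging"]["pageSize"] >= body["paging"]["total"]:
            return users
        page += 1

def deactivate(base_url, token, plan):
    """POST api/users/deactivate for each planned login; its tokens go with it."""
    for entry in plan:
        _call(base_url, token, "api/users/deactivate", {"login": entry["login"]}, "POST")
```

Run `deactivate(url, token, plan_deactivations(list_users(url, token), disabled_ids, "saml"))` on a schedule fed from your IdP's deprovisioning feed; the returned plan lists the token count per account so the run can be logged before anything is changed.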


© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.