SCIM provisioning with Azure AD
Automatic provisioning through SCIM is available starting in Enterprise Edition.
You can enable SCIM to automate user and group provisioning from Azure AD to SonarQube. For an overall understanding of the feature, read the SCIM Overview page.
Prerequisite: You have a working SAML configuration.
1. Within SonarQube, go to Administration > Authentication > SAML.
2. Under Provisioning, click Automatic user and group provisioning with SCIM.
3. Click Save and validate the pop-up window if you are sure you want to enable SCIM.
SCIM is now enabled in SonarQube and will handle all the queries coming from Azure AD about users and groups.
Step 1: In Azure AD, go to Your SonarQube application > Provisioning.
Step 2: On the Provisioning page, click Get started.
Step 3: Under Provisioning Mode, select Automatic.
Step 4: Configure the Admin Credentials section as follows:
- Tenant Url: <Your SonarQube URL>/api/scim/v2
- Secret token: Paste a SonarQube user token for an admin account in this field. For safety reasons, we recommend using a token from a local admin account (not managed through SCIM).
Click Test Connection to check that your credentials are valid, then click Save.
Step 5.a: Under Mappings, click on Provision Azure Active Directory Groups. This opens the Attribute Mapping dialog for groups.
Step 5.b: Under Target Object Actions, make sure that Create, Update, and Delete are enabled.
Step 5.c: In Attribute Mappings, make sure displayName appears in both columns of the mapping. This ensures groups are mapped based on their names.
Step 5.d: Click Save. This takes you back to the Provisioning page. If this was the default configuration, go back to the previous page.
Step 6.a: Under Mappings, click on Provision Azure Active Directory Users. This opens the Attribute Mapping dialog for users.
Step 6.b: Under Target Object Actions, make sure that Create, Update, and Delete are enabled.
Step 6.c: In Attribute Mappings, map the userName customappsso Attribute (target) to the Azure Active Directory Attribute (source) used as SAML user login attribute in your SAML configuration. If you use the email address in your SAML configuration, use
This attribute mapping must match your SAML configuration to prevent the creation of duplicate accounts. To check which Azure AD attribute is used as SAML user login attribute, in SonarQube, go to Administration > Authentication > SAML user login attribute.
Step 6.d: Click Save. This takes you back to the Provisioning page.
Step 7: In the Settings > Scope section, select Sync only assigned users and groups.
Step 8: Set the provisioning status to On and click Save. The Azure AD users and groups will be synchronized with SonarQube.
Azure AD runs a SCIM synchronization every 40 minutes. Changes in Azure AD are not reflected immediately in SonarQube.
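The userName mapping in Step 6.c must match the SAML user login attribute to avoid duplicate accounts. The following added example (not part of the SonarQube documentation) checks a candidate source attribute against the logins of existing SAML accounts before the provisioning status is set to On. The user records, the `id` field, and the exact, case-sensitive comparison are assumptions, and all data is constructed.

```python
# Added example: pre-flight check for the userName mapping (Step 6.c).
# All records are constructed sample data; the "id" field and the
# case-sensitive comparison are assumptions of this example.

# Logins of accounts already created in SonarQube through SAML (constructed).
SONARQUBE_SAML_LOGINS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Azure AD users assigned to the SonarQube application (constructed export).
AZURE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
    {"id": "u2", "userPrincipalName": "bob@corp.example.com", "mail": "bob@example.com"},
    {"id": "u3", "userPrincipalName": "Carol@example.com", "mail": "Carol@example.com"},
    {"id": "u4", "userPrincipalName": "dave@example.com", "mail": None},
]


def check_mapping(source_attribute, azure_users, existing_logins):
    """Classify each Azure AD user by the userName the mapping would send."""
    lowered = {login.lower(): login for login in existing_logins}
    report = {"match": [], "case_differs": [], "no_existing_login": [], "missing_value": []}
    for user in azure_users:
        value = user.get(source_attribute)
        if not value:
            # Nothing to send as userName: this user cannot be provisioned cleanly.
            report["missing_value"].append(user["id"])
        elif value in existing_logins:
            # SCIM userName equals an existing SAML login: same account.
            report["match"].append(value)
        elif value.lower() in lowered:
            # Differs only by case from an existing login: review by hand.
            report["case_differs"].append((value, lowered[value.lower()]))
        else:
            # Either a user who never logged in, or a mapping that does not
            # match the SAML login attribute (a duplicate account would result).
            report["no_existing_login"].append(value)
    return report


if __name__ == "__main__":
    for attribute in ("userPrincipalName", "mail"):
        result = check_mapping(attribute, AZURE_USERS, SONARQUBE_SAML_LOGINS)
        print(attribute, {bucket: len(items) for bucket, items in result.items()})
```

Entries under no_existing_login that belong to people who already sign in through SAML indicate that the chosen source attribute does not match the SAML user login attribute.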