Setting up SCIM provisioning with Microsoft Entra ID
Automatic provisioning through SCIM is available starting in Enterprise Edition.
You can enable SCIM to automate user and group provisioning from Microsoft Entra ID (previously known as Azure AD) to SonarQube. For an overall understanding of the feature, read the SCIM Overview page.
Prerequisites
You have a working SAML configuration.
Configuring SonarQube
1. Within SonarQube, go to Administration > Authentication > SAML.
2. Under Provisioning, click Automatic user and group provisioning with SCIM.
3. Click Save and validate the pop-up window if you are sure you want to enable SCIM.
SCIM is now enabled in SonarQube, it will handle all the queries coming from Microsoft Entra ID about users and groups.
Configuring Microsoft Entra ID
Step 1: In Microsoft Entra ID, go to Identity > Applications > Enterprise applications > All applications and select the SonarQube application. On the application's page, select Provisioning.
Step 2: On the Provisioning page, click Get started.
Step 3: Under Provisioning Mode, select Automatic.
Step 4: Configure the Admin Credentials section as follows:
- Tenant Url:
<sqServerBaseUrl>/api/scim/v2 - Secret token: Paste a SonarQube user token for an admin account in this field. For safety reasons, we recommend using a token from a local admin account (not managed through SCIM).
Click Test Connection to check that your credentials are valid, then click Save.
Step 5.a: Under Mappings, click on Provision Microsoft Entra ID Groups. This opens the Attribute Mapping dialog for groups.
Step 5.b: Under Target Object Actions, make sure that Create, Update, and Delete are enabled.
Step 5.c: In Attribute Mappings, make sure displayName appears in both columns of the mapping. This ensures groups are mapped based on their names.
Step 5.d: Click Save. This takes you back to the Provisioning page. If this was the default configuration, go back to the previous page.
Step 6.a: Under Mappings, click on Provision Microsoft Entra ID Users. This opens the Attribute Mapping dialog for users.
Step 6.b: Under Target Object Actions, make sure that Create, Update, and Delete are enabled.
Step 6.c: In Attribute Mappings , map the userName customappsso Attribute (target) to the Microsoft Entra ID Attribute (source) used as SAML user login attribute in your SAML configuration.
For example, if your login attribute is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in your SonarQube’s SAML configuration and it is mapped to user.userprincipalname (default), use userprincipalname here. Otherwise, if it is mapped to user.mail, then use mail instead.
To check which Microsoft Entra ID attribute is used as SAML user login attribute:
- In SonarQube, go to Administration > Authentication > SAML.
- In SAML Configuration > SAML, select Edit. The MS Entra ID attribute is the value of SAML user login attribute.
Step 6.d: Click Save. This takes you back to the Provisioning page.
Step 7: In the Settings > Scope section, select Sync only assigned users and groups.
Step 8: Set the provisioning status to On and click Save. The Microsoft Entra ID users and groups will be synchronized with SonarQube.
Microsoft Entra ID runs a SCIM synchronization every 40 minutes. Changes in Microsoft Entra ID are not reflected immediately in SonarQube.
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
