Latest | Instance administration | Authentication and provisioning | SAML | SCIM | SCIM provisioning with Azure AD

On this page

SCIM provisioning with Azure AD

Automatic provisioning through SCIM is available starting in Enterprise Edition

You can enable SCIM to automate user and group provisioning from Azure AD to SonarQube. For an overall understanding of the feature, read the SCIM Overview page.

Prerequisites

You have a working SAML configuration.

Configuring SonarQube

1. Within SonarQube, go to Administration > Authentication > SAML.

2. Under Provisioning, click Automatic user and group provisioning with SCIM

3. Click Save and validate the pop-up window if you are sure you want to enable SCIM.

SCIM is now enabled in SonarQube, it will handle all the queries coming from Azure AD about users and groups.


Step 1: In Azure AD, go to Your SonarQube application > Provisioning.

Step 2:  On the Provisioning page, click Get started.

Step 3:  Under Provisioning Mode, select Automatic.

Step 4: Configure the Admin Credentials section as follows: 

    • Tenant Url: <Your SonarQube URL>/api/scim/v2
    • Secret token: Paste a SonarQube user token for an admin account in this field. For safety reasons, we recommend using a token from a local admin account (not managed through SCIM). 

Click Test Connection to check that your credentials are valid, then click Save.

Step 5.a: Under Mappings, click on Provision Azure Active Directory Groups. This opens the Attribute Mapping dialog for groups.

Step 5.b: Under Target Object Actions, make sure that Create, Update, and Delete are enabled.

Step 5.c:  In Attribute Mappings, make sure displayName appears in both columns of the mapping. This ensures groups are mapped based on their names.

How to set up attribute mappings for groups in Azure AD

Step 5.d: Click Save. This takes you back to the Provisioning page. If this was the default configuration, go back to the previous page.

Step 6.a: Under Mappings, click on Provision Azure Active Directory Users. This opens the Attribute Mapping dialog for users.

Step 6.b:  Under Target Object Actions, make sure that Create, Update, and Delete are enabled.

Step 6.c: In Attribute Mappings, map the userName customappsso Attribute (target) to the Azure Active Directory Attribute (source) used as SAML user login attribute in your SAML configuration. If you use the email address in your SAML configuration, use mail here.

How to set up attribute mapping for users in Azure AD

Step 6.d:  Click Save. This takes you back to the Provisioning page.

Step 7:  In the Settings > Scope section, select Sync only assigned users and groups.

Step 8: Set the provisioning status to On and click Save. The Azure AD users and groups will be synchronized with SonarQube.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License