Announcing SCIM for automated user management, with SonarQube Cloud

7 min read


Andrew Osborne

Product Marketing Manager

TLDR overview

  • SonarQube Cloud Enterprise now supports SCIM, enabling automated user and group provisioning through identity providers.
  • What it solves: Eliminates manual user management, closes security gaps when employees leave, and ensures new hires have access on day one.
  • Who it's for: SonarQube Cloud Enterprise customers using Entra ID, Okta, or JumpCloud as their identity provider.
  • How to get started: Register SonarQube Cloud as a SCIM-enabled app in your IdP, generate a bearer token in SonarQube Cloud's enterprise admin settings, and validate with a pilot group before rolling out broadly.

What is SCIM?

For many enterprises, manually managing who can access code is both a security risk and an operational challenge.

SCIM is an open standard that lets identity providers automatically create, update, and delete users in SaaS applications such as SonarQube Cloud.

Instead of manually managing developer access in SonarQube Cloud, your IdP pushes those changes automatically — your corporate directory and SonarQube Cloud stay in sync without anyone having to intervene.

With this GA, SonarQube Cloud Enterprise supports SCIM-based user lifecycle management, so security and platform teams can rely on their IdP as the single source of truth for who can access code and governance data in the cloud.

Why it matters

Eliminate “zombie accounts”

When an employee or contractor leaves, disabling them in the IdP now automatically revokes their access to SonarQube Cloud, terminates active sessions, and removes personal access tokens.

No manual offboarding step, no window where a former employee still has access to source code or reports.

Less work for IT and IAM teams

Creating users, assigning groups, cleaning up stale accounts — SCIM handles all of it at scale. IT and IAM teams maintain one central place to manage access, and the process doesn't depend on manual tickets or human follow-through for every hire or departure.

New hires can contribute on day one

New developers are provisioned and assigned to the right groups before their first login. No waiting for someone to manually grant permissions — they arrive in SonarQube Cloud ready to work.

How it works

SCIM for SonarQube Cloud handles the complete user lifecycle.

Onboarding: When you add a user or group in your IdP, SonarQube Cloud automatically creates the account and mirrors the group structure from your directory. New hires get the right access from the start.

Offboarding: When you remove or disable a user in your IdP, SonarQube Cloud immediately deactivates the account, ends active sessions, and revokes personal access tokens. The IdP is the authority — SonarQube Cloud follows without delay.

How to set it up

Prerequisites

  • SonarQube Cloud Enterprise plan
  • Microsoft Entra ID, Okta, JumpCloud, or any IdP that supports both SAML and SCIM

1. Configure SCIM in your IdP

Register SonarQube Cloud as a SCIM-enabled enterprise app in your IdP. You'll need the SCIM endpoint URL and bearer token from SonarQube Cloud — both are available in the enterprise administration area. Decide which users and groups should be managed via SCIM (for example, your engineering org or security teams).

2. Enable SCIM in SonarQube Cloud

As an enterprise admin, open the SCIM provisioning settings, generate a bearer token, and copy the SCIM endpoint URL into your IdP configuration. Before enabling broadly, define your rollout scope — a single team or region is a good starting point.

3. Validate with a pilot group

Test with a small group first. Confirm that user creation, group assignment, and deprovisioning all behave as expected. Check that offboarded users no longer appear in SonarQube Cloud and that their tokens are gone.

4. Roll out to all relevant groups

Once validated, expand SCIM coverage to all engineering and security groups. From this point, SCIM is the standard way access to SonarQube Cloud is managed — no manual steps required.
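
One way to make the pilot validation in step 3 repeatable, added here as an example and not SonarQube's own tooling: reconcile an IdP export against user records in the SCIM 2.0 ListResponse shape (RFC 7644). The sample data, the `reconcile` function, and the assumption that you can obtain the service-side user list in this shape are constructed for illustration.

```python
import json

# Constructed IdP export for the pilot scope: userName -> desired state
IDP_PILOT = {
    "alice@example.com": {"enabled": True, "groups": {"eng-pilot"}},
    "bob@example.com": {"enabled": False, "groups": set()},  # offboarded
    "carol@example.com": {"enabled": True, "groups": {"eng-pilot", "appsec"}},
}

# Constructed SCIM 2.0 ListResponse describing the service-side accounts
SCIM_LIST = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 4, "Resources": [
  {"userName": "Alice@example.com", "active": true, "groups": [{"display": "eng-pilot"}]},
  {"userName": "bob@example.com", "active": true, "groups": []},
  {"userName": "carol@example.com", "active": true, "groups": [{"display": "eng-pilot"}]},
  {"userName": "dave@example.com", "active": true, "groups": [{"display": "eng-pilot"}]}
]}
""")

def reconcile(idp, scim_list):
    """Compare IdP state with SCIM user resources and return findings by category."""
    svc = {}
    for res in scim_list.get("Resources", []):
        # userName is case-insensitive (RFC 7643); a missing 'active' counts as active
        svc[res["userName"].lower()] = {
            "active": res.get("active", True),
            "groups": {g.get("display") for g in res.get("groups", [])},
        }
    idp = {name.lower(): state for name, state in idp.items()}
    out = {"not_provisioned": [], "still_active": [], "group_drift": []}
    for name, want in sorted(idp.items()):
        have = svc.get(name)
        if want["enabled"]:
            if have is None or not have["active"]:
                out["not_provisioned"].append(name)  # onboarding did not land
            elif have["groups"] != want["groups"]:
                out["group_drift"].append(name)      # group mirror is incomplete
        elif have is not None and have["active"]:
            out["still_active"].append(name)         # offboarded in IdP, live in service
    # Active accounts outside the IdP scope: expected mid-pilot, review before full rollout
    out["unmanaged"] = sorted(n for n, h in svc.items() if n not in idp and h["active"])
    return out

if __name__ == "__main__":
    print(json.dumps(reconcile(IDP_PILOT, SCIM_LIST), indent=2))
```

An empty `still_active` list is the result to require before widening the rollout; any entry there is an account the IdP has disabled but the service still treats as live.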


Learn more

SonarQube Cloud Enterprise includes SSO, IP allowlists, audit logs, bring-your-own-key encryption (BYOK/CMK), and now SCIM. If you want to talk through whether these capabilities fit your environment, contact us.
