Ability to manage users via SCIM

Must-share information (formatted with Markdown):

  • which versions are you using: Enterprise Edition, Version 10.0
  • how is SonarQube deployed: Docker, K8s
  • what are you trying to achieve: Set up SCIM Provisioning
  • what have you tried so far to achieve this: we tried this URL /api/scim/v2/users with Postman and there were no users returned.

Can we manage users via SCIM besides creating them?

Hey there.

What IdP are you using? You can find the existing capabilities of SCIM (and associated documentation) here: SCIM overview.

We read the documentation and it talks about user creation, user deletion, etc., but it does not say anything about “read”.

Hey there.

Firstly,

Secondly,

You can retrieve the list of users using APIs in the api/users domain (Web API linked in the footer of your SonarQube instance). Are you expecting your IdP to be able to perform some specific operation with this information, or are you trying to build a separate integration?

We are using SailPoint

Here is the endpoint we are using. It doesn’t return anything right now. We currently have users in our SonarQube instance.

// https://***/api/scim/v2/Users

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "itemsPerPage": 100,
  "totalResults": 0,
  "startIndex": 1,
  "Resources": [
    
  ]
}

Does it only return users created by SCIM?

SCIM is only officially supported for Okta and Azure AD at this time.

Yes, only users provisioned by SCIM would be returned here. You would need to use another API, like GET api/users/search to return all users, including those not managed by SCIM.
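The distinction in the reply above (the SCIM endpoint lists only SCIM-provisioned users, while api/users/search lists everyone) is easy to turn into a check before a migration. The following is an added example, not code from the thread or from SonarSource: it pages through both endpoints and reports the logins that exist in SonarQube but are not managed by SCIM. The sample responses are constructed inline so it runs offline; the HTTP helper assumes a user token sent as a Bearer header, the SCIM `startIndex`/`count` and the api/users/search `p`/`ps` paging parameters, and that a SCIM `userName` equals the SonarQube `login` (adjust the matching if your IdP maps a different attribute).

```python
"""
Diff SonarQube's SCIM user list against its full user list.

Added example (not from the original thread or SonarSource): the SCIM
endpoint only returns SCIM-provisioned users, so accounts that are NOT
managed by the IdP are found by walking both GET /api/scim/v2/Users and
GET /api/users/search and taking the difference.
"""
import json
from typing import Callable, Dict, Iterator, List

# --- Constructed sample responses (not captured from a real instance) ---

# SCIM ListResponse pages (RFC 7644 shape), two SCIM-managed users,
# one resource per page so that pagination is actually exercised.
SCIM_PAGES = [
    {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
     "itemsPerPage": 1, "totalResults": 2, "startIndex": 1,
     "Resources": [{"id": "1", "userName": "alice@example.com"}]},
    {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
     "itemsPerPage": 1, "totalResults": 2, "startIndex": 2,
     "Resources": [{"id": "2", "userName": "bob@example.com"}]},
]

# api/users/search pages; field names ("paging", "users", "login", "active")
# are assumed from the SonarQube Web API documentation.
SEARCH_PAGES = [
    {"paging": {"pageIndex": 1, "pageSize": 2, "total": 3},
     "users": [{"login": "alice@example.com", "active": True},
               {"login": "admin", "active": True}]},
    {"paging": {"pageIndex": 2, "pageSize": 2, "total": 3},
     "users": [{"login": "bob@example.com", "active": True}]},
]


def iter_scim_users(fetch: Callable[[int, int], Dict], page_size: int = 100) -> Iterator[Dict]:
    """Walk a SCIM ListResponse with 1-based startIndex until totalResults is reached."""
    start = 1
    while True:
        page = fetch(start, page_size)
        resources = page.get("Resources", [])
        yield from resources
        # Stop on an empty page or once totalResults is covered; the empty-page
        # check also protects against a server that ignores startIndex.
        if not resources or start + len(resources) > page["totalResults"]:
            return
        start += len(resources)


def iter_search_users(fetch: Callable[[int, int], Dict], page_size: int = 100) -> Iterator[Dict]:
    """Walk api/users/search with p/ps paging until paging.total is reached."""
    page_no, seen = 1, 0
    while True:
        page = fetch(page_no, page_size)
        users = page.get("users", [])
        yield from users
        seen += len(users)
        if not users or seen >= page["paging"]["total"]:
            return
        page_no += 1


def unmanaged_logins(scim_fetch: Callable[[int, int], Dict],
                     search_fetch: Callable[[int, int], Dict]) -> List[str]:
    """Active SonarQube logins that the SCIM endpoint does not report.

    Assumption: SCIM userName == SonarQube login. Inactive users are ignored.
    """
    scim_names = {u["userName"] for u in iter_scim_users(scim_fetch)}
    all_logins = {u["login"] for u in iter_search_users(search_fetch) if u.get("active", True)}
    return sorted(all_logins - scim_names)


# Offline fetchers over the constructed pages (each SCIM page holds one
# resource, so startIndex k maps to page k-1).
def scim_fetch_offline(start_index: int, count: int) -> Dict:
    return SCIM_PAGES[start_index - 1]


def search_fetch_offline(p: int, ps: int) -> Dict:
    return SEARCH_PAGES[p - 1]


def make_http_fetchers(base_url: str, token: str):
    """Fetchers for a live instance (not exercised offline). Assumes a user
    token with system administration rights, sent as a Bearer header."""
    import urllib.parse
    import urllib.request

    def get(path: str, params: Dict) -> Dict:
        url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    scim = lambda start, count: get("/api/scim/v2/Users", {"startIndex": start, "count": count})
    search = lambda p, ps: get("/api/users/search", {"p": p, "ps": ps})
    return scim, search


if __name__ == "__main__":
    print(unmanaged_logins(scim_fetch_offline, search_fetch_offline))  # ['admin']
```

Against a real instance, swap the offline fetchers for `make_http_fetchers(base_url, token)`; a non-empty result lists the accounts that would still rely on non-SCIM provisioning after the switch.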

Thank you Colin!

Hi @Colin, I have one more question. Do you have a guide on migrating from Just-in-Time provisioning to SCIM? How do we migrate to SCIM with existing users?

Thanks

Great question!

The easy answer is that it’s fully transparent and automatic. We match existing users and groups when SCIM is enabled.

Still, this is a big change to how users authenticate, so it might behoove you to back up your database before making the switch, or to enable it on a staging instance first.