SCIM migration of users is erroring out

SCIM migration of users using below API is erroring out “Operation not allowed when the instance is externally managed”. Please help.
API:curl -X POST -u {{token}}: “{{baseurl}}/api/users/update_identity_provider?login={{username}}&newExternalIdentity={{externalidentity}}&newExternalProvider=saml”

Hello @krishnadas.n ,

Since you are using SCIM protocol with SAML, this means that any SonarQube users and groups linked to your IdP are managed by your IdP, not SonarQube.

Your 400 error “Operation not allowed when the instance is externally managed” seems to be expected. If you are encountering that error when using the POST api/users/update_identity_provider (as described in our SonarQube Community guide Migrating SonarQube Users Between Identity Providers (with a focus on LDAP → SAML) ), then you should make sure of the following:

  • When you enable SCIM in your IDP, the IDP will start its provisioning mechanism. As part of this, it will try to create all the users that are assigned to the application.
    • On receiving a request to create a user, SonarQube checks existing SAML users - if there is a user with a matching external identity, the local user is converted to a managed one. If there is no match, a new managed user is created.
  • If you are using the sonar-auth-aad plugin, before enabling SCIM, you need to migrate existing users associated with the sonar-auth-aad plugin authentication method to SAML. Once all the users are converted (and it’s been extensively tested that they can log in) you can proceed with enabling SCIM.
1 Like