Hi
We are using SonarQube Server version v10.8 (100206) ACTIVE, deployed with Docker. It is an Enterprise server.
We are trying to provision SCIM with an access token and it is throwing the below error (attached picture) on Okta.
The token is of Global type created by Admin.
We have enabled SCIM provisioning in SonarQube under Administration -> Configuration -> Authentication -> Automatic user and group provisioning with SCIM.
Please advise.
Thanks,
Sam
I suggest you confirm if the Okta request ever reaches SonarQube by checking your access.log file.
If not – you’ll have to sort out what could be between Okta and your SonarQube server. A firewall? Proxy? Do you need to be using an Okta Provisioning Agent to connect to on-prem applications?
If the request is reaching SonarQube, please note what status code is being returned in access.log and report back!
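The access.log check suggested above, as an added example that is not part of the original posts and is not SonarQube's own tooling. It assumes a combined-style access.log layout and that SCIM is served under `/api/scim/v2`; the sample lines, IP addresses and client name are constructed.

```python
import re
import sys
from collections import Counter

# Assumption: SCIM endpoints live under this path prefix; adjust for your instance.
SCIM_PREFIX = "/api/scim/v2"
# Assumption: combined-style layout: host ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2025:09:00:01 +0000] "GET /api/system/status HTTP/1.1" 200 - "-" "curl" "r1"
198.51.100.7 - - [14/Jan/2025:09:02:13 +0000] "GET /api/scim/v2/Users?count=2 HTTP/1.1" 401 - "-" "idp" "r2"
198.51.100.7 - - [14/Jan/2025:09:05:40 +0000] "GET /api/scim/v2/Users?count=2 HTTP/1.1" 200 512 "-" "idp" "r3"
198.51.100.7 - - [14/Jan/2025:09:05:41 +0000] "POST /api/scim/v2/Groups HTTP/1.1" 201 230 "-" "idp" "r4"
192.0.2.10 - - [14/Jan/2025:09:06:00 +0000] "GET /api/scim/v2-docs HTTP/1.1" 404 - "-" "curl" "r5"
truncated line without a request
"""

def scim_requests(lines):
    """Yield (host, method, path, status) for each logged SCIM request."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0]  # drop the query string
        # Match the prefix on a path-segment boundary so /api/scim/v2-docs is excluded.
        if path == SCIM_PREFIX or path.startswith(SCIM_PREFIX + "/"):
            yield m["host"], m["method"], path, int(m["status"])

def summarize(lines):
    """Count SCIM requests by HTTP status code and by source address."""
    by_status, by_host = Counter(), Counter()
    for host, _method, _path, status in scim_requests(lines):
        by_status[status] += 1
        by_host[host] += 1
    return {"total": sum(by_status.values()),
            "by_status": dict(by_status), "by_host": dict(by_host)}

if __name__ == "__main__":
    # Pass the path to access.log as the first argument; falls back to the sample.
    src = (open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1
           else SAMPLE_LOG).splitlines()
    report = summarize(src)
    if report["total"] == 0:
        print("No SCIM requests logged: the IdP's calls are not reaching this server.")
    else:
        print("SCIM requests by status:", report["by_status"], "by source:", report["by_host"])
```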
We are using HTTP instead of HTTPS. (Not yet enabled TLS.) Will try after enabling TLS.
Did not see the SCIM-related requests in the access.log.
If SCIM provisioning is enabled on SonarQube Server 10.8, then do we need a SCIM Connector? This link does not specify the connector: SCIM provisioning with Okta
Simply put, Okta is going to have to communicate with your SonarQube server. Whether that’s because your SQ instance is available over the public internet or via a SCIM connector with an Okta Provisioning Agent is really not our concern. Still, it might be useful to document and I’ll pass along that feedback.
When I go to the documentation page that is specified in the server, I see that SCIM is supported in the Enterprise version along with the instructions.
That being said, do I need a SCIM connector between Okta and the SonarQube on-prem server? Is it a Yes or a No?
First of all – I need to apologize. I was talking about SCIM Connectors when I should have been referring to Okta Provisioning Agents. I’ve updated my previous post. SCIM connector seemed like an awful good name for what Okta Provisioning Agents actually do!
Is your SonarQube Server accessible over the public internet? No, you shouldn’t need to use an Okta provisioning agent. Since your request isn’t making it from Okta to SonarQube, that seems unlikely.
Is your SonarQube Server inaccessible over the public internet? Yes, you would need an Okta provisioning agent. The docs here and here seem important.
I’m not an Okta expert or user – I’m just matching your issue (requests from Okta aren’t making it to your on-prem SonarQube server) with what information Okta makes available to support those setups.
Hi Collin,
After installing Okta Provisioning Agents, we realized that the SCIM config needs the public IP address of the Okta Provisioning Agent. If there is no public IP present for your on-prem unit, then one needs to get it. Please mention this in the docs.
I’ll pass the feedback on! I admit that it tripped me up at first, since using SAML doesn’t require the IDP to have access to on-prem resources. For SCIM however, the IDP must have access to on-prem resources.