How to enable Okta for SSO

🤓 Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your Okta administrator to carry out the tasks below in Okta.
🚨 Careful! SSO group mappings are triggered every time a user authenticates in Atlan. A user may need to log out and then log into Atlan again to view the changes. If a user is added to a new group or removed from an existing one in Okta, the updates will also be reflected in Atlan. To ensure that the sync is successful, the groups that the user belongs to should be mapped in Atlan, and if a group name has changed in Okta, you will need to update the group name in Atlan as well. For any questions about group mapping sync, head over here.

To integrate Okta SSO for Atlan, complete the following steps.

Choose SSO provider (in Atlan)

To choose Okta as your SSO provider, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select Okta and then click Configure.
  4. Under Service provider metadata, copy the Single sign on URL and Audience URI (SP Entity ID).

Set up SAML app (in Okta)

To set up a SAML app, within Okta's administration console:

  1. From the menu on the left, expand Applications and then click on Applications.
  2. At the top of the table, click the Create App Integration button.
  3. In the Create a new app integration dialog, select SAML 2.0 and then click Next.
  4. Under General Settings enter:
    1. For App name, enter a name for the application, such as Atlan.
    2. Click the Next button.
  5. Under SAML Settings - General enter:
    1. For Single sign on URL enter the value you copied from the field of the same name in Atlan above.
    2. Ensure Use this for Recipient URL and Destination URL is enabled.
    3. For Audience URI (SP Entity ID) enter the value you copied from the field of the same name in Atlan above.
  6. Under Attribute Statements (optional) define the following mappings from Name (Name format) on the left to Value on the right:
    1. firstName (Basic) —> user.firstName
    2. lastName (Basic) —> user.lastName
    3. email (Basic) —> user.email
    4. group (Basic) —> user.group
    💪 Did you know? For users assigned to Atlan through SSO, the username will be populated from the username mapping. Otherwise, the username will be the email prefix by default, which users can update while registering on Atlan for the first time.
  7. Under Group Attribute Statements (optional) define the following mappings from Name (Name format) on the left to Filter on the right:
    • memberOf (Unspecified) —> Matches regex [\s\S]+ — for examples of how to filter groups with regex in Okta, refer to Okta documentation. This is required if you want to retain group membership in Atlan.
  8. At the bottom of the form, click the Next button.
  9. Under Help Okta Support understand how you configured this application select I'm an Okta customer adding an internal app and for App type enable This is an internal app that we have created.
  10. Click the Finish button.

Download Okta's metadata file (in Okta)

To download Okta's metadata file, within the Okta app's page:

  1. Open the Sign On tab.
  2. Under the SAML Signing Certificates heading, in the table, click the Actions link under the Actions column.
  3. From the drop-down, click View IdP metadata.
  4. Save the XML file, if it appears in plain text in your browser.

Assign users to the app (in Okta)

To assign users to the app, within the Okta app's page:

  1. Open the Assignments tab.
  2. At the top of the table, click the Assign button and select Assign to People to add individual users or Assign to Groups to add groups.
  3. To the right of each user to whom you want to assign the application, click Assign. To assign the application to a group, you may have to locate it first.
  4. For individual users, confirm that the data is correct in the Assign Atlan to People dialog. For groups, complete the fields in the Assign Atlan to Groups dialog if it appears.
  5. Click Save and Go Back. Repeat steps 3 to 5 for each user or group to which you want to assign the application.
  6. When finished, in the respective dialog box, click Done.

Upload Okta's metadata file (in Atlan)

To complete the configuration of Okta SSO, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select Okta and then click Configure.
  4. To the right of Identity provider metadata click the Import from XML button.
  5. Select the XML file saved from Okta above.
  6. At the bottom of the screen, click Save.

Congratulations — you have successfully set up Okta SSO in Atlan! 🎉

💪 Did you know? By default, users can now log into Atlan with either Okta SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend asking your Okta administrator to provision access to users through Okta and not directly from Atlan. When access has been provided, a user will be able to log into Atlan directly and their profile will be generated automatically.

(Optional) Configure group mappings

🚨 Careful! Before you can configure group mapping, you will first need to create groups in Atlan that correspond to the groups you want to map from Okta to Atlan. In addition, you must configure the memberOf attribute and group mapping to retain group membership in Atlan — irrespective of whether or not you enable SCIM.

To automatically assign Okta users to Atlan groups based on their Okta groups, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Change to the Groups Mapping tab.
  4. To the right of each Atlan group listed:
    1. Under the SSO Groups column, type the name of the corresponding group in Okta to map to the Atlan group on that row — for example, Data Engineering, Business Analysts, and so on. You will need to provide each Okta group with access to Atlan.
    2. Click the Save button on that row.

As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings! 🎉

💪 Did you know? You can configure SCIM provisioning in Okta to manage your users and groups in Atlan. Plus, once you've configured group mapping, you can add the mapped groups to a persona or purpose to auto-assign relevant permissions to users as they sign up in Atlan.
