How to enable Google for SSO

🤓 Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your Google domain administrator to carry out the tasks below in the Google Admin Center.
🚨 Careful! SSO group mappings are triggered every time a user authenticates in Atlan. A user may need to log out and then log into Atlan again to view the changes. If a user is added to a new group or removed from an existing one in Google, the updates will also be reflected in Atlan. To ensure that the sync is successful, the groups that the user belongs to should be mapped in Atlan, and if a group name has changed in Google, you will need to update the group name in Atlan as well. For any questions about group mapping sync, head over here.

To integrate Google SSO for Atlan, complete the following steps.

Choose SSO provider (in Atlan)

To choose Google as your SSO provider, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select Google and then click Configure.
  4. Under Service provider metadata, copy the ACS URL and Entity ID.

Set up SAML app (in Google Admin Center)

To set up a SAML app, within Google Admin Center:

  1. From the menu on the left, expand Apps and then click on Web and mobile apps.
  2. At the top of the table, click the Add app link and then click Add custom SAML app.
  3. Enter a name for your app, such as Atlan and then click the Continue button.
  4. Under Option 1: Download IdP metadata click the Download metadata button, save the file, and then click the Continue button.
  5. Under Service provider details, enter your Atlan SAML settings:
    1. For ACS URL, enter the value you copied from Atlan above.
    2. For Entity ID, enter the value you copied from Atlan above.
  6. Click the Continue button.
  7. Under Attributes, define the following mappings from Google Directory attributes on the left to App attributes on the right:
    1. Primary email —> email
    2. First name —> firstName
    3. Last name —> lastName
  8. (Optional) To configure group mapping in Atlan, under Group membership (optional), enter the following details:
    1. For Google Groups, select all the Google groups you want to map to Atlan. You can select up to 75 groups in total.
    2. For App attribute, enter memberOf. This is required if you want to retain group membership in Atlan.
  9. At the end of the form, click the Finish button.

Assign users to the app (in Google Admin Center)

To assign users to the app, within Google Admin Center:

  1. From the app page, expand User access.
  2. Under Service status change to ON for everyone and then click Save.

Upload Google's metadata file (in Atlan)

To complete the configuration of Google SSO, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select Google and then click Configure.
  4. To the right of Identity provider metadata click the Import from XML button.
  5. Select the GoogleIDPMetadata.xml file downloaded from Google above.
  6. At the bottom of the screen, click Save.

Congratulations — you have successfully set up Google SSO in Atlan! 🎉

💪 Did you know? By default, users can now log into Atlan with either Google SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend asking your Google domain administrator to provision access to users through the Google Admin Center and not directly from Atlan. When access has been provided, a user will be able to log into Atlan directly and their profile will be generated automatically.

(Optional) Configure group mappings

🚨 Careful! Before you can configure group mapping, you will first need to create groups in Atlan that correspond to the groups you want to map from Google to Atlan. In addition, you must configure the memberOf attribute and group mapping to retain group membership in Atlan.

To automatically assign Google users to Atlan groups based on their Google groups, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Change to the Groups Mapping tab.
  4. To the right of each Atlan group listed:
    1. Under the SSO Groups column, type the name of the corresponding group in Google to map to the Atlan group on that row — for example, Data Engineering, Business Analysts, and so on. You will need to provide each Google group with access to Atlan.
    2. Click the Save button on that row.

As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings! 🎉

💪 Did you know? Once you've configured group mapping, you can add the mapped groups to a persona or purpose to auto-assign relevant permissions to users as they sign up in Atlan.

Related articles

Was this article helpful?
2 out of 2 found this helpful