Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your Azure AD administrator to carry out the tasks below in Azure AD.
Careful! SSO group mappings are triggered every time a user authenticates in Atlan. A user may need to log out and then log into Atlan again to view the changes. If a user is added to a new group or removed from an existing one in Azure AD, the updates will also be reflected in Atlan. To ensure that the sync is successful, the groups that the user belongs to should be mapped in Atlan, and if a group name has changed in Azure AD, you will need to update the group name in Atlan as well. For any questions about group mapping sync, head over here.
To integrate Azure AD SSO for Atlan, complete the following steps.
Choose SSO provider (in Atlan)
To choose Azure AD as your SSO provider, within Atlan:
- From the left menu on any screen, navigate to Admin.
- Under the Workspace heading, click SSO.
- Under Choose SAML provider, select Azure AD and then click Configure.
- Under Service provider metadata, copy the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Logout Url.
Set up SAML app (in Azure AD)
To set up a SAML app, within Azure's portal:
- From the menu on the left, open Azure Active Directory.
- Under Azure Active Directory | Overview, click the Add button and then Enterprise application.
- Under Browse Azure AD Gallery, click the Create your own application button:
- For What's the name of your app? enter a name, such as Atlan.
- For What are you looking to do with your application? select Integrate any other application you don't find in the gallery (Non-gallery).
- At the bottom of the Create your own application dialog, click the Create button.
- Wait for the application details to be shown; this can take around 1 minute.
- Under Getting Started, within the Set up single sign on tile, click the Get started link.
- Under Select a single sign-on method, click the SAML tile.
- In the upper-right of the Basic SAML Configuration card, click the Edit button and enter:
- For Identifier (Entity ID), click Add identifier and enter the value you copied from Atlan above.
- For Reply URL (Assertion Consumer Service URL), click Add reply URL (twice) and enter the two values you copied from Atlan above. The longer URL should be enabled under the Default column.
- For Logout Url (Optional), enter the value you copied from Atlan above.
- At the top of the page, under Basic SAML Configuration, click the Save button.
- Close the Basic SAML Configuration dialog by clicking X in the upper-right.
- In the upper-right of the Attributes & Claims card, click the Edit button:
- Navigate to the Additional claims section, click each of the following claims to modify their Name exactly as suggested below and remove the Namespace value:
- email -> user.mail
- firstName -> user.givenname
- lastName -> user.surname
- (Optional) username -> ExtractMailPrefix(user.mail)
Did you know? For users assigned to Atlan through SSO, the username will be populated from the username mapping. Otherwise, the username will be the email prefix by default, which users can update while registering on Atlan for the first time.
- To configure group claims:
- From the options along the top, click + Add a group claim.
- In the popover, under Which groups associated with the user should be returned in the claim?, select Groups assigned to the application.
- From the Source attribute dropdown, select Cloud-only group display names (Preview). If you have a hybrid setup, select sAMAccountName instead and then check the Emit group name for cloud-only groups checkbox.
Careful! Please ensure that the Cloud-only group display names attribute contains the actual group display names. If not, you will need to update the source attribute with the relevant one that contains group display names.
- Click Advanced options to expand the dropdown menu:
- Check the Customize the name of the group claim box.
- For Name, enter memberOf. This is required if you want to retain group membership in Atlan.
- Click Save and close the popover by clicking X in the upper-right.
Download Azure AD's metadata file (in Azure AD)
To download Azure AD's metadata file, within the same Azure AD app's SAML-based Sign-on page:
- Within the SAML Signing Certificate card, to the right of Federation Metadata XML, click the Download link.
- Within the Set up <application> card, copy the Logout URL.
Assign users or groups to the app (in Azure AD)
To assign users or groups to the app, within the Azure AD application's page:
- Under Manage, click Users and groups.
- At the top of the table, click the Add user/group button.
- In the resulting Add Assignment dialog, under the Users or Groups heading, click the None Selected link.
- In the resulting Users or Groups dialog, search for users or groups to add and click to select them.
- When finished, at the bottom of the Users or Groups dialog, click the Select button.
- At the bottom of the Add Assignment dialog, click the Assign button.
Upload Azure AD's metadata file (in Atlan)
To complete the configuration of Azure AD SSO, within Atlan:
- From the left menu on any screen, navigate to Admin.
- Under the Workspace heading, click SSO.
- Under Choose SAML provider, select Azure AD and then click Configure.
- To the right of Identity provider metadata, click the Import from XML button.
- Select the XML file downloaded from Azure AD above.
- Under Single Logout Service URL, enter the logout URL copied from Azure AD above.
- At the bottom of the screen, click Save.
Congratulations, you have successfully set up Azure AD SSO in Atlan!
Did you know? By default, users can now log into Atlan with either Azure AD SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend asking your Azure AD administrator to provision access to users through the Azure portal and not directly from Atlan. When access has been provided, a user will be able to log into Atlan directly and their profile will be generated automatically.
(Optional) Configure group mappings
Careful! Before you can configure group mapping, you will first need to create groups in Atlan that correspond to the groups you want to map from Azure AD to Atlan. In addition, you must configure the memberOf attribute and group mapping to retain group membership in Atlan, irrespective of whether or not you enable SCIM.
To automatically assign Azure AD users to Atlan groups based on their Azure AD groups, within Atlan:
- From the left menu on any screen, navigate to Admin.
- Under the Workspace heading, click SSO.
- Change to the Groups Mapping tab.
- To the right of each Atlan group listed:
- Under the SSO Groups column, type the name of the corresponding group in Azure AD to map to the Atlan group on that row, for example, Data Engineering, Business Analysts, and so on. You will need to provide each Azure AD group with access to Atlan.
- Click the Save button on that row.
As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings!
Did you know? You can configure SCIM provisioning in Azure AD to manage your users and groups in Atlan. Plus, once you've configured group mapping, you can add the mapped groups to a persona or purpose to auto-assign relevant permissions to users as they sign up in Atlan.
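The claim names configured above (email, firstName, lastName, optional username, memberOf) and the group mappings only work if the assertion Azure AD actually sends matches them exactly. The following added example, not code from Atlan or Microsoft, parses the AttributeStatement of a SAML assertion and reports the mistakes this page warns about: a required claim that is missing, a claim whose Namespace was not removed, and a memberOf group that has no Atlan mapping. The assertion and the mapping table are constructed samples; a real Azure AD assertion is signed and larger, so run this against the decoded SAMLResponse captured by your SAML-tracer or test tool.

```python
"""Check a SAML assertion for the claim names and group mappings Atlan expects."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED_CLAIMS = {"email", "firstName", "lastName"}   # names set in Attributes & Claims
GROUP_CLAIM = "memberOf"                               # customised group claim name

# Constructed sample: the username claim still carries the default Azure AD
# namespace (a common mistake), and "Finance" has no mapping in Atlan.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username">
      <saml:AttributeValue>jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Data Engineering</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping table: Azure AD group display name -> Atlan group name.
SAMPLE_MAPPINGS = {"Data Engineering": "Data Engineering"}


def parse_attributes(assertion_xml: str) -> dict:
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def check_claims(attrs: dict, group_mappings: dict) -> list:
    """List configuration problems that would break login or group assignment."""
    problems = []
    for name in sorted(REQUIRED_CLAIMS - attrs.keys()):
        problems.append(f"missing required claim '{name}'")
    for name in attrs:
        if "/" in name:  # bare names are expected; a URI means Namespace was left set
            problems.append(f"claim '{name}' still carries a namespace")
    for group in attrs.get(GROUP_CLAIM, []):
        if group not in group_mappings:  # unmapped groups are not synced to Atlan
            problems.append(f"group '{group}' has no Atlan group mapping")
    return problems


if __name__ == "__main__":
    for problem in check_claims(parse_attributes(SAMPLE_ASSERTION), SAMPLE_MAPPINGS):
        print("PROBLEM:", problem)
```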