How to enable Azure AD for SSO

πŸ€“ Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your Azure AD administrator to carry out the tasks below in Azure AD.
🚨 Careful! SSO group mappings are triggered every time a user authenticates in Atlan. A user may need to log out and then log into Atlan again to view the changes. If a user is added to a new group or removed from an existing one in Azure AD, the updates will also be reflected in Atlan. To ensure that the sync is successful, the groups that the user belongs to should be mapped in Atlan, and if a group name has changed in Azure AD, you will need to update the group name in Atlan as well. For any questions about group mapping sync, head over here.

To integrate Azure AD SSO for Atlan, complete the following steps.

Choose SSO provider (in Atlan)

To choose Azure AD as your SSO provider, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select Azure AD and then click Configure.
  4. Under Service provider metadata, copy the Identifier (Entity ID), Reply URL (Assert Consumer Service URL), and Logout Url.

Set up SAML app (in Azure AD)

To set up a SAML app, within Azure's portal:

  1. From the menu on the left, open Azure Active Directory.
  2. Under Azure Active Directory | Overview click the Add button and then Enterprise application.
  3. Under Browser Azure AD Gallery click the Create your own application button:
    1. For What's the name of your app? enter a name, such as Atlan.
    2. For What are you looking to do with your application? select Integrate any other application you don't find in the gallery (Non-gallery).
    3. At the bottom of the Create your own application dialog, click the Create button.
  4. Wait for the application details to be shown β€” this can take around 1 minute.
  5. Under Getting Started and within the Set up single sign on tile, click the Get started link.
  6. Under Select a single sign-on method click the SAML tile.
  7. In the upper-right of the Basic SAML Configuration card, click the Edit button and enter:
    1. For Identifier (Entity ID) click Add identifier and enter the value you copied from Atlan above.
    2. For Reply URL (Assertion Consumer Service URL) click Add reply URL (twice) and enter the two values you copied from Atlan above. The longer URL should be enabled under the Default column.
    3. For Logout Url (Optional) enter the value you copied from Atlan above.
  8. At the top of the page, under Basic SAML Configuration, click the Save button.
  9. Close the Basic SAML Configuration dialog by clicking X in the upper-right.
  10. In the upper-right of the Attributes & Claims card, click the Edit button:
    1. Navigate to the Additional claims section, click each of the following claims to modify their Name exactly as suggested below and remove the Namespace value:
      1. email β€”> user.mail
      2. firstName β€”> user.givenname
      3. lastName β€”> user.surname
      4. (Optional) username β€”> ExtractMailPrefix(user.mail)
        πŸ’ͺ Did you know? For users assigned to Atlan through SSO, the username will be populated from the username mapping. Otherwise, the username will be the email prefix by default, which users can update while registering on Atlan for the first time.
    2. To configure group claims: 
      1. From the options along the top, click + Add a group claim.
      2. In the popover, under Which groups associated with the user should be returned in the claim?, select Groups assigned to the application.
      3. From the Source attribute dropdown, select Cloud-only group display names (Preview). If you have a hybrid setup, select sAMAccountName instead and then check the Emit group name for cloud-only groups checkbox.
        🚨 Careful! Please ensure that the Cloud-only group display names attribute contains the actual group display names. If not, you will need to update the source attribute with the relevant one that contains group display names.
      4. Click Advanced options to expand the dropdown menu:
        1. Check the Customize the name of the group claim box.
        2. For Name, enter memberOf.
      5. Click Save and close the popover by clicking X in the upper-right.

Download Azure AD's metadata file (in Azure AD)

To download Azure AD's metadata file, within the same Azure AD app's SAML-based Sign-on page:

  1. Within the SAML Signing Certificate card, to the right of Federation Metadata XML, click the Download link.
  2. Within the Set up <application> card, copy the Logout URL.

Assign users or groups to the app (in Azure AD)

To assign users or groups to the app, within the Azure AD application's page:

  1. Under Manage, click Users and groups.
  2. At the top of the table, click the Add user/group button.
  3. In the resulting Add Assignment dialog, under the Users or Groups heading, click the None Selected link.
  4. In the resulting Users or Groups dialog, search for users or groups to add and click to select them.
  5. When finished, at the bottom of the Users or Groups dialog, click the Select button.
  6. At the bottom of the Add Assignment dialog, click the Assign button.

Upload Azure AD's metadata file (in Atlan)

To complete the configuration of Azure AD SSO, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select Azure AD and then click Configure.
  4. To the right of Identity provider metadata click the Import from XML button.
  5. Select the XML file downloaded from Azure AD above.
  6. Under Single Logout Service URL, enter the logout URL copied from Azure AD above.
  7. At the bottom of the screen, click Save.

Congratulations β€” you have successfully set up Azure AD SSO in Atlan! πŸŽ‰

πŸ’ͺ Did you know? By default, users can now log into Atlan with either Azure AD SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend asking your Azure AD administrator to provision access to users through the Azure portal and not directly from Atlan. When access has been provided, a user will be able to log into Atlan directly and their profile will be generated automatically.

(Optional) Configure group mappings

🚨 Careful! Before you can configure group mapping, you will first need to create groups in Atlan that correspond to the groups you want to map from Azure AD to Atlan.

To automatically assign Azure AD users to Atlan groups based on their Azure AD groups, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Change to the Groups Mapping tab.
  4. To the right of each Atlan group listed:
    1. Under the SSO Groups column, type the name of the corresponding group in Azure AD to map to the Atlan group on that row β€” for example, Data Engineering, Business Analysts, and so on. You will need to provide each Azure AD group with access to Atlan.
    2. Click the Save button on that row.

As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings! πŸŽ‰

πŸ’ͺ Did you know? You can configure SCIM provisioning in Azure AD to manage your users and groups in Atlan. Plus, once you've configured group mapping, you can add the mapped groups to a persona or purpose to auto-assign relevant permissions to users as they sign up in Atlan.

Related articles

Was this article helpful?
1 out of 1 found this helpful