Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your Azure AD administrator to carry out the tasks below in Azure AD.
Careful! SSO group mappings are applied only the first time a user signs in to Atlan through SSO. Complete all of the configuration below, including any group mappings, before onboarding any users. Otherwise, you will need to remove those users and restart the process.
To integrate Azure AD SSO for Atlan, complete the following steps.
Choose SSO provider (in Atlan)
To choose Azure AD as your SSO provider, within Atlan:
- From the left menu on any screen, navigate to Admin.
- Under the Workspace heading, click SSO.
- Under Choose SAML provider, select Azure AD and then click Configure.
- Under Service provider metadata, copy the Identifier (Entity ID), the Reply URL values (Assertion Consumer Service URL), and the Logout URL. These are the values Azure AD must be told to trust and to post assertions to.
Set up SAML app (in Azure AD)
To set up a SAML app, within Azure's portal:
- From the menu on the left, open Azure Active Directory.
- Under Azure Active Directory | Overview click the Add button and then Enterprise application.
- Under Browse Azure AD Gallery, click the Create your own application button:
- For What's the name of your app? enter a name, such as Atlan.
- For What are you looking to do with your application? select Integrate any other application you don't find in the gallery (Non-gallery).
- At the bottom of the Create your own application dialog, click the Create button.
- Wait for the application details to be shown. This can take around 1 minute.
- Under Getting Started and within the Set up single sign on tile, click the Get started link.
- Under Select a single sign-on method click the SAML tile.
- In the upper-right of the Basic SAML Configuration card, click the Edit button and enter:
- For Identifier (Entity ID) click Add identifier and enter the value you copied from Atlan above.
- For Reply URL (Assertion Consumer Service URL), click Add reply URL (twice) and enter the two values you copied from Atlan above, exactly as copied. Tick Default for the longer URL.
- For Logout Url (Optional) enter the value you copied from Atlan above.
- At the top of the page, under Basic SAML Configuration, click the Save button.
- Close the Basic SAML Configuration dialog by clicking X in the upper-right.
- In the upper-right of the Attributes & Claims card, click the Edit button:
- Next, click + Add a group claim.
- In the popover, under Which groups associated with the user should be returned in the claim?, select Groups assigned to the application.
- From the Source attribute dropdown, select Cloud-only group display names (Preview).
- Click Advanced options to expand the dropdown menu:
- Check the Customize the name of the group claim box.
- For Name, enter memberOf.
- Click Save and close the popover by clicking X in the upper-right.
Download Azure AD's metadata file (in Azure AD)
To download Azure AD's metadata file, within the same Azure AD app's SAML-based Sign-on page:
- Within the SAML Signing Certificate card, to the right of Federation Metadata XML, click the Download link.
- Within the Set up <application> card, copy the Logout URL.
Assign users or groups to the app (in Azure AD)
To assign users or groups to the app, within the Azure AD application's page:
- Under Manage, click Users and groups.
- At the top of the table, click the Add user/group button.
- In the resulting Add Assignment dialog, under the Users or Groups heading, click the None Selected link.
- In the resulting Users or Groups dialog, search for users or groups to add and click to select them.
- When finished, at the bottom of the Users or Groups dialog, click the Select button.
- At the bottom of the Add Assignment dialog, click the Assign button.
Upload Azure AD's metadata file (in Atlan)
To complete the configuration of Azure AD SSO, within Atlan:
- From the left menu on any screen, navigate to Admin.
- Under the Workspace heading, click SSO.
- Under Choose SAML provider, select Azure AD and then click Configure.
- To the right of Identity provider metadata click the Import from XML button.
- Select the XML file downloaded from Azure AD above.
- Under Single Logout Service URL, enter the logout URL copied from Azure AD above.
- At the bottom of the screen, click Save.
Congratulations, you have successfully set up Azure AD SSO in Atlan!
Did you know? By default, users can now log into Atlan with either Azure AD SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend inviting users only through the SSO provider and not directly from Atlan.
(Optional) Configure group mappings
To automatically assign Azure AD users to Atlan groups based on their Azure AD groups, within Atlan:
- From the left menu on any screen, navigate to Admin.
- Under the Workspace heading, click SSO.
- Change to the Groups Mapping tab.
- To the right of each Atlan group listed:
- Under the SSO Groups column, enter the display name of the Azure AD group to map to the Atlan group on that row, exactly as Azure AD emits it in the memberOf claim configured above.
- Click the Save button on that row.
As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings.
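The mapping only works if three earlier choices line up: the group claim is named memberOf, its source attribute is the group display name rather than the default Group ID, and the name typed into the SSO Groups column matches that display name exactly. The example below is added here and is not Atlan's code; it builds constructed, unsigned SAML assertion fragments, pulls the group values out of the named claim, and applies an Atlan-group-to-Azure-AD-group mapping the way the Groups Mapping tab describes, then shows what happens when the claim keeps Azure AD's default name or carries object IDs instead of names. Exact, case-sensitive matching is an assumption of this example, and it deliberately skips signature validation, which Atlan performs using the certificate from the uploaded metadata before any claim is trusted.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name set under Advanced options > Customize the name of the group claim.
ATLAN_GROUP_CLAIM = "memberOf"
# Assumed: the claim name Azure AD uses when the name is NOT customized.
DEFAULT_AZURE_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Groups Mapping tab, as a dict of Atlan group -> Azure AD group display name
# (constructed sample rows).
MAPPING = {
    "Data Engineering": "Data Engineering",
    "Admins": "Atlan-Admins",
    "Analysts": "BI Analysts",
}


def build_assertion(claim_name: str, groups: list) -> str:
    """Constructed, unsigned assertion fragment carrying one group claim."""
    values = "".join(
        f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{claim_name}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml: str, claim_name: str = ATLAN_GROUP_CLAIM) -> list:
    """Return the values of the named group claim, or [] if it is absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        if attr.get("Name") == claim_name:
            return [v.text.strip()
                    for v in attr.findall("saml:AttributeValue", SAML) if v.text]
    return []


def map_groups(sso_groups, mapping: dict) -> set:
    """Atlan groups a user receives on first sign-in, given the claim values.

    Matching is exact (assumption): several Atlan rows may name the same
    Azure AD group, but a name that differs in case or spacing never matches.
    """
    azure_to_atlan = {}
    for atlan_group, sso_group in mapping.items():
        azure_to_atlan.setdefault(sso_group, set()).add(atlan_group)
    assigned = set()
    for g in sso_groups:
        assigned |= azure_to_atlan.get(g, set())
    return assigned


# Claim configured as this page describes: named memberOf, display names as values.
ASSERTION_OK = build_assertion(
    ATLAN_GROUP_CLAIM, ["Data Engineering", "BI Analysts", "Finance"])
# Claim name left at Azure AD's default: nothing is found under memberOf.
ASSERTION_DEFAULT_NAME = build_assertion(
    DEFAULT_AZURE_GROUP_CLAIM, ["Data Engineering"])
# Source attribute left at Group ID: values are object IDs, so no name matches.
ASSERTION_OBJECT_IDS = build_assertion(
    ATLAN_GROUP_CLAIM, ["11111111-2222-3333-4444-555555555555"])

if __name__ == "__main__":
    for label, xml in [("configured", ASSERTION_OK),
                       ("default claim name", ASSERTION_DEFAULT_NAME),
                       ("group IDs", ASSERTION_OBJECT_IDS)]:
        groups = extract_groups(xml)
        print(f"{label}: claim values {groups} -> Atlan groups {map_groups(groups, MAPPING)}")
```

"Finance" is dropped because no Atlan row maps to it, and the last two cases yield no Atlan groups at all, which is exactly what an unmapped first sign-in looks like; since mappings only apply at that first sign-in, the cheapest way to catch this is to sign in with one test account and check its groups before inviting anyone else.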