How to enable SAML 2.0 for SSO

🤓 Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your SAML 2.0 administrator to carry out the tasks below in your custom IdP.
🚨 Careful! SSO group mappings only trigger when a user first signs up. Please ensure you do all the configuration before onboarding any of the users. Otherwise, you will need to remove all the users and restart the process.

To integrate SAML 2.0 SSO for Atlan, complete the following steps.

Choose SSO provider (in Atlan)

To choose SAML 2.0 as your SSO provider, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select SAML 2.0 and then click Configure.
  4. For Alias, type in an alias for the SAML 2.0 connection and then click Next.
  5. Under Service provider metadata, copy the Atlan SAML Assertion URL and Atlan Audience URI (SP Entity ID).

Set up SAML app (in custom IdP)

To set up a SAML app within your custom IdP:

  1. Create a new SAML application in your IdP with the name Atlan.
  2. For Entity/Issuer ID, enter the Atlan Audience URI (SP Entity ID) value you copied from above.
  3. For Assertion Consumer Service (ACS) URL, enter the Atlan SAML Assertion URL value you copied from above.
  4. Add the required users and groups to the application.
  5. Configure the IdP to return the following attributes in the SAML response:
    1. firstName
    2. lastName
    3. email
    4. memberOf (listing the user's group memberships, which will be required for group mapping in Atlan)
  6. Save the SAML metadata XML file for the SSO URL and X.509 public certificate file of the IdP.
    🚨 Careful! The SSO URL must be accessible from Atlan via an internet connection.

Configure IdP details (in Atlan)

To complete the configuration of SAML 2.0 SSO, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select SAML 2.0 and then click Configure.
  4. For Alias, type in an alias for the SAML 2.0 connection and then click Next.
  5. To the right of Identity provider metadata, click the Import from XML button.
  6. Select the XML file saved from the IdP above.
  7. For Attribute Mapper, modify the IdP attribute names for email, first name, and last name if these will be different in the IdP SAML response.
  8. (Optional) For Customize, under Sign in button text, type any custom message you'd like your users to see on the Atlan login screen. 
  9. At the bottom of the screen, click Save.

Congratulations — you have successfully set up SSO for your custom IdP in Atlan! 🎉

💪 Did you know? By default, users can now log into Atlan with either SAML 2.0 SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend inviting users only through the SSO provider and not directly from Atlan.

(Optional) Configure group mappings

To automatically assign SSO users to Atlan groups based on their custom IdP groups, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Change to the Groups Mapping tab.
  4. To the right of each Atlan group listed:
    1. Under the SSO Groups column, enter the name of the group in your custom IdP to map to the Atlan group on that row.
    2. Click the Save button on that row.

As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings! 🎉