How to enable SAML 2.0 for SSO

🤓 Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your SAML 2.0 administrator to carry out the tasks below in your custom IdP.
🚨 Careful! SSO group mappings are triggered every time a user authenticates in Atlan. A user may need to log out and then log into Atlan again to view the changes. If a user is added to a new group or removed from an existing one in SAML 2.0, the updates will also be reflected in Atlan. To ensure that the sync is successful, the groups that the user belongs to should be mapped in Atlan, and if a group name has changed in SAML 2.0, you will need to update the group name in Atlan as well. For any questions about group mapping sync, head over here.

To integrate SAML 2.0 SSO for Atlan, complete the following steps.

Choose SSO provider (in Atlan)

To choose SAML 2.0 as your SSO provider, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select SAML 2.0 and then click Configure.
  4. For Alias, type in an alias for the SAML 2.0 connection and then click Next.
  5. Under Service provider metadata, copy the Atlan SAML Assertion URL and Atlan Audience URI (SP Entity ID).

Set up SAML app (in custom IdP)

To set up a SAML app within your custom IdP:

  1. Create a new SAML application in your IdP with the name Atlan.
  2. For Entity/Issuer ID, enter the Atlan Audience URI (SP Entity ID) value you copied from above.
  3. For Assertion Consumer Service (ACS) URL, enter the Atlan SAML Assertion URL value you copied from above.
  4. Add the required users and groups to the application.
  5. Configure the IdP to return the following attributes in the SAML response:
    1. firstName
    2. lastName
    3. email
    4. memberOf (listing the user's group memberships, which will be required for group mapping in Atlan)
  6. Save the SAML metadata XML file for the SSO URL and X.509 public certificate file of the IdP.
    🚨 Careful! The SSO URL must be accessible from Atlan via an internet connection.

Configure IdP details (in Atlan)

To complete the configuration of SAML 2.0 SSO, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select SAML 2.0 and then click Configure.
  4. For Alias, type in an alias for the SAML 2.0 connection and then click Next.
  5. To the right of Identity provider metadata, click the Import from XML button.
  6. Select the XML file saved from the IdP above.
  7. For Attribute Mapper, modify the IdP attribute names for email, first name, and last name if these will be different in the IdP SAML response.
  8. (Optional) For Customize, under Sign in button text, type any custom message you'd like your users to see on the Atlan login screen. 
  9. At the bottom of the screen, click Save.

Congratulations — you have successfully set up SSO for your custom IdP in Atlan! 🎉

💪 Did you know? By default, users can now log into Atlan with either SAML 2.0 SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend asking your SAML 2.0 administrator to provision access to users through your custom IdP and not directly from Atlan. When access has been provided, a user will be able to log into Atlan directly and their profile will be generated automatically.

(Optional) Configure group mappings

🚨 Careful! Before you can configure group mapping, you will first need to create groups in Atlan that correspond to the groups you want to map from your custom IdP to Atlan. In addition, you must configure the memberOf attribute and group mapping to retain group membership in Atlan.

To automatically assign SSO users to Atlan groups based on their custom IdP groups, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Change to the Groups Mapping tab.
  4. To the right of each Atlan group listed:
    1. Under the SSO Groups column, type the name of the corresponding group in your custom IdP to map to the Atlan group on that row — for example, Data Engineering, Business Analysts, and so on. You will need to provide each custom IdP group with access to Atlan.
    2. Click the Save button on that row.

As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings! 🎉

💪 Did you know? Once you've configured group mapping, you can add the mapped groups to a persona or purpose to auto-assign relevant permissions to users as they sign up in Atlan.

Related articles

Was this article helpful?
0 out of 0 found this helpful