How to enable OneLogin for SSO

🤓 Who can do this? You will need to be an admin user within Atlan to configure SSO. You will also need to work with your OneLogin administrator to carry out the tasks below in OneLogin.
🚨 Careful! SSO group mappings are triggered every time a user authenticates in Atlan. A user may need to log out and then log into Atlan again to view the changes. If a user is added to a new group or removed from an existing one in OneLogin, the updates will also be reflected in Atlan. To ensure that the sync is successful, the groups that the user belongs to should be mapped in Atlan, and if a group name has changed in OneLogin, you will need to update the group name in Atlan as well. For any questions about group mapping sync, head over here.

To integrate OneLogin SSO for Atlan, complete the following steps.

Choose SSO provider (in Atlan)

To choose OneLogin as your SSO provider, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select OneLogin and then click Configure.
  4. Under Service provider metadata, copy the Audience (EntityID), Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL.

Set up SAML application (in OneLogin)

To set up a SAML application, within OneLogin admin console:

  1. From the menu along the top, navigate to Applications and then click on Applications.
  2. In the upper right, click the Add App button.
  3. In the search box, enter saml custom and then click SAML Custom Connector (Advanced).
  4. Under Display Name, enter a name for your app, such as Atlan, and then click the Save button.
  5. Change to the Configuration tab and under Application details enter your Atlan SAML settings:
    1. For Audience (EntityID) enter the value you copied from Atlan above.
    2. For Recipient enter the value you copied from Atlan above.
    3. For ACS (Consumer) URL Validator enter the value you copied from Atlan above.
    4. For ACS (Consumer) URL enter the value you copied from Atlan above.
    5. For Login URL enter the same value used for the fields above.
  6. Change to the SSO tab and change the following:
    1. For SAML Signature Algorithm set SHA-512.
    2. Under Login Hint ensure Enable login hint is checked.
  7. Change to the Parameters tab and use the circular + icon to add mappings for the following:
    1. email —> Email
    2. firstName —> First Name
    3. lastName —> Last Name
  8. In the upper right, click the Save button.

Download OneLogin's metadata file (in OneLogin)

To download the metadata file for the application, within OneLogin:

  • From the application page, in the upper right navigate to More Actions and click SAML Metadata.

(Optional) Map groups to the app (in OneLogin)

To map OneLogin groups to the app, within the OneLogin application:

  1. In the top left, click the Users tab, and from the dropdown, select Mappings.
  2. Under Mappings, click New Mapping to create a new group mapping for Atlan.
  3. In the New Mapping dialog, enter the following details:
    1. For Name, enter a meaningful name for your group mapping — for example, SSOGroupA.
    2. Under Conditions, click the + button and enter the following details:
      1. From the attributes dropdown, select Group to map all your OneLogin groups to Atlan. 
      2. From the operators dropdown, select is.
      3. From the values dropdown, select the group name.
    3. Under Actions, enter the following details:
      1. From the Set role dropdown, select Set memberOf. This is required if you want to retain group membership in Atlan.
      2. From the Set memberOf to dropdown, enter the group name.
    4. Click Save to confirm your selections.
  4. Under Mappings, click New Mapping again to create a second mapping that clears group membership for users who do not belong to any group.
  5. In the New Mapping dialog, enter the following details:
    1. For Name, enter a meaningful name for your group mapping — for example, clearMemberOf.
    2. Under Conditions, click the + button and enter the following details:
      1. From the attributes dropdown, select Group. 
      2. From the operators dropdown, select is.
      3. From the values dropdown, keep the default selection None.
    3. Under Actions, enter the following details:
      1. From the Set role dropdown, select Set memberOf.
      2. For the Set memberOf to dropdown, leave the field blank.
    4. Click Save to confirm your selections.
  6. Under Mappings, click the Reapply All Mappings tab, and in the corresponding screen, click Continue to confirm.
  7. In the top left, click the Applications tab, and from the dropdown, click Applications.
  8. Under Applications, select your SAML application.
  9. From the left menu of SAML Custom Connector (Advanced), click Parameters.
  10. In the upper right of the parameters page, click the + button to add a new parameter.
  11. In the New Field dialog, enter the following details:
    1. For Field name, enter memberOf.
    2. For Flags, check the Include in SAML assertion box.
    3. Click Save to proceed to the next step.
    4. In the corresponding Edit Field memberOf dialog, from the Value dropdown, select MemberOf.
    5. Click Save to confirm your selections.

If any of your OneLogin users do not belong to any groups, you can either add them to an existing group or create a new one. Once you have configured group mapping in Atlan, they will be able to log in to Atlan and will be assigned the same permissions as their OneLogin group.

Upload OneLogin's metadata file (in Atlan)

To complete the configuration of OneLogin SSO, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Under Choose SAML provider, select OneLogin and then click Configure.
  4. To the right of Identity provider metadata click the Import from XML button.
  5. Select the onelogin_metadata_1234567.xml file downloaded from OneLogin above.
  6. At the bottom of the screen, click Save.

Congratulations — you have successfully set up OneLogin SSO in Atlan! 🎉
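
An added example, not part of Atlan's or OneLogin's documentation: a Python lint that checks a decoded SAML assertion captured from your own test login against the settings configured above (SHA-512 signature algorithm, Audience, Recipient, the email, firstName and lastName parameters, and memberOf). The function name, the sample assertion and the sp.example URLs are constructed placeholders, and an RSA signing key is assumed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: RSA signing key, so SHA-512 shows up as the rsa-sha512 URI.
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
REQUIRED = {"email", "firstName", "lastName"}  # Parameters tab mappings

# Constructed sample with placeholder URLs: SHA-1 signature method, no lastName/memberOf.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://sp.example/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def lint_assertion(xml_text, audience, recipient, expect_groups=False):
    """List configuration mismatches. Does NOT verify the signature itself."""
    root = ET.fromstring(xml_text)
    problems = []
    algs = {m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)}
    if not algs:
        problems.append("no signature found")
    elif algs != {RSA_SHA512}:
        problems.append(f"signature algorithm is not SHA-512: {sorted(algs)}")
    auds = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if audience not in auds:
        problems.append(f"Audience (EntityID) mismatch: {sorted(auds)}")
    recips = {d.get("Recipient", "") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if recips != {recipient}:
        problems.append(f"Recipient mismatch: {sorted(recips)}")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS) if v.text]
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems += [f"missing attribute: {n}" for n in sorted(REQUIRED - set(attrs))]
    if expect_groups and not attrs.get("memberOf"):
        problems.append("memberOf missing or empty")
    return problems
```

Pass the Audience (EntityID) and Recipient values copied from Atlan as `audience` and `recipient`, and set `expect_groups=True` only if you configured the optional memberOf parameter.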

💪 Did you know? By default, users can now log into Atlan with either OneLogin SSO or a local Atlan account (via email). To only allow logins via SSO, enable the Enforce SSO option in Atlan. Once SSO is enforced, we recommend asking your OneLogin administrator to provision access to users through OneLogin and not directly from Atlan. When access has been provided, a user will be able to log into Atlan directly and their profile will be generated automatically.

(Optional) Configure group mappings

🚨 Careful! Before you can configure group mapping, you will first need to create groups in Atlan that correspond to the groups you want to map from OneLogin to Atlan. In addition, you must configure the memberOf attribute and group mapping to retain group membership in Atlan.

To automatically assign OneLogin users to Atlan groups based on their OneLogin groups, within Atlan:

  1. From the left menu on any screen, navigate to Admin.
  2. Under the Workspace heading, click SSO.
  3. Change to the Groups Mapping tab.
  4. To the right of each Atlan group listed:
    1. Under the SSO Groups column, type the name of the corresponding group in OneLogin to map to the Atlan group on that row — for example, Data Engineering, Business Analysts, and so on. You will need to provide each OneLogin group with access to Atlan.
    2. Click the Save button on that row.

As each user signs up to Atlan, they will be automatically assigned groups in Atlan based on these mappings! 🎉

💪 Did you know? Once you've configured group mapping, you can add the mapped groups to a persona or purpose to auto-assign relevant permissions to users as they sign up in Atlan.
