You can automate the process of provisioning and deprovisioning your Azure Active Directory (AD) users and groups in Atlan with System for Cross-domain Identity Management (SCIM).
To enable Azure AD for SCIM provisioning, complete the following steps.
Prerequisites
Retrieve SCIM token in Atlan
You will need to generate a SCIM token in Atlan for authentication in Azure AD.
To retrieve the SCIM token, within Atlan:
- From the left menu on any screen, click Admin.
- Under the Workspace heading, click SSO.
- On the Single Sign on page for Azure AD, under Overview, navigate to Automate Provisioning with SCIM and toggle it on.
- Under SCIM token, click the + Generate token button to create a SCIM token.
- In the SCIM token generated dialog, click the Copy button to copy the SCIM token and store it in a secure location.
Enable SCIM provisioning in Azure AD
You can enable SCIM provisioning in Azure AD to automatically sync your users and groups to Atlan.
Configure SCIM provisioning in Azure AD
To configure SCIM provisioning, within Azure AD:
- Log in to your Azure portal and search for and select Azure Active Directory.
- From the left menu under Manage, select Enterprise applications.
- From the All applications page, select the SAML application you created to configure SSO in Atlan.
- In the left menu of your application page, under Manage, click Provisioning.
- From the Provisioning mode dropdown, click Automatic.
- Under Admin credentials, enter the following details:
  - For Tenant URL, enter your Atlan tenant URL in the following format: https://<your-tenant-dns>/api/service/scim
  - For Secret Token, enter the SCIM token you copied in Atlan.
  - Click the Test connection button to confirm connectivity to Atlan.
- When successful, in the top right, click Save to save the configuration.
- In the Mappings section, verify that Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled. Under Mappings:
  - Click Provision Azure Active Directory Groups, and under Attribute Mappings, define the following mappings from Azure AD on the left to Atlan on the right:
    - displayName → displayName
    - objectId → externalId
    - members → members
  - Click Provision Azure Active Directory Users, and under Attribute Mappings, define the following mappings from Azure AD on the left to Atlan on the right:
    - mailNickname → userName
    - Switch([IsSoftDeleted], , "False", "True", "True", "False") → active
    - displayName → displayName
    - mail → emails[type eq "work"].value
    - givenName → name.givenName
    - surname → name.familyName
    - objectId → externalId
  - To save any changes, click Save.
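To review what Atlan receives once the user mappings above are applied, this added example (not code from Atlan or Microsoft) builds the SCIM 2.0 user resource from a constructed Azure AD record and shows that a soft-deleted user arrives with active set to false. The helper names, the sample values and the choice to emit active as a boolean are assumptions.

```python
import re

def switch(source, default, *pairs):
    """Azure AD Switch(): value paired with the key equal to source, else default."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def active_flag(aad_user):
    # Switch([IsSoftDeleted], , "False", "True", "True", "False") from the page.
    result = switch(str(aad_user["IsSoftDeleted"]), "", "False", "True", "True", "False")
    return result == "True"  # assumption: emitted as a boolean, as SCIM defines active

# User mappings from the page: Azure AD source (left) -> SCIM target path (right).
USER_MAPPINGS = [
    ("mailNickname", "userName"), (active_flag, "active"),
    ("displayName", "displayName"), ("mail", 'emails[type eq "work"].value'),
    ("givenName", "name.givenName"), ("surname", "name.familyName"),
    ("objectId", "externalId"),
]
FILTERED = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

def set_path(resource, path, value):
    """Write value at a SCIM attribute path: simple, dotted, or filtered multi-valued."""
    match = FILTERED.match(path)
    if match:  # e.g. emails[type eq "work"].value
        attr, key, wanted, sub = match.groups()
        items = resource.setdefault(attr, [])
        item = next((i for i in items if i.get(key) == wanted), None)
        if item is None:
            item = {key: wanted}
            items.append(item)
        item[sub] = value
    elif "." in path:  # e.g. name.givenName
        parent, child = path.split(".", 1)
        resource.setdefault(parent, {})[child] = value
    else:
        resource[path] = value

def to_scim_user(aad_user):
    resource = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for source, target in USER_MAPPINGS:
        value = source(aad_user) if callable(source) else aad_user.get(source)
        if value is not None:  # unset source attributes are left out of the resource
            set_path(resource, target, value)
    return resource

# Constructed sample record, not real directory data.
SAMPLE_USER = {"mailNickname": "jdoe", "IsSoftDeleted": False, "displayName": "Jane Doe",
               "mail": "jdoe@example.com", "givenName": "Jane", "surname": "Doe",
               "objectId": "00000000-0000-0000-0000-000000000001"}
```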
Provision users and groups
After you have enabled SCIM provisioning and assigned users and groups to Atlan in Azure AD, you can provision them to Atlan. In Azure AD, users and groups can be provisioned in two ways: provisioning cycle and on-demand provisioning.
To provision users and groups, within Azure AD:
- Log in to your Azure portal and search for and select Azure Active Directory.
- From the left menu under Manage, select Enterprise applications.
- From the All applications page, select the SAML application you created to configure SSO in Atlan.
- In the left menu of your application page, under Manage, click Provisioning and select a provisioning method:
  - To enable provisioning cycle, in the upper left of the Overview page, click Start provisioning and toggle the Provisioning Status to On.
  - To enable on-demand provisioning, from the left menu, click Provision on demand. To provision users or groups on demand:
    - For Select a user or group, search for and select a user or group.
    - At the bottom of the screen, click Provision. Repeat the steps for every user or group you want to provision.