You can automate the process of provisioning and deprovisioning your Azure Active Directory (AD) users and groups in Atlan with System for Cross-domain Identity Management (SCIM).
To enable Azure AD for SCIM provisioning, complete the following steps.
Prerequisites
- Azure AD SSO must be enabled for Atlan.
- Azure AD users or groups must be assigned to Atlan.
- Group mapping must be configured. This is only required if you are syncing mapped groups from Azure AD to Atlan: any new group created in Azure AD must first be mapped in Atlan before it can be synced through SCIM provisioning.
Retrieve SCIM token in Atlan
You will need to generate a SCIM token in Atlan for authentication in Azure AD. Treat the token like a password: it is a bearer credential that lets whoever holds it create, update and deactivate users and groups in your Atlan tenant.
To retrieve the SCIM token, within Atlan:
- From the left menu on any screen, click Admin.
- Under the Workspace heading, click SSO.
- On the Single Sign on page for Azure AD, under Overview, navigate to Automate Provisioning with SCIM and toggle it on.
- Under SCIM token, click the + Generate token button to create a SCIM token.
- In the SCIM token generated dialog, click the Copy button to copy the SCIM token and store it in a secure location.
Enable SCIM provisioning in Azure AD
You can enable SCIM provisioning in Azure AD to automatically sync your users and groups to Atlan.
Configure SCIM provisioning in Azure AD
To configure SCIM provisioning, within Azure AD:
- Log in to your Azure portal and search for and select Azure Active Directory.
- From the left menu under Manage, select Enterprise applications.
- From the All applications page, select the SAML application you created to configure SSO in Atlan.
- In the left menu of your application page, under Manage, click Provisioning.
- From the Provisioning mode dropdown, click Automatic.
- Under Admin credentials, enter the following details:
- For Tenant URL, enter your Atlan tenant URL in the following format: https://<your-tenant-dns>/api/service/scim
- For Secret Token, enter the SCIM token you copied in Atlan.
- Click the Test connection button to confirm connectivity to Atlan.
- When successful, in the top right, click Save to save the configuration.
- In the Mappings section, verify that Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled. Under Mappings:
- Click Provision Azure Active Directory Groups, and under Attribute Mappings, define the following mappings from Azure AD on the left to Atlan on the right:
  - displayName → displayName (note that this attribute is currently unsupported in Atlan)
  - objectId → externalId
  - members → members
- Click Provision Azure Active Directory Users, and under Attribute Mappings, define the following mappings from Azure AD on the left to Atlan on the right:
  - mailNickname → userName (if userName is not mapped, the default username will be the UserPrincipalName (UPN))
  - Switch([IsSoftDeleted], , "False", "True", "True", "False") → active
  - displayName → displayName
  - mail → emails[type eq "work"].value
  - givenName → name.givenName
  - surname → name.familyName
  - objectId → externalId
- To save any changes, click Save.
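The attribute mappings above are what Azure AD evaluates when it builds each SCIM request to Atlan. The following Python is an added example, not Atlan's or Microsoft's code: it models those mappings (including the Switch expression that drives active), checks for changes to the attributes this page says cannot change after provisioning (username and email), and assembles a request to the tenant SCIM endpoint with the token as a bearer credential, refusing a non-HTTPS tenant URL. SAMPLE_USER, SAMPLE_GROUP, the tenant host and the token are constructed placeholders; the fallback from an empty mailNickname to the UPN is a modelling assumption, not documented Azure AD behaviour.

```python
"""Added example (not Atlan or Microsoft code): build the SCIM 2.0 requests
Azure AD produces under the attribute mappings above, and check the
constraints the page warns about.  SAMPLE_USER / SAMPLE_GROUP are constructed
test data; the tenant host and token are placeholders."""
from urllib.parse import urlparse

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
IMMUTABLE_AFTER_PROVISIONING = ("userName", "emails")  # per the note on this page

# Constructed sample directory objects, keyed by the Azure AD attribute names
# used in the mappings above.
SAMPLE_USER = {
    "objectId": "1b2c3d4e-0000-4000-8000-000000000001",
    "userPrincipalName": "jdoe@contoso.example",
    "mailNickname": "jdoe",
    "mail": "jane.doe@contoso.example",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "surname": "Doe",
    "IsSoftDeleted": "False",
}
SAMPLE_GROUP = {
    "objectId": "9f8e7d6c-0000-4000-8000-000000000002",
    "displayName": "data-stewards",
    # Azure AD refers to members by the SCIM id the target assigned to each user.
    "members": ["atlan-user-id-0001", "atlan-user-id-0002"],
}


def switch_is_soft_deleted(value):
    """Evaluate Switch([IsSoftDeleted], , "False", "True", "True", "False").

    A soft-deleted directory object ("True") maps to active "False" and vice
    versa.  The default value in the expression is empty, so any other input
    yields no value and the active attribute is left unset."""
    cases = {"False": "True", "True": "False"}
    return cases.get(value)  # None when no case matches (empty default)


def to_scim_user(user):
    """Shape the SCIM User resource under the user attribute mappings above."""
    payload = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": user["objectId"],
        # mailNickname -> userName.  The page notes that an unmapped userName
        # defaults to the UPN; falling back to the UPN for an empty
        # mailNickname is this example's assumption, so a userName is always set.
        "userName": user.get("mailNickname") or user["userPrincipalName"],
        "displayName": user["displayName"],
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
        "emails": [{"type": "work", "value": user["mail"]}],
    }
    active = switch_is_soft_deleted(user.get("IsSoftDeleted"))
    if active is not None:
        payload["active"] = active == "True"  # SCIM active is a boolean
    return payload


def to_scim_group(group):
    """Shape the SCIM Group resource under the group attribute mappings above."""
    return {
        "schemas": [SCIM_GROUP_SCHEMA],
        "externalId": group["objectId"],
        "displayName": group["displayName"],  # mapped, but not yet supported by Atlan
        "members": [{"value": member_id} for member_id in group["members"]],
    }


def immutable_attribute_changes(existing, incoming):
    """Return the attributes an update would change although the page says
    they cannot change once a user is provisioned (userName, emails).
    Useful for spotting drift before a provisioning cycle starts failing."""
    return [a for a in IMMUTABLE_AFTER_PROVISIONING if existing.get(a) != incoming.get(a)]


def scim_request(tenant_url, scim_token, path):
    """Build (url, headers) for a call to Atlan's SCIM endpoint, such as a
    GET /Users connectivity check.  Refuses a non-HTTPS tenant URL: the SCIM
    token is a bearer credential and must never travel in the clear."""
    parsed = urlparse(tenant_url)
    if parsed.scheme != "https":
        raise ValueError("Tenant URL must use https; the SCIM token is a bearer secret")
    if not parsed.path.rstrip("/").endswith("/api/service/scim"):
        raise ValueError("Tenant URL must end in /api/service/scim")
    url = tenant_url.rstrip("/") + "/" + path.lstrip("/")
    headers = {
        "Authorization": f"Bearer {scim_token}",  # how Azure AD presents the Secret Token
        "Accept": "application/scim+json",        # SCIM media type (RFC 7644)
    }
    return url, headers


if __name__ == "__main__":
    import json
    print(json.dumps(to_scim_user(SAMPLE_USER), indent=2))
    print(json.dumps(to_scim_group(SAMPLE_GROUP), indent=2))
    print(scim_request("https://tenant.example.atlan.com/api/service/scim", "<token>", "/Users"))
```

Run it to see the exact User and Group documents Azure AD will send for the mappings, and compare a re-provisioned user against the record already in Atlan with immutable_attribute_changes before enabling the provisioning cycle.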
Provision users and groups
After you have enabled SCIM provisioning and assigned users and groups to Atlan in Azure AD, you can provision them to Atlan. Azure AD offers two ways to provision users and groups: the scheduled provisioning cycle and on-demand provisioning.
Note the following:
- The username and email address of new and existing users cannot be changed once users have been provisioned to Atlan.
- If you provision users that already exist in Atlan, ensure that their Azure AD identity attributes (username and email address) match the existing user record in Atlan for provisioning to succeed.
To provision users and groups, within Azure AD:
- Log in to your Azure portal and search for and select Azure Active Directory.
- From the left menu under Manage, select Enterprise applications.
- From the All applications page, select the SAML application you created to configure SSO in Atlan.
- In the left menu of your application page, under Manage, click Provisioning and select a provisioning method:
- To enable provisioning cycle, in the upper left of the Overview page, click Start provisioning and toggle the Provisioning Status to On.
- To enable on-demand provisioning, from the left menu, click Provision on demand. To provision users or groups on demand:
- For Select a user or group, search for and select a user or group.
- At the bottom of the screen, click Provision. Repeat the steps for every user or group you want to provision.
Once you have enabled SCIM provisioning, Azure AD automatically provisions and updates user accounts in Atlan. The provisioning cycle typically runs every 40 minutes, so it may take up to 40 minutes for a change to be reflected in Atlan.