Atlan currently supports SCIM provisioning for the following SSO providers:
What information does Atlan sync from SSO providers?
Atlan syncs the user's first name, last name, username, email ID, group information, and user status through group mapping. The username and email ID are only synced once when the user is provisioned in Atlan for the first time.
Can I change the username of a provisioned user in Atlan?
No, once you have integrated SCIM in Atlan, the usernames of provisioned users will be dependent on your SCIM provider. For example, if a username has changed due to an automation at source or in the case of a migration from one provider to another, you will not be able to update usernames in Atlan.
Usernames in Atlan are of a permanent nature. Atlan uses usernames as a unique identifier across the platform and does not support making any changes to them. Ensure that your username in the SCIM provider matches that in Atlan.
What will happen if an SSO or Atlan group is renamed?
If SCIM provisioning is enabled and an SSO group that is mapped to Atlan is renamed, changes will sync automatically. Renaming an Atlan group does not affect SCIM functionality.
What happens if an SSO group is deleted?
If an SSO group is deleted in the SSO provider, then the group mapping will also be deleted in Atlan. The corresponding group in Atlan will remain active, but all the users will be removed from that group.
However, if you would like to retain the group membership for your users in Atlan, you can first delete the group mapping in Atlan and then delete your SSO group in the SSO provider.
What happens if a user is deleted from the SSO provider?
If users are removed from your SSO provider, then the same users will also be deactivated in Atlan. Their status will be displayed as Disabled. To permanently delete them from Atlan, you can remove the users and transfer ownership of assets.
What happens if a username already exists in Atlan?
If a user with the username user.name and email address xyz@example.com already exists in Atlan and another user with the same username user.name but different email address abc@example.com is to be added via SSO, it will create a conflict in Atlan. The existing user will remain in Atlan while the new SSO user will not be synced.
When does the SCIM token expire?
The SCIM token does not expire by default and can only be revoked if deleted.
Can user removal affect the SCIM tokens that user created?
Yes, user removal will also result in the deletion of any SCIM tokens created by that user. To learn more about the impact of user removal, see Troubleshooting user management.
Does SCIM provisioning work only after a provisioned user has logged into Atlan?
No, SCIM provisioning works as soon as the user has been provisioned from the SSO provider. For example, even if the user is yet to log into Atlan, the user profile can be updated or the user disabled in Atlan directly from the SSO provider.
If SCIM is enabled and a user has never logged into Atlan, the status of the user will be Enabled by default. Once the user has logged in, their last login activity will be displayed in the Last Active column.
Can I assign SCIM provisioned users as asset owners before their first login?
Yes, you can assign asset ownership to SCIM provisioned users even if they are yet to log into Atlan for the first time.
How can I manage users in Atlan?
Following are the detailed permissions for managing your users in Atlan:
| Permission | SCIM on (SSO enforced) | SCIM on (SSO not enforced) | SCIM off (SSO enforced) | SCIM off (SSO not enforced) |
|---|---|---|---|---|
| Invite user from Atlan | β | β | β | β |
| Edit user profile in Atlan | β | β | β | β |
| Add users to Atlan groups | β Only for unmapped groups | β Only for unmapped groups | β | β |
| Enable or disable users in Atlan | β | β | β | β |