Troubleshooting SCIM provisioning

SCIM provisioning works in combination with your SSO setup in Atlan. Atlan currently supports SCIM provisioning for the following SSO providers:

What version of SCIM does Atlan use?

Atlan uses SCIM 2.0 for SCIM provisioning.

What information does Atlan sync from SSO providers?

Atlan syncs the user's first name, last name, username, email ID, group information, and user status through group mapping. The username and email ID are only synced once when the user is provisioned in Atlan for the first time.

What will happen if an SSO or Atlan group is renamed?

If SCIM provisioning is enabled and an SSO group that is mapped to Atlan is renamed, changes will sync automatically. Renaming an Atlan group does not affect SCIM functionality.

What happens if an SSO group is deleted?

If an SSO group is deleted in the SSO provider, then the group mapping will also be deleted in Atlan. The corresponding group in Atlan will remain active, but all the users will be removed from that group.

However, if you would like to retain the group membership for your users in Atlan, you can first delete the group mapping in Atlan and then delete your SSO group in the SSO provider.

What happens if a username already exists in Atlan?

If a user with the username user.name and email address xyz@example.com already exists in Atlan, and another user with the same username user.name but a different email address, abc@example.com, is added via SSO, this creates a conflict in Atlan. The existing user remains in Atlan and the new SSO user is not synced.
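A pre-flight check for the username conflict described above, as an added example that is not Atlan's own code: it compares a list of users already in Atlan with the users about to be provisioned from the SSO provider and reports every username that already exists with a different email address. The CSV column names, the sample rows and the case-insensitive comparison are assumptions made for this example.

```python
import csv
import io

# Constructed sample data: users already in Atlan and users assigned to the
# Atlan app in the SSO provider. Column names are assumptions for this example.
ATLAN_USERS_CSV = """username,email
user.name,xyz@example.com
jane.doe,jane.doe@example.com
sam.lee,sam.lee@example.com
"""

SSO_USERS_CSV = """username,email
user.name,abc@example.com
jane.doe,Jane.Doe@example.com
new.hire,new.hire@example.com
"""


def load_users(text):
    """Parse a username,email CSV into {username: email}.

    Both values are trimmed and lower-cased; treating them as
    case-insensitive is an assumption, not documented Atlan behaviour.
    """
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        users[row["username"].strip().lower()] = row["email"].strip().lower()
    return users


def find_conflicts(atlan_csv, sso_csv):
    """Return (username, atlan_email, sso_email) for each SSO user whose
    username already exists in Atlan with a different email address."""
    atlan = load_users(atlan_csv)
    sso = load_users(sso_csv)
    conflicts = []
    for username, sso_email in sorted(sso.items()):
        atlan_email = atlan.get(username)
        if atlan_email is not None and atlan_email != sso_email:
            conflicts.append((username, atlan_email, sso_email))
    return conflicts


if __name__ == "__main__":
    for name, atlan_email, sso_email in find_conflicts(ATLAN_USERS_CSV, SSO_USERS_CSV):
        print(f"CONFLICT {name}: Atlan has {atlan_email}, SSO has {sso_email}")
```

Each reported username is one that the SSO provider would fail to sync, so it can be resolved before the user is assigned in the SSO provider.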

When does the SCIM token expire?

The SCIM token does not expire by default. It can only be revoked by deleting it.

Does SCIM provisioning work only after a provisioned user has logged into Atlan?

No, SCIM provisioning works as soon as the user has been provisioned from the SSO provider. For example, even if the user is yet to log into Atlan, the user profile can be updated or the user disabled in Atlan directly from the SSO provider.

If SCIM is enabled and a user has never logged into Atlan, the status of the user will be Enabled by default. Once the user has logged in, their last login activity will be displayed in the Last Active column.

Can I assign SCIM provisioned users as asset owners before their first login?

Yes, you can assign asset ownership to SCIM provisioned users even if they are yet to log into Atlan for the first time.

How can I manage users in Atlan?

The following are the detailed permissions for managing your users in Atlan:

Permission SCIM on (SSO enforced) SCIM on (SSO not enforced) SCIM off (SSO enforced) SCIM off (SSO not enforced)
Invite user from Atlan
Edit user profile in Atlan
Add users to Atlan groups ✅ Only for unmapped groups ✅ Only for unmapped groups
Enable or disable users in Atlan
