➕ Premium feature! This feature will be a paid addition. Reach out to your customer success manager for more information.
You can automate the process of provisioning and deprovisioning your Okta users and groups in Atlan with System for Cross-domain Identity Management (SCIM).
To enable Okta for SCIM provisioning, complete the following steps.
💪 Did you know? For any questions about SCIM provisioning, head over here.
Prerequisites
- Okta SSO must be enabled for Atlan.
- Okta users must be assigned to Atlan.
- Group mapping must be configured. This is required only if you are syncing mapped groups from Okta to Atlan.
Retrieve SCIM token in Atlan
🤓 Who can do this? You will need your Atlan admin to complete these steps — you may not have access yourself. You will also need inputs and approval from your Okta administrator.
You will need to generate a SCIM token in Atlan for authentication in Okta.
To retrieve the SCIM token, from within Atlan:
- From the left menu on any screen, click Admin.
- Under the Workspace heading, click SSO.
- On the Single Sign on page for Okta, under Overview, navigate to Automate Provisioning with SCIM and toggle it on.
- Under SCIM token, click the + Generate token button to create a SCIM token.
- In the SCIM token generated dialog, click the Copy button to copy the SCIM token and store it in a secure location.
🚨 Careful! The SCIM token is displayed only once, right after it has been generated. You cannot retrieve it later.
Enable SCIM provisioning in Okta
🤓 Who can do this? You will need your Okta administrator to complete these steps — you may not have access yourself. You will also need inputs and approval from your Atlan admin.
You can enable SCIM provisioning in Okta to automatically sync your users and groups to Atlan.
Configure SCIM provisioning in Okta
To configure SCIM provisioning, from within Okta:
- Log in to your Okta admin console.
- From the menu on the left, expand the Applications menu and then click Applications.
- Under Applications, select the SAML application you created to configure SSO in Atlan.
- From the tabs along the top of your application page, click the General tab and then click Edit.
- Under App Settings, for Provisioning, click SCIM and then click Save to confirm.
- From the tabs along the top of your application page, click the Provisioning tab and then click Edit.
- For SCIM connection, enter the following details:
- For SCIM connector base URL, enter your Atlan tenant URL in the following format: https://<your-tenant-dns>/api/service/scim/
- For Unique identifier field for users, enter userName as the field name of the unique identifier for your users on your SCIM server.
- For Supported provisioning actions, click to enable the following provisioning actions:
- Import New Users and Profile Updates — this allows Okta to import new users and user profile updates to Atlan.
- Push New Users — this allows user information to flow from Okta to Atlan.
- Push Profile Updates — this allows profile information to flow from Okta to Atlan.
- Push Groups — this allows group information to flow from Okta to Atlan.
- Import Groups — this allows Okta to import new groups and group profile updates to Atlan.
- For Authentication Mode, click the dropdown and then select HTTP Header.
- To authenticate using HTTP Header, you will need to provide a bearer token that will provide authorization against Atlan. For Authorization, in the Token field, enter the SCIM token you copied in Atlan.
- Click the Test Connector Configuration button to confirm connectivity to Atlan.
- Once successful, at the bottom of the form, click Save to save the configuration.
- Under the left Settings menu of the Provisioning tab, two new tabs will appear — To App and To Okta. Click To App to configure settings for SCIM provisioning to Atlan.
- On the Provisioning to App page, click Edit and then click to enable the following:
- Create Users — assigns a new Atlan account to each user managed by Okta. Okta does not create a new account if it detects that the username specified in Okta already exists in Atlan. The user's Okta username is assigned by default.
- Update User Attributes — updates the user profiles of users assigned to Atlan. Profile changes made in Atlan will be overwritten with their respective Okta profile values.
- Deactivate Users — automatically deactivates user accounts when they are unassigned in Okta or their Okta accounts are deactivated. Okta will also reactivate the Atlan account if the app integration is reassigned to a user in Okta.
- Click Save to save the configuration.
Map Okta user attributes to Atlan
🚨 Careful! You will need to assign users to Atlan from Okta before you can provision them.
After you have enabled SCIM provisioning and assigned users to Atlan in Okta, you can provision them to Atlan. Note the following:
- The username and email address of new and existing users cannot be changed once users have been provisioned to Atlan.
- If provisioning any users that already exist in Atlan, ensure that their Okta credentials match the existing credentials in Atlan for provisioning to be successful.
To provision users to Atlan, from within Okta:
- Log in to your Okta admin console.
- From the menu on the left, expand the Directory menu and then click Profile Editor.
- On the Profile Editor page, in the left menu under Users, click Apps and select the SAML application you created to configure SSO in Atlan.
- On your application page, under Attributes, click Mappings.
- In the User Profile Mappings dialog box, click Okta User to App.
- On the Okta User to App page, userName is already set by Atlan. Define the following mappings from Okta on the left to Atlan on the right:
- user.firstName -> givenName
- user.lastName -> familyName
- user.email -> email
- Click Save to save your selections.
- Once saved, at the bottom of the dialog, click Apply updates now.
- (Optional) Navigate to the Provisioning tab of the SAML application you created to configure SSO in Atlan to confirm the attribute mappings.
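The connection settings, attribute mappings and Deactivate Users option above translate into SCIM 2.0 requests. The following sketch is an added example, not Atlan's or Okta's code: it builds those requests without sending them, refuses a base URL that would send the bearer token over plain HTTP, and masks the token for logging. The wire shapes follow RFC 7643/7644. Using the Okta login as userName, placing email in a primary work entry of emails, and the sample profile are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

SCIM_PATH = "/api/service/scim/"  # path format given on this page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SAMPLE_PROFILE = {"login": "jdoe@example.com", "firstName": "Jane",  # constructed sample
                  "lastName": "Doe", "email": "jdoe@example.com"}

def check_base_url(base_url):
    """Reject a base URL that would expose the bearer token or miss the SCIM path."""
    u = urlparse(base_url)
    if u.scheme != "https":
        raise ValueError("SCIM base URL must use https")
    if not u.hostname or u.path != SCIM_PATH or u.query or u.fragment:
        raise ValueError("expected https://<your-tenant-dns>" + SCIM_PATH)
    return base_url

def build_request(method, base_url, resource, token, body):
    """Assemble (but do not send) a SCIM request using HTTP Header authentication."""
    return {
        "method": method,
        "url": check_base_url(base_url) + resource,
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/scim+json"},
        "body": json.dumps(body),
    }

def create_user(base_url, token, okta_profile):
    """Apply the mappings: firstName -> givenName, lastName -> familyName, email -> email."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": okta_profile["login"],  # assumption: Okta username is the login
        "name": {"givenName": okta_profile["firstName"],
                 "familyName": okta_profile["lastName"]},
        "emails": [{"value": okta_profile["email"], "primary": True, "type": "work"}],
        "active": True,
    }
    return build_request("POST", base_url, "Users", token, body)

def deactivate_user(base_url, token, scim_id):
    """Deactivate Users: a PATCH that sets active to false instead of deleting."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
    return build_request("PATCH", base_url, "Users/" + scim_id, token, body)

def redact(request):
    """Copy of a request that is safe to log: the SCIM token is masked."""
    return {**request, "headers": {**request["headers"], "Authorization": "Bearer <redacted>"}}
```

Log only the output of redact(); the raw request dictionary still carries the SCIM token in its Authorization header.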
Enable group push in Okta to Atlan
🚨 Careful! You will need to configure group mapping in Atlan before you can enable group push from Okta to Atlan.
To enable group push to Atlan, from within Okta:
- Log in to your Okta admin console.
- From the menu on the left, expand the Applications menu and then click Applications.
- Under Applications, select the SAML application you created to configure SSO in Atlan.
- From the tabs along the top of your application page, click the Push Groups tab and then click Edit.
- Under Push Groups to App, click the settings icon. From the Group Push Settings dialog, click Rename app groups to match group name in Okta and then click Save to rename groups in Atlan when linking groups.
- Under Push Groups to App, click the Push Groups button and then select Find groups by name to push your Okta groups to Atlan:
- For Push groups by name, in the Enter a group to push... field, enter the name of an Okta group you want to push to Atlan.
- To the right of your selected Okta group, under Match result & push action, click the Create Group dropdown and then select Link Group.
- Click Save to save your selections.
- (Optional) Repeat steps 1 to 3 to push additional Okta groups to Atlan.