Sync groups from your identity provider

Map your identity provider's groups to Atlan groups so each user's membership updates automatically on every sign-in. When a user signs in via SSO, Atlan reads the group names from the SAML assertion (via the memberOf attribute you configured in your IdP), looks up the matching Atlan group, and updates that user's membership in the same session.

This means onboarding, team transfers, and offboarding all flow through one source of truth: your IdP. No manual group edits in Atlan needed.

Prerequisites

Before you configure group sync, make sure:

  • You are an admin in Atlan.
  • SSO is configured for your workspace. If not, see Set up authentication first.
  • Your SSO provider is configured to send the memberOf group attribute in the SAML assertion. Each provider's setup guide includes this step:
  • The Atlan groups you want to sync to already exist. See Organize teams in groups if you need to create them first.

Map IdP groups to Atlan groups

Group mapping is configured per SSO provider in your Atlan SSO settings.

  1. In your Atlan workspace, click Settings from the left menu.

    If you are using the Old UI (Classic), from the left menu, click Admin.

  2. Click SSO, then open the SSO provider you want to configure group sync for.

  3. Switch to the Groups Mapping tab.

  4. For each Atlan group you want to sync, under the SSO Groups column, type the name of the corresponding group in your IdP exactly as it appears in the memberOf claim. For example:

    Atlan group   | IdP group name to enter
    Engineering   | engineering@acme.com
    Marketing     | marketing-team
    Data Platform | data-platform

  5. Click Save on each row after entering the IdP group name.

From this point on, every time a user signs in via SSO, Atlan updates their group membership to match what your IdP sends. Additions, removals, and transfers all happen automatically. If you have multiple SSO providers configured, repeat this for each one.

Info: If a user's IdP group name changes (for example, a Slack group is renamed), update the mapping in Atlan to match. The old mapping silently stops working.

How sync works

  • Trigger: every SSO sign-in, not a background job.
  • Scope: only groups that have a mapping defined. Unmapped IdP groups are ignored.
  • Multiple groups: a user in multiple mapped IdP groups belongs to all corresponding Atlan groups simultaneously.
  • Removals: if a user's IdP group is removed, they lose the Atlan group on their next sign-in.
  • Group deletion: Atlan does not automatically delete Atlan groups. Groups with no members remain until an admin deletes them manually.
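The rules above can be dry-run against a captured assertion before you rely on a mapping. The following is an added example, not Atlan's code: `member_of` and `plan_sync` are hypothetical helper names, the assertion is a constructed sample, and the script assumes that name matching is case-sensitive and that Atlan groups without a mapping are left untouched.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute statement of a SAML assertion (not a real capture).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>engineering@acme.com</saml:AttributeValue>
      <saml:AttributeValue>Marketing-Team</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Atlan group -> IdP group name, as typed in the Groups Mapping tab (values from the example table).
MAPPING = {
    "Engineering": "engineering@acme.com",
    "Marketing": "marketing-team",
    "Data Platform": "data-platform",
}

def member_of(assertion_xml):
    """Return the set of memberOf values carried in the assertion."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:Attribute[@Name='memberOf']/saml:AttributeValue"
    return {(v.text or "").strip() for v in root.findall(path, NS)}

def plan_sync(assertion_xml, mapping, current_groups):
    """Compute the membership one sign-in would produce under the rules above."""
    sent = member_of(assertion_xml)
    mapped = set(mapping)                      # only mapped Atlan groups are in scope
    granted = {g for g, idp in mapping.items() if idp in sent}  # assumed exact match
    unmanaged = set(current_groups) - mapped   # assumed: unmapped Atlan groups untouched
    # Sent names that differ from a mapped name only by case: likely a typo or rename.
    near = {idp: s for idp in mapping.values() for s in sent
            if s != idp and s.lower() == idp.lower()}
    return {
        "result": granted | unmanaged,
        "added": granted - set(current_groups),
        "removed": (set(current_groups) & mapped) - granted,
        "ignored_idp_groups": sent - set(mapping.values()),
        "near_misses": near,
    }
```

A non-empty `near_misses` or an unexpected entry in `removed` points at a mapping that would silently stop granting access on the user's next sign-in.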

Need help?

If group sync isn't working as expected, see Troubleshooting IdP group sync for common issues. Contact Atlan Support if the problem persists.
