Sync roles from your identity provider

Role sync keeps each user's Atlan role aligned with your identity provider by reading role or group claims from the OIDC or SAML response on every sign-in. When a user authenticates via SSO, Atlan reads the configured claim, looks up the matching role in your mapping, and updates the user's role in the same session.

This eliminates manual role management: promotions, role changes, and offboarding all flow through your IdP as the single source of truth.

Prerequisites

  • You are an admin in Atlan.
  • SSO is already configured. If not, see Set up authentication first.
  • Your identity provider is sending a claim that contains role information. This could be a roles claim, a groups claim, or a custom attribute. Confirm the claim is included in your IdP's OIDC or SAML scopes.

Configure role sync

Select your protocol below.

  1. In your Atlan workspace, click Settings from the left menu.

    If you are using the Old UI (Classic), from the left menu, click Admin.

  2. Click SSO, then open your OIDC provider.

  3. Find the Role Mapping section and enable role sync.

  4. Set the claim name that contains the role information:

    • groups: if you want to map IdP groups to Atlan roles.
    • roles: if your IdP sends a dedicated role claim.
    • A custom attribute name (for example, atlan_role in Azure AD).
  5. Define the mapping from claim values to Atlan roles. For example:

    Okta (groups claim):

    Okta group       Atlan role
    atlan-admins     Admin
    atlan-members    Member
    atlan-guests     Guest

    Azure AD (custom atlan_role attribute):

    Azure AD attribute value    Atlan role
    admin                       Admin
    member                      Member
    guest                       Guest
  6. Click Save.

How role sync works

  • Role sync runs on every sign-in. Atlan reads the latest claim and updates the user's role in the same session.
  • Manual role changes made in Atlan are overwritten on the next sign-in if role sync is active. To preserve a manual change, disable role sync or update the mapping to match.
  • Role sync only assigns the primary role (Admin, Member, Guest). Sub-roles (Governance Admin, Workflow Admin) are assigned through Assign admin sub-roles or the group-based role assignment app.
  • For users who have not signed in recently, role sync does not apply until their next login.

Need help?

If users are landing with the wrong role, check what claim value your IdP is actually sending (look at the IdP's sign-in logs) and verify the mapping in Atlan matches exactly. Contact Atlan Support if the issue persists.
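The troubleshooting step above (inspect the claim the IdP actually sends, then check it against the mapping exactly) as an added worked example; this is illustrative code, not Atlan's own implementation. It reuses the Okta and Azure AD mappings from the configuration steps, and the tie-break rule for a user in several mapped groups (most privileged mapped role wins) is an assumption, not something this page states.

```python
import base64
import json
from typing import Optional

# Mappings copied from the two examples on this page.
OKTA_GROUPS_TO_ROLE = {"atlan-admins": "Admin", "atlan-members": "Member", "atlan-guests": "Guest"}
AZURE_ATTR_TO_ROLE = {"admin": "Admin", "member": "Member", "guest": "Guest"}

# Assumption (not stated on the page): when a user carries several mapped
# group values, the most privileged mapped role wins. Confirm in your tenant.
ROLE_RANK = {"Guest": 0, "Member": 1, "Admin": 2}


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature.
    Diagnostic only (e.g. a token copied from the IdP's sign-in logs), to
    see which claim values are really sent; never use it to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_role(claims: dict, claim_name: str, mapping: dict) -> Optional[str]:
    """Apply the configured claim -> Atlan role mapping.
    Returns None when the claim is missing or no value matches exactly
    (case-sensitive), the usual cause of a user landing with the wrong role."""
    value = claims.get(claim_name)
    if value is None:
        return None
    values = value if isinstance(value, list) else [value]
    matched = [mapping[v] for v in values if v in mapping]
    return max(matched, key=ROLE_RANK.__getitem__) if matched else None


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample ID token with a placeholder signature: an Okta user in
# two mapped groups and one unrelated group.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "u123", "groups": ["finance", "atlan-members", "atlan-admins"]}),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(claims["groups"], "->", resolve_role(claims, "groups", OKTA_GROUPS_TO_ROLE))
```

A value such as "Atlan-Admins" resolves to None because the comparison is exact, which is what the "matches exactly" check above is about.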

See also