Troubleshooting IdP group sync
Common issues you might run into when syncing groups from your identity provider into Atlan, and what to check first. For the setup steps, see Sync groups from your IdP.
Groups not syncing at all
Atlan reports that groups are not configured, or no groups appear after you enable sync.
Cause
The memberOf claim (or equivalent groups claim) is missing from the token your IdP sends. Without it, Atlan has nothing to map.
Solution
- Open your IdP's app configuration for the Atlan integration.
- Confirm the groups claim is included in the token. Depending on your provider this claim may be named groups, memberOf, or something provider-specific.
- Confirm the scope that authorizes the groups claim (groups, profile, or a custom scope) is listed as a requested scope on the Atlan app.
- Save your changes in the IdP, then ask a user to sign out and sign back in to test.
Wrong group members
A user appears in a group they should not be in, or is missing from a group they should belong to.
Cause
Either the IdP-to-Atlan group mapping contains a typo or stale group name, or the user's actual IdP group membership does not match what you expect.
Solution
- In Atlan, go to Settings → Groups → Sync Groups and review each mapping. Check for typos, extra spaces, or outdated IdP group names.
- In your IdP's admin console, look up the user and verify which groups they actually belong to at the source.
- Correct any mismatches in the mapping or in the IdP, then ask the user to sign out and sign back in.
Sync not picking up recent changes
A user's group membership was updated in the IdP, but their Atlan group membership has not changed.
Cause
Sync is login-triggered, not real-time. Atlan reads the groups claim only when a user authenticates. Changes made in the IdP after the user's last sign-in are not reflected until the next sign-in.
Solution
Ask the user to sign out of Atlan and sign back in. The next sign-in reads the latest groups claim from the IdP and reconciles their Atlan group membership.
Users show up in multiple groups
This is expected behavior, not a bug. If a user belongs to multiple IdP groups that are each mapped to a different Atlan group, they belong to all matching Atlan groups at the same time. Group memberships are additive.
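The three situations above (no groups claim in the token, a mapping entry that does not match the IdP group name exactly, and a user holding several mapped groups) can all be checked offline against a decoded ID token. The Python below is an added example written for this page, not Atlan's sync code. It assumes the sync matches IdP group names exactly, so entries that differ only by case or whitespace are reported as probable typos rather than matched; the claim names it looks for, the mapping and the token are constructed samples. It decodes the token without verifying the signature, which is fine for inspecting what the IdP sent but must never feed an authorization decision.

```python
"""Added example: check a token's groups claim against an Atlan group mapping.

Diagnostic code written for this page, not Atlan's sync implementation. It
assumes the sync matches IdP group names exactly (no trimming, no case-folding),
which is why near-misses are reported separately instead of being honoured.
"""
import base64
import json

# Claim names checked, in order. 'groups' and 'memberOf' are the names the page
# mentions; add a provider-specific claim name here if yours differs (assumption).
GROUP_CLAIM_NAMES = ("groups", "memberOf")


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: unverified claims prove nothing about who sent them,
    so never use this function on an authorization path.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def find_groups_claim(claims: dict):
    """Return (claim_name, groups), or (None, []) when the token has no groups claim."""
    for name in GROUP_CLAIM_NAMES:
        if name in claims:
            value = claims[name]
            return name, ([value] if isinstance(value, str) else list(value))
    return None, []


def _loose(name: str) -> str:
    """Normalisation used only to spot near-misses: collapse whitespace, ignore case."""
    return " ".join(name.split()).casefold()


def resolve_groups(claims: dict, mapping: dict) -> dict:
    """Resolve a user's Atlan groups from token claims and the IdP-to-Atlan mapping.

    mapping: IdP group name -> Atlan group name, as entered under
    Settings > Groups > Sync Groups. Membership is additive: every mapped IdP
    group the user holds contributes its Atlan group.
    """
    claim_name, idp_groups = find_groups_claim(claims)
    report = {
        "claim": claim_name,              # None: the IdP did not send a groups claim
        "atlan_groups": [],               # groups the user would be placed in
        "unmapped_idp_groups": [],        # IdP groups with no mapping entry at all
        "probable_typos": [],             # (mapping entry, IdP group) differing only by case/whitespace
        "unmatched_mapping_entries": [],  # entries this user's token never matched
    }
    if claim_name is None:
        return report
    by_loose = {_loose(entry): entry for entry in mapping}
    matched = set()
    for group in idp_groups:
        if group in mapping:  # exact match: the only kind the sync itself honours
            matched.add(group)
            if mapping[group] not in report["atlan_groups"]:
                report["atlan_groups"].append(mapping[group])
        elif _loose(group) in by_loose:  # near-miss: the sync would NOT match this
            entry = by_loose[_loose(group)]
            matched.add(entry)
            report["probable_typos"].append((entry, group))
        else:
            report["unmapped_idp_groups"].append(group)
    report["unmatched_mapping_entries"] = [e for e in mapping if e not in matched]
    return report


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed sample token with a dummy signature, for offline testing only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(payload), "sig"])


# Constructed sample: one group mapped exactly, one carrying a trailing space in
# the token, one with no mapping, plus a mapping entry the user does not hold.
SAMPLE_MAPPING = {
    "Data Engineering": "data-engineers",
    "Analytics": "analysts",
    "Marketing": "marketers",
}
SAMPLE_TOKEN = make_unsigned_token(
    {"sub": "jdoe", "memberOf": ["Data Engineering", "Analytics ", "Finance"]}
)

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    for key, value in resolve_groups(claims, SAMPLE_MAPPING).items():
        print(f"{key}: {value}")
```

Run it against a real ID token captured from the browser's network tab (or your IdP's token preview tool) and your actual mapping: a claim of None points at the IdP app configuration, a non-empty probable_typos list points at the mapping, and an IdP group in unmapped_idp_groups is simply not synced.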
Role not updated after the User Role Sync workflow runs
The Atlan Group to User Role Sync workflow completes successfully, but a user keeps their old role (for example, they stay Guest instead of becoming a Member or Admin).
Cause
Roles are applied from group membership, and group membership is read on sign-in. A successful run does not change a user who has not signed in since the run, or whose identity provider is not emitting the group claim the mapping relies on. The standard sync also maps only the built-in roles (Admin, Member, Guest); custom roles are not covered.
Solution
- Confirm the user's identity provider emits the groups or memberOf claim that the role mapping relies on.
- Ask the user to sign out and sign back in, then re-run the workflow. Role changes apply on the next sign-in after the run.
- For a custom role, such as a BAU Admin, assign it separately. The Atlan Group to User Role Sync workflow does not manage custom roles.
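To see why a successful workflow run left a user's role unchanged, it helps to compute what the run could have applied and compare it with when the user last signed in. The Python below is an added illustration written for this page, not the workflow's own code. It assumes that when a user's groups map to more than one built-in role the highest one wins (Admin over Member over Guest); the page does not state that tie-break rule. The claims, role mapping and timestamps are constructed samples.

```python
"""Added example: work out which built-in role the Atlan Group to User Role Sync
workflow would apply to a user, and why it may not have happened yet.

Illustration written for this page, not the workflow's code. Assumption: when
several mapped groups give different built-in roles, the highest one wins.
"""
from datetime import datetime, timezone

BUILTIN_ROLES = ("Guest", "Member", "Admin")  # lowest to highest (assumed precedence)
GROUP_CLAIM_NAMES = ("groups", "memberOf")

ACTION_FIX_CLAIM = "no groups claim or no mapped group in the token: fix the IdP claim or the mapping first"
ACTION_RESIGN_IN = "last sign-in predates the workflow run: ask the user to sign out and sign back in, then re-run the workflow"
ACTION_ESCALATE = "claim, mapping and sign-in all look current: contact Atlan Support with these details"
ACTION_NONE = "role already matches the mapping"


def groups_from_claims(claims: dict):
    """Return the user's IdP groups, or None when the token carries no groups claim."""
    for name in GROUP_CLAIM_NAMES:
        if name in claims:
            value = claims[name]
            return [value] if isinstance(value, str) else list(value)
    return None


def derive_builtin_role(claims: dict, role_mapping: dict):
    """Return (role, notes); role is None when the workflow has nothing to apply.

    role_mapping: IdP group name -> role name. Entries that point at a custom
    role (anything outside BUILTIN_ROLES) are reported and skipped, mirroring
    the workflow's limitation to Admin, Member and Guest.
    """
    notes = []
    groups = groups_from_claims(claims)
    if groups is None:
        notes.append("token has no groups or memberOf claim; the workflow has nothing to apply")
        return None, notes
    best = None
    for group in groups:
        role = role_mapping.get(group)
        if role is None:
            continue
        if role not in BUILTIN_ROLES:
            notes.append(f"{group!r} maps to custom role {role!r}; not managed by the workflow, assign it separately")
            continue
        if best is None or BUILTIN_ROLES.index(role) > BUILTIN_ROLES.index(best):
            best = role
    return best, notes


def triage_role(claims: dict, role_mapping: dict, current_role: str,
                last_sign_in: datetime, run_completed_at: datetime) -> dict:
    """Explain a user's role after a successful run and name the next step to take."""
    expected, notes = derive_builtin_role(claims, role_mapping)
    if expected is None:
        action = ACTION_FIX_CLAIM
    elif expected == current_role:
        action = ACTION_NONE
    elif last_sign_in < run_completed_at:  # group membership is only re-read on sign-in
        action = ACTION_RESIGN_IN
    else:
        action = ACTION_ESCALATE
    return {"expected_role": expected, "current_role": current_role,
            "action": action, "notes": notes}


# Constructed sample: the user holds an Admin-mapped group and a custom-role
# group, but last signed in before the workflow ran, so they are still Guest.
SAMPLE_ROLE_MAPPING = {
    "Data Engineering": "Member",
    "Platform Admins": "Admin",
    "BAU Admins": "BAU Admin",  # custom role: outside the workflow's scope
}
SAMPLE_CLAIMS = {"sub": "jdoe", "memberOf": ["Data Engineering", "Platform Admins", "BAU Admins"]}
SAMPLE_LAST_SIGN_IN = datetime(2024, 5, 1, 8, 30, tzinfo=timezone.utc)
SAMPLE_RUN_COMPLETED = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    result = triage_role(SAMPLE_CLAIMS, SAMPLE_ROLE_MAPPING, "Guest",
                         SAMPLE_LAST_SIGN_IN, SAMPLE_RUN_COMPLETED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The three inputs the triage needs (the user's IdP groups as sent in the token, the role mapping, and the last sign-in time relative to the run) are the same three facts Atlan Support asks for, so collecting them up front saves a round trip.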
Need help?
If sync still isn't behaving the way you expect after checking the above, contact Atlan Support with the user's IdP group membership, the Atlan group mapping, and the time of their last sign-in.