Do I need SCIM?
SCIM (System for Cross-domain Identity Management) is an optional layer that works on top of your existing SSO setup to automate the full lifecycle of users and groups between your identity provider (Azure AD or Okta) and Atlan.
This page explains what user management looks like with and without SCIM, so you can decide whether enabling it is right for your organization.
Without SCIM—SSO with Just-in-Time (JIT) provisioning
When SCIM isn't enabled, Atlan uses Just-in-Time (JIT) provisioning. Users are created in Atlan automatically the first time they log in via SSO.
| Lifecycle event | What happens |
|---|---|
| New user onboarding | User is created in Atlan only on their first SSO login—no pre-creation is possible |
| Profile attributes | First name, last name, and group membership are synced once at first login only—subsequent changes in the IdP aren't reflected in Atlan automatically |
| Group assignment | Groups are mapped at login via SSO group claims—changes in group membership only reflect in Atlan at the user's next login |
| User deprovisioning / offboarding | When a user is removed from the IdP, their Atlan account remains active—an Atlan admin must manually disable it |
| Asset ownership pre-login | Can't assign users as asset owners until they've logged in at least once |
| Admin overhead | High—every onboarding, offboarding, profile update, and group change requires manual action in Atlan |
This is a workable starting point for smaller rollouts, but becomes operationally heavy as user count grows.
With SCIM enabled—automated provisioning
When SCIM is configured, your identity provider (Azure AD or Okta) drives the full user lifecycle in Atlan automatically.
| Lifecycle event | What happens |
|---|---|
| New user onboarding | Users are automatically created in Atlan via the IdP's provisioning cycle (every ~40 minutes for Azure AD, or instantly for Okta)—before they ever log in |
| Profile attributes | First name, last name, email, username, and group info are synced at provisioning time and kept up to date through ongoing sync cycles |
| Group assignment | Group memberships are automatically managed by the IdP—Atlan groups mapped to IdP groups are SCIM-managed and no longer require manual user additions |
| User deprovisioning / offboarding | When a user is removed or disabled in the IdP, they're automatically deactivated in Atlan on the next sync—no manual admin action needed |
| Asset ownership pre-login | SCIM-provisioned users can be assigned as asset owners before their first login—useful for migration and governance workflows |
| Admin overhead | Low—the IdP becomes the single source of truth; Atlan admin effort is limited to workspace-level settings and non-SCIM group management |
Key considerations before enabling SCIM
| Consideration | Detail |
|---|---|
| Setup effort | Requires coordination between your Atlan admin (SCIM token generation) and your IdP admin (provisioning configuration, attribute mapping) |
| Username is permanent | Once a user is provisioned via SCIM, their username can't be changed in Atlan—identity mappings must be decided correctly upfront |
| Sync isn't always instant | Azure AD's default provisioning cycle runs every ~40 minutes; on-demand provisioning is available but must be triggered manually |
| Azure licensing | SCIM provisioning through Entra ID may require an appropriate Microsoft Entra ID license tier (P1 or P2) |
| Admin controls shift | Once SCIM is on, inviting users, editing SCIM user profiles, and enabling/disabling SCIM users from within Atlan are controlled by the IdP—not from within Atlan directly |
| Pre-SCIM users | Users created in Atlan before SCIM was enabled (via JIT or manual invite) may cause identity conflicts during the first SCIM sync if their username format differs—plan your migration carefully |
Can I start with SSO and add SCIM later?
Yes. SSO and SCIM are independent setup steps. You can start with SSO-only and enable SCIM at any point later. However, if users have already been created in Atlan via JIT provisioning before you enable SCIM, verify their username format in Atlan matches what your IdP sends via SCIM—mismatches can cause provisioning conflicts.
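The pre-SCIM username check described above and in the "Pre-SCIM users" consideration, as an added example that is not part of Atlan's documentation or code: it takes a constructed export of usernames that JIT provisioning created and a constructed batch of SCIM User resources (RFC 7643 `userName`, `emails`, `active` attributes) as an IdP would send them, and reports which accounts match exactly, differ only in case, differ in format (same primary email, different `userName`), or would be created fresh. The matching rules and sample values are assumptions for illustration.

```python
import json

# Constructed sample: usernames that JIT provisioning created in Atlan
# (assumption: exported as a plain list of strings).
EXISTING_ATLAN_USERNAMES = [
    "alice@example.com",
    "Bob.Smith@example.com",
    "carol@example.com",
]

# Constructed sample: SCIM User resources as the IdP would send them on the
# first provisioning cycle (RFC 7643 core User attributes only).
SCIM_PAYLOAD = json.dumps([
    {"userName": "alice@example.com", "active": True,
     "emails": [{"value": "alice@example.com", "primary": True}]},
    {"userName": "bob.smith@example.com", "active": True,
     "emails": [{"value": "bob.smith@example.com", "primary": True}]},
    {"userName": "carol_example.com#EXT#@tenant.onmicrosoft.com", "active": True,
     "emails": [{"value": "carol@example.com", "primary": True}]},
    {"userName": "dave@example.com", "active": False,
     "emails": [{"value": "dave@example.com", "primary": True}]},
])


def primary_email(user: dict) -> str:
    """Return the primary email (or the first one) from a SCIM User, lowercased."""
    emails = user.get("emails", [])
    primary = [e["value"] for e in emails if e.get("primary")] or [e["value"] for e in emails]
    return primary[0].lower() if primary else ""


def classify_scim_users(existing: list, scim_users: list) -> dict:
    """Map each incoming SCIM userName to a status describing how it relates
    to the usernames JIT already created: match, case-mismatch,
    format-mismatch (same primary email, different userName), or new.
    Inactive SCIM users are flagged so a deactivation on first sync is expected."""
    exact = set(existing)
    by_lower = {u.lower() for u in existing}
    result = {}
    for user in scim_users:
        name = user["userName"]
        if name in exact:
            status = "match"
        elif name.lower() in by_lower:
            status = "case-mismatch"
        elif primary_email(user) in by_lower:
            status = "format-mismatch"
        else:
            status = "new"
        if not user.get("active", True):
            status += ",inactive"
        result[name] = status
    return result


def run_check(existing=EXISTING_ATLAN_USERNAMES, payload=SCIM_PAYLOAD) -> dict:
    """Parse the SCIM batch and classify it against the existing usernames."""
    return classify_scim_users(existing, json.loads(payload))
```

Anything reported as case-mismatch or format-mismatch is a candidate for a provisioning conflict and should be reconciled in the IdP attribute mapping before the first sync runs.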