
Troubleshooting SCIM provisioning


Atlan currently supports SCIM provisioning for the following SSO providers:

What information does Atlan sync from SSO providers?

Atlan syncs the user's first name, last name, username, email ID, group information, and user status through group mapping. The username and email ID are synced only once when the user is provisioned in Atlan for the first time.

Can I change the username of a provisioned user in Atlan?

No, once you have integrated SCIM in Atlan, the usernames of provisioned users are dependent on your SCIM provider. For example, if a username has changed due to an automation at source or in the case of a migration from one provider to another, you can't update usernames in Atlan.

Usernames in Atlan are permanent. Atlan uses usernames as a unique identifier across the platform and doesn't support making any changes to them. Verify that your username in the SCIM provider matches that in Atlan.

Why are some users missing from SCIM-mapped groups?

If users existed in Atlan before you enabled SCIM, their usernames may not match the format your SSO provider sends through SCIM. This typically happens when pre-SCIM users were invited with the email prefix as their username (for example, amorris), but your SSO provider sends the full email address as the SCIM userName (for example, amorris@yourcompany.com). Because Atlan matches the incoming SCIM userName with the existing Atlan username exactly, the lookup returns no match and the user is omitted from the group's member list.

SCIM doesn't raise an error for unmatched users during group sync. The sync completes successfully even when some members are skipped, so the mismatch can go unnoticed until you compare expected and actual group membership.

To identify affected users, go to Admin > Users and compare the Username column with the format your SSO provider sends as userName (typically the full email address). Note any users whose Atlan username is the email prefix or otherwise differs from the SCIM userName.

Because usernames in Atlan are immutable, resolving this mismatch requires Atlan support to run a one-time backend update that aligns each affected username with the format your SSO provider sends. To request the update, contact Atlan support with the list of affected users. Provide each pair as oldUsername and newUsername, for example:

[
{ "oldUsername": "amorris", "newUsername": "amorris@yourcompany.com" },
{ "oldUsername": "joleson", "newUsername": "joleson@yourcompany.com" }
]

The update preserves asset ownership, group membership, personas, and policies for affected users. However, audit log entries created before the update retain the old username, and any user-typed custom metadata that references the old username isn't rewritten. After Atlan support completes the update, the next SCIM sync from your SSO provider matches the affected users and adds them to their mapped groups.
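The comparison described above can be scripted. The following is an added example, not Atlan tooling: it assumes you have copied the Username and email values from Admin > Users into a CSV and have a list of the userName values your SSO provider sends. The CSV layout, sample data, and function name are constructed for illustration, and pairing users by email address is an assumption.

```python
import csv
import io
import json

# Constructed sample: username and email as shown under Admin > Users.
# The CSV layout is an assumption; the page describes no export format.
ATLAN_USERS_CSV = """username,email
amorris,amorris@yourcompany.com
joleson,joleson@yourcompany.com
kpatel@yourcompany.com,kpatel@yourcompany.com
svc-reports,reports@yourcompany.com
"""

# Constructed sample: userName values the SSO provider sends over SCIM.
SCIM_USERNAMES = [
    "amorris@yourcompany.com",
    "joleson@yourcompany.com",
    "kpatel@yourcompany.com",
    "newhire@yourcompany.com",
]


def build_rename_requests(atlan_csv, scim_usernames):
    """Return (renames, no_existing_user) for the given SCIM userNames."""
    rows = list(csv.DictReader(io.StringIO(atlan_csv)))
    existing = {r["username"] for r in rows}
    # Pairing by email (case-insensitive) is a heuristic of this example.
    by_email = {r["email"].strip().lower(): r["username"] for r in rows}
    renames, no_existing_user = [], []
    for scim_name in scim_usernames:
        if scim_name in existing:
            continue  # exact match: group sync finds this user
        old = by_email.get(scim_name.lower())
        if old is None:
            # No pre-SCIM account with this email; nothing to rename.
            no_existing_user.append(scim_name)
        else:
            # Pre-SCIM account that group sync would silently skip.
            renames.append({"oldUsername": old, "newUsername": scim_name})
    return renames, no_existing_user


if __name__ == "__main__":
    renames, _ = build_rename_requests(ATLAN_USERS_CSV, SCIM_USERNAMES)
    print(json.dumps(renames, indent=2))
```

Because group sync reports no error for skipped members, rerunning the comparison after the next sync confirms that no mismatched pairs remain.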

What happens if an SSO or Atlan group is renamed?

If SCIM provisioning is enabled and an SSO group that's mapped to Atlan is renamed, changes sync automatically. Renaming an Atlan group doesn't affect SCIM functionality.

What happens if an SSO group is deleted?

If an SSO group is deleted in the SSO provider, then the group mapping is also deleted in Atlan. The corresponding group in Atlan remains active, but all the users are removed from that group.

However, if you'd like to retain the group membership for your users in Atlan, you can first delete the group mapping in Atlan and then delete your SSO group in the SSO provider.

What happens if a user is deleted from the SSO provider?

If users are removed from your SSO provider, then the same users are also deactivated in Atlan. Their status is displayed as Disabled. To permanently delete them from Atlan, you can remove the users and transfer ownership of assets.

What happens if a username already exists in Atlan?

If a user with the username user.name and email address xyz@example.com already exists in Atlan and another user with the same username user.name but different email address abc@example.com is to be added via SSO, it creates a conflict in Atlan. The existing user remains in Atlan while the new SSO user isn't synced.

When does the SCIM token expire?

The SCIM token doesn't expire by default and can only be revoked by deleting it.

Can user removal affect the SCIM tokens that user created?

Yes, user removal also results in the deletion of any SCIM tokens created by that user. For more guidance, see the User management FAQ.

Does SCIM provisioning work only after a provisioned user has logged into Atlan?

No, SCIM provisioning works as soon as the user has been provisioned from the SSO provider. For example, even if the user is yet to log into Atlan, the user profile can be updated or the user disabled in Atlan directly from the SSO provider.

If SCIM is enabled and a user has never logged into Atlan, the status of the user is Enabled by default. Once the user has logged in, their last login activity is displayed in the Last Active column.

Can I assign SCIM provisioned users as asset owners before their first login?

Yes, you can assign asset ownership to SCIM provisioned users even if they're yet to log into Atlan for the first time.

How can I manage users in Atlan?

The following are the detailed permissions for managing your users in Atlan:

Permission | SCIM on (SSO enforced) | SCIM on (SSO not enforced) | SCIM off (SSO enforced) | SCIM off (SSO not enforced)
Invite user from Atlan
Edit user profile in Atlan
Add users to Atlan groups | ✅ Only for unmapped groups | ✅ Only for unmapped groups
Enable or disable users in Atlan