SSO frequently asked questions
Answers to frequently asked questions about SSO configuration and user management in Atlan.
Does Atlan support Microsoft SSO (Azure AD / Entra)?
Yes. Atlan supports SAML 2.0 single sign-on with Microsoft Entra ID (Azure AD). See Enable Azure AD for SSO for the full setup guide.
Can Atlan integrate with multiple Azure AD tenants in a single instance?
Atlan can currently connect to only one Azure AD tenant per instance. If your organization spans multiple tenants, contact Atlan Support with details about your setup so the team can understand your requirements.
What user provisioning methods does Atlan support for SSO?
Atlan supports two provisioning approaches:
- Just-in-time (JIT) provisioning: a user profile is created in Atlan automatically the first time the user signs in via SSO. Group memberships and roles are assigned on every login based on your SSO group mapping configuration.
- SCIM provisioning: your identity provider drives the full user lifecycle: provisioning, attribute sync, group updates, and deprovisioning in the background. Supported providers: Azure AD and Okta.
When a user is deprovisioned in the SSO provider they can no longer sign in. Their Atlan profile is not deleted automatically, so you also need to disable the user in Atlan.
Why did my users not receive an invite email from Atlan?
Check two things:
- The email may have been routed to the user's spam or junk folder.
- If SSO is configured, invite emails from Atlan are not required. Users are provisioned automatically on their first SSO login. You do not need to send invitations via the Atlan UI when SSO is active. Direct users to your Atlan workspace URL and they sign in through their identity provider.
When does Atlan become a personal data processor or subprocessor?
Atlan personnel do not have access to any customer instance unless the customer explicitly grants it. If a customer instance contains personal data and Atlan personnel are granted access, Atlan may act as a personal data processor.
Depending on whether the customer acts as a data controller or processor, Atlan acts as a processor or subprocessor respectively.
Where customers intend to crawl personal data into the platform, Atlan enters into a data protection agreement, which may include:
- Standard Contractual Clauses (SCC) under EU GDPR
- International Data Transfer Agreement (IDTA) under UK GDPR
- HIPAA Business Associate Agreement (BAA) when handling personal health information governed by HIPAA
See also
- Set up authentication: Full SSO and SCIM setup overview.
- Enable Azure AD for SSO
- SCIM provisioning overview
- Troubleshooting SSO sign-in