Enable Okta for SSO
Configure SAML 2.0 single sign-on so your users sign in to Atlan with their existing Okta credentials. Setup moves metadata in both directions: you copy Atlan's service provider details into a new SAML app in Okta, then import Okta's identity provider metadata back into Atlan.
Start in Atlan, build and configure the app in Okta, then return to Atlan to finish. Group sync is optional and covered at the end.
Prerequisites
Before you begin, make sure you have:
- Admin access in Atlan. Only admins can configure SSO.
- Administrator access in Okta so you can create a SAML app and assign users.
- A decision on the default role new users receive on first sign-in (Admin, Member, or Guest). Set it in Set default role for SSO users. Most workspaces use Member.
Get Atlan's service provider details
Before setting up the app in Okta, get the values Atlan provides.
-
In your Atlan workspace, click Settings from the left menu.
If you are using the Old UI (Classic), from the left menu, click Admin.
-
Click SSO.
-
Click New, then select Okta as the provider.
-
Under Service provider metadata, copy both values: you'll paste them into Okta in the next step:
- Single sign on URL
- Audience URI (SP Entity ID)
Keep this tab open. You'll return here to finish setup.
Configure in Okta
All the app setup happens in the Okta admin console: create the application, collect the IdP metadata, and assign users.
Create SAML application
In the Okta admin console:
-
In the left menu, expand Applications and click Applications.
-
Click Create App Integration.
-
Select SAML 2.0 as the sign-in method, then click Next.
-
Under General Settings, enter a name for the app (for example,
Atlan), then click Next. -
Under Configure SAML, enter the values you copied from Atlan:
- Single sign-on URL: paste Atlan's Single sign on URL. Keep Use this for Recipient URL and Destination URL enabled.
- Audience URI (SP Entity ID): paste Atlan's Audience URI (SP Entity ID).
-
Under Attribute Statements (optional), add the following mappings. For each one, set the Name format to Basic, enter the Name on the left, and enter the Value on the right:
firstName→user.firstNamelastName→user.lastNameemail→user.email
infoFor users provisioned through SSO, the Atlan username comes from this mapping. If no username is mapped, Atlan uses the email prefix by default, which users can change when they first register.
-
(For group sync) Under Group Attribute Statements (optional), add one mapping so Okta sends each user's group membership to Atlan:
- Name:
memberOf - Name format: Unspecified
- Filter: Matches regex
[\s\S]+
This is required only if you plan to sync Okta groups to Atlan groups. For tighter filtering, see Okta's guidance on group attribute statements.
- Name:
-
Click Show Advanced Settings and configure assertion signing:
- Assertion Signature: set to Signed.
- Signature Algorithm: confirm it's set to RSA-SHA256.
- Digest Algorithm: confirm it's set to SHA256.
-
Click Next.
-
Under Help Okta Support understand how you configured this application, select I'm an Okta customer adding an internal app, then enable This is an internal app that we've created.
-
Click Finish.
Download identity provider metadata
Once the app is created, Okta opens its settings page. Grab the metadata from the Sign On tab:
-
On the app's page, open the Sign On tab.
-
Under SAML Signing Certificates, find the active certificate and click Actions in its row.
-
Click View IdP metadata. The metadata opens in a new tab.
-
Save the file as XML. If it displays as plain text, save the page as a
.xmlfile.
Assign users and groups
Only users assigned to the app in Okta can sign in to Atlan. Still on the app's page in Okta:
-
Open the Assignments tab.
-
Click Assign, then choose Assign to People or Assign to Groups.
-
Assign each user or group you want to give access to, confirm the details, and click Save and Go Back.
-
When you're done, click Done.
By default, any Okta user who can authenticate and reach Atlan is automatically given an account on first sign-in. Controlling assignments here is also how you prevent that: users not assigned to this app are rejected at sign-in and no Atlan account is created for them.
Connect Okta to Atlan
With the app configured in Okta, go back to Atlan to finish. Open your Atlan SSO settings (the Okta provider you started earlier) and:
-
Under Identity provider metadata, provide the metadata you downloaded from Okta one of two ways:
- Import from XML (recommended): click Import from XML and select the metadata file you saved from Okta.
- Enter manually: paste the SAML SSO URL and the x.509 certificate from Okta into their respective fields.
-
Click Save.
Your users can now sign in to Atlan with Okta. By default, they can still sign in with a local Atlan account too: to require Okta, enable Enforce SSO (see below).
Enforce SSO (optional)
Once Okta SSO works, you can disable local email-and-password sign-in so everyone authenticates through Okta:
-
In Atlan, go to Settings → SSO and open your Okta provider.
-
Enable Enforce SSO.
After enforcing SSO, have your Okta administrator manage access from Okta rather than inviting users directly in Atlan. Assigned users are provisioned automatically on their first sign-in.
Sync Okta groups to Atlan groups (optional)
Map Okta groups to Atlan groups so users land in the right teams automatically on every sign-in.
- Configure the
memberOfgroup attribute statement in Okta when you create the SAML app. Group sync won't work without it. - Create the Atlan groups you want to map to first: you can only map to groups that already exist.
-
In Atlan, go to Settings → SSO and open your Okta provider.
-
Switch to the Groups Mapping tab.
-
For each Atlan group, under the SSO Groups column, type the name of the matching Okta group (for example,
Data Engineering), then click Save on that row.
Group membership syncs every time a user signs in. If you rename a group in Okta, update the mapping in Atlan to match. For sync issues, see Troubleshooting SSO.
You can add a mapped group to a persona or purpose to auto-assign permissions as users sign in. To fully automate user and group lifecycle, configure SCIM provisioning in Okta.
Need help?
If users can't sign in or aren't landing in the right groups, see Troubleshooting SSO. Contact Atlan Support if the issue persists.
Next steps
Now that users can sign in through Okta, finish setting up access:
- Set default role for SSO users: Choose whether new users land as Member, Guest, or Admin.
- Restrict auto user creation: Limit sign-in to only the users your identity provider assigns.
- Configure SCIM provisioning: Automate the full user lifecycle (optional).