Skip to main content

Enable OneLogin for SSO

Connect docs via MCP

Configure SAML 2.0 single sign-on so your users sign in to Atlan with their existing OneLogin credentials. Setup moves metadata in both directions: you copy Atlan's service provider details into a new SAML app in OneLogin, then import OneLogin's identity provider metadata back into Atlan.

Start in Atlan, build and configure the app in OneLogin, then return to Atlan to finish. Group sync is optional and covered at the end.

Prerequisites

Before you begin, make sure you have:

  • Admin access in Atlan. Only admins can configure SSO.
  • Administrator access in OneLogin so you can create a SAML application and assign users.
  • A decision on the default role new users receive on first sign-in (Admin, Member, or Guest). Set it in Set default role for SSO users. Most workspaces use Member.

Get Atlan's service provider details

Before setting up the app in OneLogin, get the values Atlan provides.

  1. In your Atlan workspace, click Settings from the left menu.

    If you are using the Old UI (Classic), from the left menu, click Admin.

  2. Click SSO.

  3. Click New, then select OneLogin as the provider.

  4. Under Service provider metadata, copy all four values: you'll paste them into OneLogin in the next step:

    • Audience (EntityID)
    • Recipient
    • ACS (Consumer) URL Validator
    • ACS (Consumer) URL

Keep this tab open. You'll return here to finish setup.

Configure in OneLogin

All the app setup happens in the OneLogin admin console: create the application, configure SAML settings and attribute mappings, and collect the IdP metadata.

Create SAML application

In the OneLogin admin console:

  1. From the top menu, navigate to Applications, then click Applications.

  2. In the upper right, click Add App.

  3. In the search box, enter SAML Custom Connector (Advanced) and select it from the results.

  4. Under Display Name, enter a name for the app (for example, Atlan), then click Save.

  5. Open the Configuration tab. Under Application details, enter the values you copied from Atlan:

    • Audience (EntityID): paste Atlan's Audience (EntityID).
    • Recipient: paste Atlan's Recipient.
    • ACS (Consumer) URL Validator: paste Atlan's ACS (Consumer) URL Validator.
    • ACS (Consumer) URL: paste Atlan's ACS (Consumer) URL.
    • Login URL: paste the same value used for ACS (Consumer) URL.
  6. Open the SSO tab and configure the following:

  • SAML Signature Algorithm: set to SHA-512.
    • SAML signature element: set to Assertion or Both. Don't use Response alone—Atlan requires the assertion itself to be signed.
    • Under Login Hint, ensure Enable login hint is checked.
  1. Open the Parameters tab and use the + icon to add the following attribute mappings. For each one, enter the field name on the left and select the OneLogin attribute on the right:

    • email → Email
    • firstName → First Name
    • lastName → Last Name
    info

    For users provisioned through SSO, the Atlan username comes from this mapping. If no username is mapped, Atlan uses the email prefix by default, which users can change when they first register.

  2. Click Save.

Download identity provider metadata

Once the app is saved, download the metadata that Atlan needs:

  1. On the app's page in OneLogin, click More Actions in the upper right.

  2. Click SAML Metadata to download the XML file.

Assign users

Only users assigned to the app in OneLogin can sign in to Atlan. You can assign users individually or by role:

  1. In OneLogin, go to Users → All Users to find individual users, or open the app's Access tab to assign by role.

  2. Add each user or role you want to give access to Atlan.

Connect OneLogin to Atlan

With the app configured in OneLogin, go back to Atlan to finish. Open your Atlan SSO settings (the OneLogin provider you started earlier) and:

  1. Under Identity provider metadata, click Import from XML and select the metadata file you downloaded from OneLogin.

  2. Click Save.

Your users can now sign in to Atlan with OneLogin. By default, they can still sign in with a local Atlan account too: to require OneLogin, enable Enforce SSO (see below).

Enforce SSO (optional)

Once OneLogin SSO works, you can disable local email-and-password sign-in so everyone authenticates through OneLogin:

  1. In Atlan, go to Settings → SSO and open your OneLogin provider.

  2. Enable Enforce SSO.

After enforcing SSO, have your OneLogin administrator manage access from OneLogin rather than inviting users directly in Atlan. Assigned users are provisioned automatically on their first sign-in.

Sync OneLogin groups to Atlan groups (optional)

Map OneLogin groups to Atlan groups so users land in the right teams automatically on every sign-in. OneLogin requires a few extra steps compared to other providers: you create Mappings to populate a memberOf attribute, add that attribute to the SAML app, then map group names in Atlan.

Before you start
  • Create the Atlan groups you want to map to first: you can only map to groups that already exist.
  • Group sync requires completing all three parts below. Skipping the OneLogin Mappings or the memberOf parameter step will prevent group data from reaching Atlan.

Part 1: Create group mappings in OneLogin

OneLogin uses Mappings to populate a memberOf attribute on each user before the SAML assertion is sent.

  1. In OneLogin, go to Users → Mappings.

  2. Click New Mapping for each group you want to sync. In the mapping dialog:

    • Name: enter something descriptive, for example Set memberOf - Data Engineering.
    • Conditions: add a condition: Group is [group name].
    • Actions: add an action: Set memberOf to [group name].
    • Click Save.
  3. Create one additional clearing mapping to handle users who belong to no groups:

    • Name: for example, Clear memberOf.
    • Conditions: add a condition: Group is None.
    • Actions: add an action: Set memberOf to (leave blank).
    • Click Save.
  4. Click Reapply All Mappings and confirm to apply the mappings to existing users.

Part 2: Add memberOf parameter to SAML app

With the mappings in place, add memberOf as a SAML attribute in your Atlan app:

  1. In OneLogin, go to Applications → Applications and open your Atlan app.

  2. Open the Parameters tab and click the + icon.

  3. In the New Field dialog:

    • Field name: enter memberOf.
    • Check Include in SAML assertion.
    • Click Save.
  4. In the Edit Field memberOf dialog that opens, set Value to MemberOf, then click Save.

Part 3: Map group names in Atlan

With OneLogin configured, complete the mapping in Atlan:

  1. In Atlan, go to Settings → SSO and open your OneLogin provider.

  2. Switch to the Groups Mapping tab.

  3. For each Atlan group, under the SSO Groups column, type the name of the matching OneLogin group (for example, Data Engineering), then click Save on that row.

Group membership syncs every time a user signs in. If you rename a group in OneLogin, update the mapping in Atlan to match. For sync issues, see Troubleshooting SSO.

info

Once you've configured group mapping, you can add the mapped groups to a persona or purpose to auto-assign permissions as users sign in.

Need help?

If users can't sign in or aren't landing in the right groups, see Troubleshooting SSO. Contact Atlan Support if the issue persists.

Next steps

Now that users can sign in through OneLogin, finish setting up access: