Enable SAML 2.0 for SSO
Use this guide if your identity provider supports SAML 2.0 and is not listed as a named integration in Atlan's SSO settings. Setup exchanges metadata in both directions: you copy Atlan's service provider details into a new SAML app in your IdP, then import your IdP's metadata back into Atlan.
If you are using PingFederate as your identity provider, see the dedicated PingFederate (SAML) guide, which covers PingFederate-specific assertion URL requirements.
Prerequisites
Before you begin, make sure you have:
- Admin access in Atlan. Only admins can configure SSO.
- Administrator access in your identity provider so you can create a SAML application and assign users.
- A decision on the default role new users receive on first sign-in (Admin, Member, or Guest). Set it in Set default role for SSO users. Most workspaces use Member.
Get Atlan's service provider details
Before configuring the app in your identity provider, get the values Atlan provides.
-
In your Atlan workspace, click Settings from the left menu.
If you are using the Old UI (Classic), from the left menu, click Admin.
-
Click SSO.
-
Click New, then select SAML 2.0.
-
Enter an Alias for the connection. This is a unique name used in the SSO URL (for example,
my-company-saml), then click Next. -
Under Service provider metadata, copy both values: you will paste them into your IdP in the next step:
- Atlan SAML Assertion URL (the ACS URL)
- Atlan Audience URI (SP Entity ID)
Keep this tab open. You will return here to finish setup.
Configure in your identity provider
The exact steps vary by identity provider, but the configuration is the same for any SAML 2.0-compliant IdP.
In your identity provider's admin console:
-
Create a new SAML 2.0 application and name it
Atlan. -
Set the Entity ID or Issuer to the Atlan Audience URI (SP Entity ID) value you copied from Atlan.
-
Set the ACS URL or Assertion Consumer Service URL to the Atlan SAML Assertion URL value you copied from Atlan.
-
Assign the users and groups that should have access to Atlan.
-
Configure the application to return the following attributes in the SAML assertion:
firstNamelastNameemailmemberOf(optional, but required if you plan to sync IdP groups to Atlan groups)
infoFor users provisioned through SSO, the Atlan username comes from these attribute mappings. If no username attribute is mapped, Atlan uses the email prefix by default, which users can change when they first register.
-
Export the IdP's SAML metadata as an XML file, or note the SSO URL and x.509 certificate for manual entry.
warningThe SSO URL must be accessible from Atlan via the internet.
Connect your IdP to Atlan
With the app configured in your identity provider, go back to Atlan to finish. Open your Atlan SSO settings (the SAML 2.0 provider you started earlier) and:
-
Under Identity provider metadata, provide the metadata from your IdP one of two ways:
- Import from XML (recommended): click Import from XML and select the metadata file you exported from your IdP.
- Enter manually: paste the SAML SSO URL and the x.509 certificate from your IdP into their respective fields.
-
(Optional) Under Attribute Mapper, update the attribute name mappings if your IdP uses different names for the standard attributes. For example, if your IdP sends email as
mailinstead ofemail, update the mapping here. -
(Optional) Under Customize, enter a Sign in button text to display a custom label for this provider on the Atlan login page.
-
Click Save.
Your users can now sign in to Atlan using your identity provider. By default, they can still sign in with a local Atlan account too. To require IdP sign-in, enable Enforce SSO (see below).
Enforce SSO (optional)
Once SSO is working, you can disable local email-and-password sign-in so everyone authenticates through your IdP:
-
In Atlan, go to Settings → SSO and open your SAML 2.0 provider.
-
Enable Enforce SSO.
After enforcing SSO, have your IdP administrator manage access from your identity provider rather than inviting users directly in Atlan. Assigned users are provisioned automatically on their first sign-in.
Sync IdP groups to Atlan groups (optional)
Map your IdP's groups to Atlan groups so users are placed in the right teams automatically on every sign-in.
- Configure the
memberOfattribute in your IdP's SAML application. Group sync will not work without it. - Create the Atlan groups you want to map to first: you can only map to groups that already exist in Atlan.
-
In Atlan, go to Settings → SSO and open your SAML 2.0 provider.
-
Switch to the Groups Mapping tab.
-
For each Atlan group, under the SSO Groups column, type the name of the matching group from your IdP (for example,
Data Engineering), then click Save on that row.
Group membership syncs every time a user signs in. If you rename a group in your IdP, update the mapping in Atlan to match. For sync issues, see Troubleshooting SSO.
Need help?
If users can't sign in or aren't landing in the right groups, see Troubleshooting SSO. Contact Atlan Support if the issue persists.
Next steps
Now that users can sign in through your IdP, finish setting up access:
- Set default role for SSO users: Choose whether new users land as Member, Guest, or Admin.
- Restrict auto user creation: Limit sign-in to only the users your identity provider assigns.
- Configure SCIM provisioning: Automate the full user lifecycle (optional).