Skip to main content

Restrict auto user creation for SSO

Connect docs via MCP

By default, any user who can authenticate against your identity provider and reach Atlan's login page is automatically given an Atlan account on their first sign-in. For most production workspaces, that's too open: you typically want only the users IT has explicitly approved to get accounts.

Restricting auto-provisioning moves that control into your IdP. Once restricted, only users assigned to the Atlan application in the IdP can sign in. Anyone else is rejected at the IdP before Atlan even sees the request: no account is created.

Prerequisites

  • You are an admin in Atlan and an administrator of your identity provider.
  • SSO is already configured. If not, see Set up authentication first.
  • You have a list of users or groups who should have Atlan access. After restricting, only those users can sign in.

Restrict access in your identity provider

The control lives entirely in your IdP, not in Atlan. Select your provider below.

In Okta, only users explicitly assigned to an app can sign in to it. To restrict Atlan access:

  1. Log in to the Okta admin console.

  2. Go to Applications → Applications and open your Atlan SAML app.

  3. Open the Assignments tab.

  4. Click Assign, then choose Assign to People to add individual users or Assign to Groups to add groups.

  5. Select each user or group, confirm, and click Save and Go Back. Click Done when finished.

Only assigned users can now sign in to Atlan via Okta. To give a new user access later, add them to the assignment here: they are provisioned automatically on their first sign-in.

To remove access, open the Assignments tab, find the user or group, and click Remove.

Need help?

If a user can sign in when they shouldn't, verify the assignment in your IdP: the restriction lives there, not in Atlan. If a user can't sign in but should be able to, confirm they are in the assigned list and that SSO is reaching your IdP. See Troubleshooting SSO for common issues.

Next steps