How to integrate SSO on Atlas?

Written by Luis César
Updated over 2 months ago

The goal of Single Sign-on (SSO) is to allow Atlas Governance users to log in without using passwords, utilizing the identity platform of their Microsoft account through the OAuth 2.0 authorization protocol.

An Administrator in the Atlas Governance portal who is a Global Admin or Directory Owner, or who has the "Application Admin" role, can run the simplified procedure that configures all the necessary requirements at: https://www.atlasgov.com/settings/admin > "Single Sign-on" tab > "Enable AD SSO".

Clicking "ENABLE AD SSO" starts the process of requesting administrator consent and setting up the domains (requirements 2 and 3, described under "What are the requirements?").

(Important: For this step, the Global Admin must be an Administrator within the Portal)

At the end of the procedure, the Atlas Governance application will prompt all users to re-login using Single Sign-On, and will display the configured directory and domain data in the Administrative panel.

Attention points:

1. How does the implementation work?

To make it easier for users to access different directories, the multi-tenant application "Atlas Governance OAuth" was created. It allows users to connect to the Atlas Governance system using pre-authorized permissions in their source AD directory, with the administrator's consent (see https://docs.microsoft.com/pt-br/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent).

The current deployment does not include automatic user provisioning, SCIM, or any other type of user synchronization; it focuses solely on the simple use of Azure Active Directory and Microsoft Account for SSO authentication. The goal is to eliminate the use of specific passwords in the Atlas Governance application, ensuring that users lose access to Atlas Governance immediately when they are locked out of Active Directory.

2. What are the requirements?

1) Enabling in Atlas Governance

In the administrative area of Atlas Governance, the AD SSO feature and the tenant configuration must be enabled.

2) Consent

To enable the SSO function in Atlas Governance, the Azure AD administrator must consent to the permissions requested by the application.

The "Atlas Governance OAuth" application requires permissions:

[Screenshot: permissions requested by the "Atlas Governance OAuth" application]

3) Domain settings

The above permissions are delegated: they give the application the ability to act as the signed-in user only within these domains, and they can be revoked at any time. Upon consent, a service principal is created in the directory, which enables the connection process.

Atlas Governance requires that all domains used by the SSO in the directory be specified in the Administrative Area.

Domains are automatically obtained during the configuration process, using the Microsoft Graph "Organization Get" endpoint available with the User.Read permission, which allows you to obtain directory details (https://docs.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http).
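
To show what that endpoint returns and how a domain list derived from it can gate sign-ins, here is an added example (not Atlas Governance's code). The sample response is constructed, and `directory_domains` and `sign_in_allowed` are hypothetical helper names; the exact-match policy is an assumption.

```python
import json

# Constructed sample shaped like a Microsoft Graph GET /v1.0/organization
# response (trimmed). Tenant ID and domain names are placeholders.
SAMPLE_ORG_RESPONSE = json.loads("""
{
  "value": [{
    "id": "00000000-0000-0000-0000-000000000000",
    "displayName": "Example Corp",
    "verifiedDomains": [
      {"name": "example.onmicrosoft.com", "isDefault": false, "isInitial": true, "type": "Managed"},
      {"name": "example.com", "isDefault": true, "isInitial": false, "type": "Managed"},
      {"name": "Example.org", "isDefault": false, "isInitial": false, "type": "Federated"}
    ]
  }]
}
""")


def directory_domains(org_response):
    """Return (tenant_id, set of lower-cased verified domain names)."""
    orgs = org_response.get("value", [])
    if len(orgs) != 1:
        raise ValueError("expected exactly one organization object")
    org = orgs[0]
    names = {d["name"].lower() for d in org.get("verifiedDomains", []) if d.get("name")}
    return org["id"], names


def sign_in_allowed(tenant_id, username, expected_tenant, allowed_domains):
    """Accept a sign-in only if the tenant and the account's domain both match.

    Assumed policy: exact domain match (subdomains are not implied) and a
    username with exactly one '@'.
    """
    if tenant_id.lower() != expected_tenant.lower():
        return False  # account comes from a directory that was not configured
    if username.count("@") != 1:
        return False  # malformed name such as "a@example.com@other.test"
    local, domain = username.split("@")
    if not local or not domain:
        return False
    return domain.lower() in allowed_domains
```

Comparing the list returned for your own directory against the domains shown in the Administrative Area is a quick way to confirm that only expected domains were registered.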

If you need more information, we are available to answer all your questions. Always count on Atlas!
