
Configure Federated Authentication from Azure AD

This guide shows you how to configure federated authentication using Azure AD as your IdP.

After integrating Azure AD and Atlas, you can use your company's credentials to log in to Atlas and other MongoDB cloud services.

Atlas doesn't support single sign-on integration for database users. To configure Atlas to authenticate and authorize database users from Azure AD using LDAP, see Configure User Authentication and Authorization with Azure AD Domain Services.

To use Azure AD as an IdP for Atlas, you must have:

  • An Azure subscription. To obtain a subscription, visit the Microsoft Azure portal.
  • An Azure AD tenant associated with your subscription. For information about setting up an Azure AD tenant, see the Azure AD Documentation.
  • A Premium P2 license for Azure AD.
  • Global Administrator privileges in your Azure AD tenant.
  • A custom, routable domain name.

If you haven't already, use the Azure console to add your custom domain name to Azure AD and create users:

1

Add your custom domain name to Azure AD to create users that belong to your domain. After you add your domain, you must also add the Azure AD DNS information in a TXT record with your DNS provider and verify the configuration.

To add your custom domain to Azure AD, see the Azure documentation.

2

If they don't exist already, create the Azure AD users that you want to grant access to Atlas. Users must belong to the custom domain you added to Azure AD. (These are Atlas console users; as noted above, database users cannot authenticate through this SAML integration.)

To create Azure AD users, see the Azure documentation.

Use the Azure console to configure Azure AD as a SAML IdP. You can either add the MongoDB Cloud app from the Gallery or configure an application manually.

1

To add the MongoDB Cloud app to your Azure AD tenant, see the Azure documentation.

2

Assign users to the application. These users will have access to Atlas and other MongoDB cloud services when you complete the tutorial.

To assign Azure AD users to an application, see the Azure documentation.

3

To navigate to the SAML configuration page, see the Azure documentation.

Important:

Don't edit the fields in the Basic SAML Configuration section. You get this information from Atlas later in the tutorial.

4

In the SAML Signing Certificate section, click Download next to Certificate (Base64).

You upload this signing certificate to the MongoDB Federation Management Console later in the tutorial.

5

Copy the Login URL and Azure AD Identifier values that Azure displays for the application and paste them into a text editor or another easily accessible location.

You enter these values in the MongoDB Federation Management Console later in the tutorial.

Use the Federation Management Console and the Azure console to add Azure AD as an IdP:

1
  1. Log in to Atlas.
  2. Use the dropdown at the top-left of Atlas to select the organization for which you want to manage federation settings.
  3. Click Settings in the left navigation pane.
  4. In Manage Federation Settings, click Visit Federation Management App.
2
  1. Click Add Identity Providers.
  2. If you do not have any Identity Providers configured yet, click Setup Identity Provider. Otherwise, on the Identity Providers screen, click Add Identity Provider.
  3. Enter or select the following SAML Protocol Settings. All fields are required:

    Configuration Name: Enter a descriptive name, such as Azure AD.
    IdP Issuer URI: Paste the Azure AD Identifier you copied from Azure earlier in the tutorial (it has the form https://sts.windows.net/<tenant ID>/).
    IdP Single Sign-On URL: Paste the Login URL you copied from Azure earlier in the tutorial.
    IdP Signature Certificate: Upload the Base64-encoded SAML signing certificate you downloaded from Azure earlier in the tutorial.
    Request Binding: Select HTTP POST.
    Response Signature Algorithm: Select SHA-256.
    Apply to Organizations: Select organizations to connect to this IdP. When users authenticate through Azure AD for the first time, Atlas grants them membership in the selected organizations. Manage organization mapping to choose what role these users have within the selected organizations.
  4. Click Next.
3
  1. Click Download metadata. You upload this file to Azure AD in the next step.
  2. Click Finish.
4

To upload the file, see the Azure documentation.

5

To confirm your configuration, see the Azure documentation.
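When the round trip fails after this step, the first thing to compare is the SAML response Azure AD actually sent against the values you entered in the Federation Management Console: the Issuer must equal the IdP Issuer URI, the assertion must be signed with RSA-SHA256 (matching the Response Signature Algorithm you selected), and the Destination and Audience must be the Atlas endpoints from the metadata you downloaded. The Python script below is an added diagnostic written for this page; it is not part of the tutorial and not how Atlas itself validates responses. The tenant ID, the Atlas ACS and SP URLs, and the sample response are constructed placeholders, and the script checks field values only; it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed configuration values (placeholders, not a real tenant or real Atlas endpoints).
# ISSUER_URI is what you entered as IdP Issuer URI (Azure AD Identifier, https://sts.windows.net/<tenant-id>/).
# ACS_URL and AUDIENCE stand in for the values in the Atlas metadata file.
ISSUER_URI = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
ACS_URL = "https://auth.mongodb.example/sso/saml2/acs"
AUDIENCE = "https://auth.mongodb.example/sso/saml2/sp"

# Constructed sample response with the element layout Azure AD emits; the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://auth.mongodb.example/sso/saml2/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      </ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@mongodb.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://auth.mongodb.example/sso/saml2/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAML timestamp: %r" % value)


def check_saml_response(xml_text, issuer_uri, acs_url, audience, now):
    """Return a list of mismatches between the response and the configured values (empty = consistent).

    Field checks only: the XML signature itself is NOT verified here."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not the Atlas ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (encrypted assertions are not handled here)")
        return problems
    # Both the Response and the Assertion carry an Issuer; both must be the configured IdP Issuer URI.
    for where, element in (("Response", root), ("Assertion", assertion)):
        issuer = element.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != issuer_uri:
            problems.append("%s Issuer does not match the configured IdP Issuer URI" % where)
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Assertion carries no ds:Signature")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("SignatureMethod %r is not rsa-sha256" % method.get("Algorithm"))
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Assertion has no Conditions")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("Assertion is not yet valid (NotBefore)")
        if not_on_or_after is None or now >= parse_saml_time(not_on_or_after):
            problems.append("Assertion is expired or has no NotOnOrAfter")
        aud = conditions.find("saml:AudienceRestriction/saml:Audience", NS)
        if aud is None or (aud.text or "").strip() != audience:
            problems.append("Audience does not match the Atlas SP entity ID")
    return problems


if __name__ == "__main__":
    # Evaluate the constructed sample at a time inside its validity window.
    at = parse_saml_time("2024-01-01T00:30:00Z")
    print(check_saml_response(SAMPLE_RESPONSE, ISSUER_URI, ACS_URL, AUDIENCE, at) or "consistent")
```

Run it against a response captured from the browser's SAML tracer with `now` set to the capture time, not the current time, or an otherwise valid assertion reports as expired. On responses you did not construct yourself, parse with defusedxml rather than xml.etree, and use a real SAML library (python3-saml, xmlsec) if you need the signature checked against the certificate you uploaded.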

Mapping your domain to the IdP lets Atlas know that users from your domain should be directed to the Login URL for your identity provider configuration.

When users visit the Atlas login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.

Important:

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or
  • Log in using the Login URL associated with the desired IdP .

Use the Federation Management Console to map your domain to the IdP:

1
  1. Log in to Atlas.
  2. Use the dropdown at the top-left of Atlas to select the organization for which you want to manage federation settings.
  3. Click Settings in the left navigation pane.
  4. In Manage Federation Settings, click Visit Federation Management App.
2
  1. Click Add a Domain.
  2. On the Domains screen, click Add Domain.
  3. Enter the following information for your domain mapping:

    Display Name: Name to easily identify the domain.
    Domain Name: Domain name to map.
  4. Click Next.
3
Note:

You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.

Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:

Upload an HTML file containing a verification key to verify that you own your domain.

  1. Click HTML File Upload.
  2. Click Next.
  3. Download the mongodb-site-verification.html file that Atlas provides.
  4. Upload the HTML file to a website on your domain. You must be able to access the file at <https://host.domain>/mongodb-site-verification.html.
  5. Click Finish.
4

The Domains screen displays both unverified and verified domains you've mapped to your IdP. To verify your domain, click the target domain's Verify button. Atlas shows whether the verification succeeded in a banner at the top of the screen.
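Before clicking Verify, it is worth confirming that the file is reachable exactly where Atlas will look for it. The Python script below is an added check written for this page, not code from the tutorial or from Atlas: it builds the HTTPS URL from the Domain Name you mapped, fetches it with redirects refused (a redirect to some other host would mean the proof is not being served by your domain at all), and compares the served bytes with the file Atlas gave you. The function names and the distinction between an exact match and a whitespace-only difference are my own; how strictly Atlas itself compares the file is not stated on this page.

```python
import urllib.error
import urllib.request

# The path is fixed by Atlas; the host is the one you entered as Domain Name.
VERIFICATION_PATH = "/mongodb-site-verification.html"


def is_bare_hostname(host):
    """True for something like mongodb.com or www.mongodb.com: no scheme, path, port or userinfo."""
    host = host.strip().lower().rstrip(".")
    if not host or any(ch in host for ch in "/:@ \t?#"):
        return False
    labels = host.split(".")
    return all(label and all(c.isalnum() or c == "-" for c in label) for label in labels)


def verification_url(host):
    """Build the HTTPS URL at which the verification file must be reachable."""
    if not is_bare_hostname(host):
        raise ValueError("expected a bare hostname, got %r" % host)
    return "https://%s%s" % (host.strip().lower().rstrip("."), VERIFICATION_PATH)


def compare_bodies(served, expected):
    """Classify how the served bytes relate to the file downloaded from Atlas."""
    if served == expected:
        return "exact"
    if served.split() == expected.split():
        return "whitespace-only"  # typically CRLF vs LF or a trailing newline added by the web server
    return "mismatch"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: proof of control must come from the mapped host itself,
    not from wherever a redirect happens to point."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect to %s refused" % newurl, headers, fp)


def fetch_verification_file(host, timeout=10):
    """Fetch the file over HTTPS; the TLS certificate is validated by urllib's default context."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(verification_url(host), timeout=timeout) as resp:
        return resp.getcode(), resp.headers.get("Content-Type", ""), resp.read()


if __name__ == "__main__":
    import sys

    # usage: python check_verification.py host.domain /path/to/mongodb-site-verification.html
    host, local_path = sys.argv[1], sys.argv[2]
    with open(local_path, "rb") as fh:
        expected = fh.read()
    try:
        status, content_type, body = fetch_verification_file(host)
    except urllib.error.HTTPError as exc:
        sys.exit("HTTP %s for %s: %s" % (exc.code, verification_url(host), exc.reason))
    print("HTTP", status, content_type, "->", compare_bodies(body, expected))
```

A "whitespace-only" result usually points at line-ending conversion or a server that appends a newline; a "mismatch" on a 200 response usually means a catch-all page (for example an SPA index) is being served instead of the file.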

After successfully verifying your domain, use the Federation Management Console to associate the domain with Azure AD:

Important:

Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Atlas organization.

While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.

To learn more about Bypass SAML Mode, see Bypass SAML Mode.

Use the Federation Management Console to test the integration between your domain and Azure AD. Open the Atlas login page and enter the email address of a user in your verified domain.

Example:

If your verified domain is mongodb.com, enter alice@mongodb.com.

If you mapped your domain correctly, you're redirected to your IdP to authenticate. If authenticating with your IdP succeeds, you're redirected back to Atlas.

Note:

You can bypass the Atlas login page by navigating directly to your IdP's Login URL. The Login URL takes you directly to your IdP to authenticate.

Use the Federation Management Console to assign your domain's users access to specific Atlas organizations:

1
  1. Log in to Atlas.
  2. Use the dropdown at the top-left of Atlas to select the organization for which you want to manage federation settings.
  3. Click Settings in the left navigation pane.
  4. In Manage Federation Settings, click Visit Federation Management App.
2
  1. Click View Organizations.

    Atlas displays all organizations where you are an Organization Owner.

    Organizations which are not already connected to the Federation Application have a Connect button in the Actions column.

  2. Click the desired organization's Connect button.
3

From the Organizations screen in the management console:

  1. Click the Name of the organization you want to map to an IdP.
  2. On the Identity Provider screen, click Apply Identity Provider.

    Atlas directs you to the Identity Providers screen which shows all IdPs you have linked to Atlas.

  3. For the IdP you want to apply to the organization, click Modify.
  4. At the bottom of the Edit Identity Provider form, select the organizations to which this IdP applies.
  5. Click Next.
  6. Click Finish.
4
  1. Click Organizations in the left navigation.
  2. In the list of Organizations, ensure that your desired organization(s) now have the expected Identity Provider.

You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:

Note:

The following advanced options for federated authentication require you to map an organization.

All users you assigned to the Azure application can log in to Atlas using their Azure AD credentials on the Login URL. Users have access to the organizations you mapped to your IdP.


If you selected a default organization role, new users who log in to Atlas using the Login URL have the role you specified.
