Configure Federated Authentication¶
MongoDB Federated Authentication links your credentials across many MongoDB systems. Atlas implements authentication using the Federated Identity Management model.
Using the FIM model:
- Your company manages your credentials using an Identity Provider (IdP). With its IdP, your company can enable you to authenticate with other services across the web.
- You configure MongoDB Atlas to authenticate using data passed from your IdP.
This goes beyond SSO as your IdP manages your credentials, not MongoDB. Your users can use Atlas without needing to remember another username and password.
To link your IdP to Atlas you provide each with the appropriate metadata. After you link your IdP to Atlas, map domains, organizations, and roles to your IdP:
- Domain Mapping
- Atlas routes users with email addresses that use mapped domains to the associated IdP.
- Organization Mapping
- Atlas grants users who log in through the IdP access to mapped Atlas organizations.
- Role Mapping
- As part of the organization mapping, you can choose which role to grant your users. These roles map to groups in your IdP.
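The following block models the three mappings above (domain, organization, role) so you can see how the lookups fit together and where a sloppy implementation would go wrong. It is an added example, not Atlas code, and it does not claim to reproduce how Atlas matches domains or groups internally; the `IdPConfig` structure, the helper names and the sample IdP data are assumptions constructed for illustration.

```python
"""Illustrative model of federated login routing and authorization.

Added example, not Atlas code. Data structures, helper names and the
sample IdP configuration below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IdPConfig:
    name: str
    domains: frozenset[str]                # mapped e-mail domains, lower-case
    org_roles: dict[str, dict[str, str]]   # org id -> {IdP group -> Atlas role}


# Constructed sample configuration (assumption): one IdP, two mapped domains,
# role mappings for a single organization. Org id is a placeholder.
SAMPLE_IDPS = [
    IdPConfig(
        name="corp-idp",
        domains=frozenset({"example.com", "example.org"}),
        org_roles={
            "org-example-1": {
                "atlas-admins": "ORG_OWNER",
                "atlas-readers": "ORG_READ_ONLY",
            }
        },
    )
]


def email_domain(email: str) -> str | None:
    """Return the domain part of an address, lower-cased, or None if malformed.

    Exactly one '@' is required so that 'user@example.com@evil' is rejected
    rather than matched on either half.
    """
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain:
        return None
    return domain.lower()


def route_login(email: str, idps: list[IdPConfig]) -> IdPConfig | None:
    """Domain mapping: select the IdP whose mapped domains contain the exact
    domain of the address. The comparison is exact, not a suffix match, so
    'attacker-example.com' never matches 'example.com' and an unmapped
    subdomain such as 'sub.example.com' falls through. None means the user is
    not federated and would use the regular login flow."""
    dom = email_domain(email)
    if dom is None:
        return None
    for idp in idps:
        if dom in idp.domains:
            return idp
    return None


def authorize(idp: IdPConfig, org_id: str, groups: list[str]) -> set[str]:
    """Organization and role mapping: only organizations mapped to this IdP are
    reachable, and roles are derived solely from mapped groups. Groups with no
    mapping contribute nothing, so an unexpected group never escalates access."""
    mapping = idp.org_roles.get(org_id)
    if mapping is None:
        return set()
    return {mapping[g] for g in groups if g in mapping}


if __name__ == "__main__":
    idp = route_login("Alice@Example.com", SAMPLE_IDPS)
    print(idp.name if idp else "not federated")
    print(authorize(SAMPLE_IDPS[0], "org-example-1", ["atlas-readers", "hr"]))
```

The two points worth carrying into a real deployment are the exact, case-insensitive domain comparison in `route_login` and the fact that `authorize` returns an empty set for unmapped groups or unmapped organizations, so access is denied by default rather than granted by fallthrough.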
Federation Management Access¶
You can manage federated authentication from the Federation Management Console. You can access the console as long as you are an Organization Owner in one or more organizations that are delegating federation settings to the instance.
To open the Federation Management console:
Navigate to the Settings page for your organization.¶
- If it is not already displayed, select your desired organization from the Organizations menu in the navigation bar.
- Click the Organization Settings icon next to the Organizations menu.
Navigate to the Federation Management App.¶
In the Setup Federated Login or Manage Federation Settings section, click Visit Federation Management App.
To configure federated authentication from the Federation Management console in Atlas, you must:
- Click Manage Identity Providers and Link an Identity Provider to Atlas to ensure that your users are authenticated through your trusted IdP.
- Click Manage Domains and Map Domains to your Identity Provider to simplify the login experience for users from specified domains. Atlas authenticates users through a mapped IdP if their email address matches a mapped domain.
After federating authentication, you can simplify user authorization. In the Federation Management console, click Manage Organizations. You can perform these activities:
End-to-end tutorials on implementing federated authentication:
Consideration for Two-Factor Authentication¶
When you configure federated authentication and users authenticate through your IdP, Atlas 2FA for those users is bypassed. If a user authenticates through your IdP and has 2FA enabled for their Atlas account, Atlas does not prompt the user for 2FA. Any multi-factor requirement for federated users must therefore be enforced by your trusted IdP; configure the IdP to prompt users for 2FA.