Manage Identity Providers

Federated Authentication links your credentials across many systems. You can authenticate to Atlas and other MongoDB cloud services using your company’s credentials through an Identity Provider (IdP). This authentication flow ensures a unified login experience for your users and reduces the number of credentials they have to remember.

The following procedure walks you through linking an IdP to Atlas.

Federation Management Access

You can manage federated authentication from the Federation Management Console. You can access the console as long as you are an Organization Owner in one or more organizations that are delegating federation settings to the instance.

Procedure

Two-Stage Configuration

Depending on your Identity Provider, linking it to a Service Provider like Atlas involves a circular dependency. To link your IdP to Atlas:

  • Your IdP needs values from Atlas and
  • Atlas needs values from your IdP.

To simplify setup, Atlas prompts you to enter placeholder values for the IdP and Atlas configurations. You will replace these values later in the procedure.

Configure An External Identity Provider Application

To configure Federated Authentication, you must have an external SAML IdP application. In the SAML IdP, you must:

  1. Create a new application for Atlas.

  2. Configure initial SAML values for the new application:

    1. Set placeholder values for the following fields:

      • SP Entity ID or Issuer
      • Audience URI
      • Assertion Consumer Service (ACS) URL
    2. Set valid values for the following fields:

      Field: Value

      Signature Algorithm: The hash algorithm used in the IdP's signature. Atlas supports the following signature algorithm values:

      • SHA-1
      • SHA-256

      Name ID: Email Address
      Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    3. Create attributes with Attribute Names for the following Attribute Values:

      • firstName
      • lastName
      • email

      Note

      The names of these attributes are case sensitive. Type these attribute names as shown in camelCase.

    4. Save these values.

Once you have completed the initial setup for your IdP application, you link the IdP to Atlas to federate your users’ logins.
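As an added example (not part of the Atlas documentation), the following script checks a SAML assertion produced by the IdP against the requirements above: the exact camelCase attribute names firstName, lastName and email, the unspecified NameID format, and a SHA-256 rather than SHA-1 signature. The assertion it inspects is constructed test data.

```python
# Added example (not from the Atlas docs): check that an IdP's SAML assertion
# carries what Atlas expects: the exact camelCase attribute names firstName,
# lastName and email, the "unspecified" NameID format, and a SHA-256 rather
# than SHA-1 signature. The assertion below is constructed test data.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRS = ("firstName", "lastName", "email")  # case sensitive
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SHA1_SIG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

def check_assertion(xml_text):
    """Return a list of findings (an empty list means the assertion looks right)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Attribute names must match exactly; "FirstName" or "first_name" will not map.
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for required in REQUIRED_ATTRS:
        if required not in names:
            close = [n for n in names if n.lower() == required.lower()]
            hint = f" (found {close[0]!r}, but names are case sensitive)" if close else ""
            findings.append(f"missing attribute {required!r}{hint}")
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != NAMEID_FORMAT:
        findings.append("NameID format is not " + NAMEID_FORMAT)
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        findings.append("assertion is not signed")
    elif sig.get("Algorithm") == SHA1_SIG:
        findings.append("signature uses SHA-1; prefer SHA-256")
    return findings

# Constructed sample: the IdP misspelt one attribute and still signs with SHA-1.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `check_assertion(SAMPLE_ASSERTION)` reports the mis-cased attribute and the SHA-1 signature; the script only inspects the XML and does not verify the signature itself.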

Apply Your Identity Provider to Atlas

Prerequisite

This procedure assumes you already have an external IdP. To learn how to configure an IdP, see Configure An External Identity Provider Application.

You can configure Federated Authentication in Atlas from the Federation Management Console. Use this console to:

  • Configure Identity Providers to authenticate users belonging to specified organizations.
  • Connect Atlas Organizations to your IdP.
  • Verify and associate Domains with your IdP to force users to authenticate using that IdP.

Open the Management Console

  1. Log in to Atlas.
  2. From the Context dropdown in the left navigation, select the organization for which you want to manage federation settings.
  3. Click Settings in the left navigation.
  4. In Manage Federation Settings, click Visit Federation Management App.

From the Management Console:

  1. Click Add Identity Providers.

  2. If you do not have any Identity Providers configured yet, click Setup Identity Provider. Otherwise, on the Identity Providers screen, click Add Identity Provider.

  3. Enter or select the following SAML Protocol Settings. All fields are required:

    Field: Description

    Configuration Name: Name to identify this IdP configuration.
    Login URL: URL which serves as the Atlas login page. Give this URL to your users to have them bypass the main Atlas login page where they enter their username. This URL redirects users to the IdP Single Sign-On URL.
    IdP Issuer URI: Identifier for the issuer of the SAML Assertion.

    Note

    Specify a placeholder value for this field. Obtain the real value for this field from your IdP once you have supplied it with the Atlas metadata.

    IdP Single Sign-On URL: URL of the receiver of the SAML AuthNRequest.

    Note

    Specify a placeholder value for this field. Obtain the real value for this field from your IdP once you have supplied it with the Atlas metadata.

    IdP Signature Certificate: PEM-encoded public key certificate of the IdP. You can obtain this value from your IdP.
    Request Binding: SAML Authentication Request Protocol binding used to send the AuthNRequest. Can be either:

    • HTTP POST
    • HTTP REDIRECT

    Response Signature Algorithm: Algorithm the IdP uses to sign the SAML response. Can be either:

    • SHA-256
    • SHA-1

    Apply to Organizations: Organizations to connect to this IdP. When users authenticate through the IdP for the first time, Atlas grants them membership in the selected organizations. Manage organization mapping to choose what role these users have within the selected organizations.
  4. Click Next.

Configure Your Identity Provider with Atlas Metadata

Having set up your IdP in Atlas, you can provide the required Atlas metadata to your IdP.

  1. On the Identity Provider screen in Atlas, click Download metadata to download the metadata required by your IdP. Atlas provides the data as an .xml file.

    Image showing how to download metadata

    Note

    Atlas provides the Assertion Consumer Service URL and Audience URI if you wish to manually copy and save these values. These values are included in the metadata download.

  2. Upload the metadata to your IdP.

    You now have the necessary information to replace the placeholder IdP Issuer URI and IdP Single Sign-On URL values set when you set up the initial IdP mapping in Atlas.

  3. In Atlas, modify the placeholder values set for IdP Issuer URI and IdP Single Sign-On URL for the linked IdP with the proper values from your IdP.

  4. Return to Atlas and click Finish.
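The real values that replace the placeholders in step 3 come from the IdP's own SAML metadata. As an added example (not part of the Atlas documentation), the script below reads an IdP metadata document and extracts the IdP Issuer URI, the IdP Single Sign-On URL matching the chosen Request Binding, and the IdP Signature Certificate as PEM, skipping a KeyDescriptor marked for encryption; the metadata shown is constructed test data with a placeholder certificate body.

```python
# Added example (not from the Atlas docs): extract the values the Atlas form asks
# for from an IdP's SAML metadata: IdP Issuer URI (entityID), IdP Single Sign-On
# URL for the chosen request binding, and the PEM IdP Signature Certificate.
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"HTTP POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "HTTP REDIRECT": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

def atlas_fields_from_idp_metadata(xml_text, request_binding="HTTP POST"):
    """Return a dict keyed by the Atlas field names, or raise ValueError."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    wanted = BINDINGS[request_binding]
    sso = [s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)
           if s.get("Binding") == wanted]
    if not sso:
        raise ValueError(f"IdP offers no {request_binding} single sign-on endpoint")
    # Use only a signing key (use="signing" or no 'use' attribute); an encryption key is wrong here.
    certs = [kd.find(".//ds:X509Certificate", NS) for kd in idp.iterfind("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    certs = [c for c in certs if c is not None and (c.text or "").strip()]
    if not certs:
        raise ValueError("metadata has no signing certificate")
    b64 = "".join(certs[0].text.split())  # metadata carries the DER body as bare base64
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----"
    return {"IdP Issuer URI": root.get("entityID"),
            "IdP Single Sign-On URL": sso[0],
            "IdP Signature Certificate": pem}

# Constructed sample metadata; the certificate bodies are placeholders, not real certs.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTIONKEYPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBSIGNINGCERTPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```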

Important

Once you link your IdP to Atlas, it shows as Inactive in the Federation Management Console until you map at least one domain to the IdP.

Next Steps

After you have successfully linked your IdP to Atlas, you must map one or more domains to your Identity Provider. Atlas authenticates users from these domains through your IdP.