Docs Menu

Docs HomeLaunch & Manage MongoDBMongoDB Atlas

Manage Organization Mapping for Federated Authentication

On this page

  • Required Access
  • Prerequisites
  • Map an Organization to your Identity Provider
  • Change an Organization's Mapped Identity Provider
  • (Optional) Configure Advanced Options for Your Organization
  • Disconnect an Organization from the Federation Application

When you map organizations to your Identity Provider, Atlas grants users who authenticate through the IdP membership in the selected organizations. You can give these users a default role in the mapped organizations. Organization mapping lets you configure a single IdP to grant users access to multiple Atlas organizations.

You can apply the same IdP to multiple organizations. You can assign each organization a single IdP.

To manage federated authentication, you must have Organization Owner access to one or more organizations that are delegating federation settings to the instance.

To complete this tutorial, you must have already linked an IdP to Atlas and mapped one or more domains to that IdP. For instructions on these procedures, see:

Note

Atlas creates an Organization's IdP certificate is about to expire alert automatically when you map an organization to an IdP provider. If you remove the mapping, Atlas deletes all instances of this alert.

1
  1. Log in to Atlas.

  2. Use the dropdown at the top-left of Atlas to select the organization for which you want to manage federation settings.

  3. Click Settings in the left navigation pane.

  4. In Manage Federation Settings, click Visit Federation Management App.

2
  1. Click View Organizations.

    Atlas displays all organizations where you are an Organization Owner.

    Organizations which are not already connected to the Federation Application have Connect button in the Actions column.

  2. Click the desired organization's Connect button.

3

From the Organizations screen in the management console:

  1. Click the Name of the organization you want to map to an IdP.

  2. On the Identity Provider screen, click Apply Identity Provider.

    Atlas directs you to the Identity Providers screen which shows all IdPs you have linked to Atlas.

  3. For the IdP you want to apply to the organization, click Add Organizations.

  4. In the Apply Identity Provider to Organizations modal, select the organizations to which this IdP applies.

  5. Click Confirm.

4
  1. Click Organizations in the left navigation.

  2. In the list of Organizations, ensure that your desired organizations now have the expected Identity Provider.

Reconfigure your IdP to change the organizations to which it's mapped.

1
  1. Click Organizations in the left navigation.

  2. Click the Identity Provider of the organization whose IdP you wish to change.

  3. Click Modify for the IdP which is currently mapped to the organization.

  4. At the bottom of the Edit Identity Provider form, deselect the organization.

  5. Click Next.

  6. Click Finish.

2
  1. Click Modify for the IdP you want to map to the organization.

  2. At the bottom of the Edit Identity Provider form, select the organization.

  3. Click Next.

  4. Click Finish.

The following optional settings provide even greater control over user management and authentication in your organization.

You can assign users who authenticate through the IdP a default role in a mapped organization. Configuring this option ensures that users who authenticate through your IdP have the same set of permissions. This setting is not required for organization mapping.

For instructions on assigning a default role, see Assign a Default User Role for an Organization.

Note

The selected default role only applies to users who authenticate through the IdP if they do not have an Atlas role mapped to the IdP group already.

You can restrict access to your organization to an approved list of domains. This allows you to set the domains from which organization users can login without needing to directly map those domains to your IdP.

For instructions on restricting access by domain, see Restrict Access to an Organization by Domain.

When you disconnect an organization from the Federation Application, Atlas no longer grants membership or a default organization role to users who authenticate through the IdP.

From the Federation Management Console:

1
2
3
4
←  Manage Domain Mapping for Federated AuthenticationManage Mapping Atlas Roles to IdP Groups →