- Security >
- Configure Federated Authentication >
- Configure Federated Authentication from Azure AD
Configure Federated Authentication from Azure AD¶
This guide shows you how to configure federated authentication using Azure AD as your IdP.
After integrating Azure AD and Cloud Manager, you can use your company’s credentials to log in to Cloud Manager and other MongoDB cloud services.
Limitations¶
Cloud Manager doesn’t support single sign-on integration for database users.
Prerequisites¶
To use Azure AD as an IdP for Cloud Manager, you must have:
- An Azure subscription. To obtain a subscription, visit the Microsoft Azure portal.
- An Azure AD tenant associated with your subscription. For information about setting up an Azure AD tenant, see the Azure AD Documentation.
Global Administrator
privileges in your Azure AD tenant.- A custom, routable domain name.
Procedures¶
Add Domain users¶
If you haven’t already, use the Azure console to add your custom domain name to Azure AD and create users:
Add your custom domain to Azure AD.¶
Add your custom domain name to
Azure AD to create users that belong
to your domain. After you add your domain, you must also add the
Azure AD DNS information in a TXT
record with your DNS provider and verify the configuration.
To add your custom domain to Azure AD, see the Azure documentation.
Create Azure AD Users.¶
If they don’t exist already, create users in Azure AD that you want to grant database access to. Users must belong to the custom domain you added to Azure AD.
To create Azure AD users, see the Azure documentation.
Configure Azure AD as an Identity Provider¶
Use the Azure console to configure Azure AD as a SAML IdP. You can either add the MongoDB Cloud app from the Gallery or configure an application manually.
- Use the MongoDB Cloud Gallery App
- Configure an App Manually
Add the MongoDB Cloud app from the gallery.¶
To add the MongoDB Cloud app to your Azure AD tenant, see the Azure documentation.
Assign users to the application.¶
Assign users to the application. These users will have access to Cloud Manager and other MongoDB cloud services when you complete the tutorial.
To assign Azure AD users to an application, see the Azure documentation.
Set temporary values for the Identifier and Reply URL.¶
To generate a valid SAML signing certificate, you must assign temporary values to the Identifier and Reply URL for your Azure AD enterprise application. If you download the certificate before setting these values, the downloaded certificate won’t be unique and you must download the certificate again after setting these values.
To set the temporary values:
Click Edit in Section 1.
Remove any existing default values and set the following temporary values:
Setting Temporary Value Identifier (Entity ID) https://www.okta.com/saml2/service-provider/MongoDBCloud
Reply URL (Assertion Consumer Service URL). https://auth.mongodb.com/sso/saml2/
Click Save.
Refresh the browser page to ensure that the certificate is regenerated.
The certificate’s thumbprint and expiration date change from the values they held after the temporary Identifier and Reply URL are updated for the first time.
Download the SAML signing certificate encoded in Base64
.¶
In the SAML Signing Certificate section, click Download next to Certificate (Base64).
You upload this signing certificate to the MongoDB Federation Management Console later in the tutorial.
Optional: Add group claims to the SAML token.¶
Skip this step if you won’t use role mapping.
To use role mapping, add the following group claim to the SAML token that Azure AD sends to Cloud Manager:
- Click Add a group claim. Azure displays the Group Claims panel.
- In Which groups associated with the user should be returned in the claim?, click Security groups. The groups that you can select depend on the type of groups you configured in your Azure environment. You might need to select a different type of group to send the appropriate group information.
- From the Source attribute dropdown, select Group Id. If you select Group Id, Azure sends the security group’s Object ID and not the human-readable group name. Depending on your Azure environment, you may have the option to select a different source attribute which sends the group name instead. When creating role mappings in Cloud Manager, match the Azure group data sent in the SAML response to the configured MongoDB Atlas role mapping name.
- Click Customize the name of the group claim in the Advanced options section.
- Set Name to memberOf.
- Leave Namespace blank.
- Clear Emit groups as role claims.
- Click Save.
Copy the values of the Login URL and Azure AD Identifier fields.¶
Paste these values into a text editor or another easily accessible location.
You enter these values in the MongoDB Federation Management Console later in the tutorial.
Add a non-gallery application to Azure AD.¶
Give the application a descriptive name, like MongoDB-Cloud-Manager
.
To add a non-gallery application to Azure AD, see the Azure documentation.
Assign users to the application.¶
Assign users to the application. These users will have access to Cloud Manager and other MongoDB cloud services when you complete the tutorial.
To assign Azure AD users to an application, see the Azure documentation.
Navigate to the SAML configuration page to begin configuring single sign-on.¶
To navigate to the SAML configuration page, see the Azure documentation.
Set temporary values for the Identifier and Reply URL.¶
To generate a valid SAML signing certificate, you must assign temporary values to the Identifier and Reply URL for your Azure AD enterprise application. If you download the certificate before setting these values, the downloaded certificate won’t be unique and you must download the certificate again after setting these values.
To set the temporary values:
Click Edit in Section 1.
Remove any existing default values and set the following temporary values:
Setting Temporary Value Identifier (Entity ID) https://www.okta.com/saml2/service-provider/MongoDBCloud
Reply URL (Assertion Consumer Service URL). https://auth.mongodb.com/sso/saml2/
Click Save.
Refresh the browser page to ensure that the certificate is regenerated.
The certificate’s thumbprint and expiration date change from the values they held after the temporary Identifier and Reply URL are updated for the first time.
Optional: Delete the Additional Claims.¶
To simplify the SAML configuration, you can delete the default Additional claims:
- In the User Attributes & Claims section, click the Edit icon.
- For each claim in the Additional claims section, expand the Context menu, then click Delete.
Edit the Unique User Identifier required claim.¶
Use the following values:
Choose name identifier format:
Unspecified
Source:
Attribute
Source attribute:
user.userprincipalname
Note
Depending on your Active Directory configuration, the source attribute you use may be different. Use the source attribute that contains a user’s full email address.
To edit the Unique User Identifier required claim, see the Azure documentation.
Add user claims to the SAML token.¶
Add the following user claims to the SAML token Azure AD sends to Cloud Manager:
Important
The values in the Name column are case-sensitive. Enter them exactly as shown.
You must leave the Namespace
field empty for all user claims.
Name | Source | Source Attribute |
---|---|---|
firstName |
Attribute | user.givenname |
lastName |
Attribute | user.surname |
email |
Attribute | user.userprincipalname |
Note
Depending on your Active Directory configuration, the source attributes you use may be different. Use the source attributes that contain a user’s first name, last name, and full email address for the appropriate claims.
To add user claims, see the Azure documentation.
Optional: Add group claims to the SAML token.¶
Skip this step if you won’t use role mapping.
To use role mapping, add the following group claim to the SAML token that Azure AD sends to Cloud Manager:
- Click Add a group claim. Azure displays the Group Claims panel.
- In Which groups associated with the user should be returned in the claim?, click Security groups. The groups that you can select depend on the type of groups you configured in your Azure environment. You might need to select a different type of group to send the appropriate group information.
- From the Source attribute dropdown, select Group Id. If you select Group Id, Azure sends the security group’s Object ID and not the human-readable group name. Depending on your Azure environment, you may have the option to select a different source attribute which sends the group name instead. When creating role mappings in Cloud Manager, match the Azure group data sent in the SAML response to the configured MongoDB Atlas role mapping name.
- Click Customize the name of the group claim in the Advanced options section.
- Set Name to memberOf.
- Leave Namespace blank.
- Clear Emit groups as role claims.
- Click Save.
Verify that the SAML signing certificate uses SHA-256
.¶
To verify that the SAML signing certificate uses the SHA-256
signing algorithm, see the Azure documentation.
Download the SAML signing certificate encoded in Base64
.¶
In the SAML Signing Certificate section, click Download next to Certificate (Base64).
You upload this signing certificate to the MongoDB Federation Management Console later in the tutorial.
Copy the values of the Login URL and Azure AD Identifier fields.¶
Paste these values into a text editor or another easily accessible location.
You enter these values in the MongoDB Federation Management Console later in the tutorial.
Add Azure AD as an Identity Provider in Cloud Manager¶
Use the Federation Management Console and the Azure console to add Azure AD as an IdP:
Open the Federation Management Console.¶
- Log in to Cloud Manager.
- Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
- Click Settings in the left navigation pane.
- In Manage Federation Settings, click Visit Federation Management App.
Add Azure AD to Cloud Manager as an Identity Provider.¶
Click Add Identity Providers
If you do not have any Identity Providers configured yet, click Setup Identity Provider. Otherwise, On the Identity Providers screen, click Add Identity Provider.
Enter or select the following SAML Protocol Settings. All fields are required:
Field Description Configuration Name Enter a descriptive name, such as Azure AD
.IdP Issuer URI Paste the Azure AD Identifier you copied from Azure earlier in the tutorial. IdP Single Sign-On URL Paste the Login URL you copied from Azure earlier in the tutorial. IdP Signature Certificate Upload the
Base64
-encoded SAML signing certificate you downloaded from Azure earlier in the tutorial.You can either:
- Upload the certificate from your computer, or
- Paste the contents of the certificate into a text box.
Request Binding Select HTTP POST. Response Signature Algorithm Select SHA-256. Click Next.
Download the metadata file with details that recognize MongoDB as a Service Provider.¶
- Click Download metadata. You upload this file to Azure AD in the next step.
- Click Finish.
Upload the metadata file to Azure to finish configuring Azure AD as an IdP.¶
To upload the file, see the screenshot in step 3 of Enable single sign-on for an app in the Azure documentation. Click Upload metadata file on the SSO configuration page, as shown in the screenshot in the linked Azure documentation.
Optionally, add a RelayState URL to your IdP to send users to a URL you choose and avoid unnecessary redirects after login. You can use:
Destination | RelayState URL |
---|---|
MongoDB MongoDB Atlas | The Login URL that was generated for your identity provider configuration in the MongoDB Atlas Federation Management App. |
MongoDB Support Portal | |
MongoDB University | |
MongoDB Community Forums | |
MongoDB Feedback Engine | |
MongoDB JIRA |
Map your Domain¶
Mapping your domain to the IdP lets Cloud Manager know that users from your domain should be directed to the Login URL for your identity provider configuration.
When users visit the Cloud Manager login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.
Important
You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.
To log in using an alternative identity provider, users must either:
- Initiate the MongoDB Cloud login through the desired IdP, or
- Log in using the Login URL associated with the desired IdP.
Use the Federation Management Console to map your domain to the IdP:
Open the Federation Management Console.¶
- Log in to Cloud Manager.
- Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
- Click Settings in the left navigation pane.
- In Manage Federation Settings, click Visit Federation Management App.
Enter domain mapping information.¶
Click Add a Domain.
On the Domains screen, click Add Domain.
Enter the following information for your domain mapping:
Field Description Display Name Name to easily identify the domain. Domain Name Domain name to map. Click Next.
Choose how to verify your domain.¶
Note
You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.
Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:
- Upload HTML File
- Create DNS Record
Upload an HTML file containing a verification key to verify that you own your domain.
- Click HTML File Upload.
- Click Next.
- Download the
mongodb-site-verification.html
file that Cloud Manager provides. - Upload the HTML file to a web site on your domain. You
must be able to access the file at
<https://host.domain>/mongodb-site-verification.html
. - Click Finish.
Create a DNS TXT record with your domain provider to verify that you own your domain. Each DNS record associates a specific Cloud Manager organization with a specific domain.
Click DNS Record.
Click Next.
Copy the provided TXT record. The TXT record has the following form:
Log in to your domain name provider (such as GoDaddy.com or networksolutions.com).
Add the TXT record that Cloud Manager provides to your domain.
Return to Cloud Manager and click Finish.
Verify your domain.¶
The Domains screen displays both unverified and verified domains you’ve mapped to your IdP. To verify your domain, click the target domain’s Verify button. Cloud Manager shows whether the verification succeeded in a banner at the top of the screen.
Associate Your Domain with Your Identity Provider¶
After successfully verifying your domain, use the Federation Management Console to associate the domain with Azure AD:
For the IdP you want to associate with your domain, click pencil icon next to Associated Domains.¶
Select the domain you want to associate with the IdP.¶
Click Confirm.¶
Test Your Domain Mapping¶
Important
Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Cloud Manager organization.
While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.
To learn more about Bypass SAML Mode, see Bypass SAML Mode.
Use the Federation Management Console to test the integration between your domain and Azure AD:
Enter a username (usually an email address) with your verified domain.¶
Example
If your verified domain is mongodb.com
, enter
alice@mongodb.com
.
Click Next.¶
If you mapped your domain correctly, you’re redirected to your IdP to authenticate. If authenticating with your IdP succeeds, you’re redirected back to Cloud Manager.
Note
You can bypass the Cloud Manager log in page by navigating directly to your IdP’s Login URL. The Login URL takes you directly to your IdP to authenticate.
(Optional) Map an Organization¶
Use the Federation Management Console to assign your domain’s users access to specific Cloud Manager organizations:
Open the Federation Management Console.¶
- Log in to Cloud Manager.
- Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
- Click Settings in the left navigation pane.
- In Manage Federation Settings, click Visit Federation Management App.
Connect an organization to the Federation Application.¶
Click View Organizations.
Cloud Manager displays all organizations where you are an
Organization Owner
.Organizations which are not already connected to the Federation Application have Connect button in the Actions column.
Click the desired organization’s Connect button.
Apply an Identity Provider to the organization.¶
From the Organizations screen in the management console:
Click the Name of the organization you want to map to an IdP.
On the Identity Provider screen, click Apply Identity Provider.
Cloud Manager directs you to the Identity Providers screen which shows all IdPs you have linked to Cloud Manager.
For the IdP you want to apply to the organization, click Modify.
At the bottom of the Edit Identity Provider form, select the organizations to which this IdP applies.
Click Next.
Click Finish.
Connect an organization to the Federation Application.¶
- Click Organizations in the left navigation.
- In the list of Organizations, ensure that your desired organization(s) now have the expected Identity Provider.
(Optional) Configure Advanced Federated Authentication Options¶
You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:
Note
The following advanced options for federated authentication require you to map an organization.
Sign in to Cloud Manager Using Your Login URL¶
All users you assigned to the Azure application can log in to Cloud Manager using their Azure AD credentials on the Login URL. Users have access to the organizations you mapped to your IdP.
Important
You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.
To log in using an alternative identity provider, users must either:
- Initiate the MongoDB Cloud login through the desired IdP, or
- Log in using the Login URL associated with the desired IdP.
If you selected a default organization role, new users who log in to Cloud Manager using the Login URL have the role you specified.