Manage Mapping Cloud Manager Roles to IdP Groups¶
You can map your IdP groups to Cloud Manager roles, which streamlines authorization setup. Granting one IdP group one or more roles lets you manage that group's access to Cloud Manager organizations, projects, and clusters in one place instead of per user.
Note
You can’t edit roles for specific users on the Access Manager page if you configure role mappings for IdP groups.
Role Mapping Process¶
Cloud Manager applies the role mappings when you log in.
Cloud Manager compares the IdP groups listed in the user's memberOf SAML attribute to the role mappings defined for your organizations. These organizations must use the same IdP that the user used to authenticate.
Cloud Manager applies the mapped roles to federated users if you defined role mappings.
Cloud Manager applies the default role if:
- You haven’t defined role mappings, or
- Role mappings would result in a user without any roles.
Organization role mappings define federated users' Cloud Manager access. If a federated user logs in but no longer belongs to an IdP group that is mapped to a role in an organization, Cloud Manager removes that mapped role from the user in that organization and its projects. The federated user may still belong to other IdP groups, and the roles mapped to those groups still apply.
Example
Consider a scenario where a user belongs to the admin IdP group. You have configured a role mapping of admin to the Organization Owner role in Organization A. If you remove that user from the admin IdP group, Cloud Manager removes that user's Organization Owner role when the user next logs in.
Every project must have at least one user that has the Project Owner role. Cloud Manager won't remove a role if removing it would leave the project without an owner.
Every organization must have at least one user that has the Organization Owner role. Cloud Manager won't remove a role if removing it would leave the organization without an owner.
Prerequisites¶
To complete this tutorial, you must have:
- Created an IdP application. This application must emit a SAML attribute named memberOf. Map this attribute to the IdP's source attribute for group membership. The values of this attribute link the user's IdP groups to your Cloud Manager roles.
- Linked an IdP to Cloud Manager.
- Mapped an organization to your IdP.
- Created at least one group in your IdP.
- Added at least one user in your IdP application to a group you created.
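The following is an added example, not Cloud Manager's own code. It models the login flow described under Role Mapping Process and the memberOf prerequisite above: it extracts group names from the memberOf attribute of a (constructed) SAML assertion, resolves them against an organization's role mappings, falls back to the default role when no mapping matches, and refuses to strip an owner role from its last holder. Group names, the project name, role names and the mapping table are all constructed for illustration.

```python
"""Model of Cloud Manager's role-mapping login flow (added example, not
Cloud Manager's code). All names and data below are constructed."""

from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# A role is (scope, name); scope is "org" or "project:<project name>".
Role = tuple[str, str]

# Constructed assertion fragment: the IdP sends one AttributeValue per group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>dbas</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_from_assertion(xml_text: str, attribute: str = "memberOf") -> set[str]:
    """Return the group names carried in the named SAML attribute."""
    root = ET.fromstring(xml_text)
    groups: set[str] = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return groups


def is_owner_role(role: Role) -> bool:
    scope, name = role
    return (scope == "org" and name == "Organization Owner") or (
        scope.startswith("project:") and name == "Project Owner")


@dataclass
class Organization:
    role_mappings: dict[str, set[Role]]          # IdP group name -> mapped roles
    default_roles: set[Role]                     # used when no mapping yields a role
    assignments: dict[str, set[Role]] = field(default_factory=dict)  # user -> roles

    def holders(self, role: Role) -> set[str]:
        return {u for u, roles in self.assignments.items() if role in roles}

    def login(self, user: str, groups: set[str]) -> set[Role]:
        """Recompute the user's roles from current group membership, as at each login."""
        mapped: set[Role] = set()
        for group, roles in self.role_mappings.items():
            if group in groups:
                mapped |= roles
        new_roles = mapped if mapped else set(self.default_roles)
        # Last-owner protection: an owner role is kept if this user is its only holder.
        for role in self.assignments.get(user, set()) - new_roles:
            if is_owner_role(role) and self.holders(role) == {user}:
                new_roles.add(role)
        self.assignments[user] = new_roles
        return new_roles


def demo() -> dict[str, set[Role]]:
    """Walk through the page's example with constructed groups and roles."""
    org = Organization(
        role_mappings={
            "admin": {("org", "Organization Owner"), ("project:Inventory", "Project Owner")},
            "dbas": {("project:Inventory", "Project Data Access Admin")},
        },
        default_roles={("org", "Organization Member")},
    )
    org.login("alice", groups_from_assertion(SAMPLE_ASSERTION))  # admin and dbas
    org.login("bob", {"admin"})
    # alice is removed from admin in the IdP. bob still holds both owner roles,
    # so alice's owner roles are stripped at her next login.
    org.login("alice", {"dbas"})
    # bob is removed from admin too. He is now the last owner at both scopes,
    # so those roles survive even though only the default role was mapped.
    org.login("bob", set())
    # carol matches no mapping and receives only the default role.
    org.login("carol", {"interns"})
    return org.assignments


if __name__ == "__main__":
    for user, roles in demo().items():
        print(user, sorted(roles))
```

Running the script prints the final roles for alice, bob and carol; bob keeps Organization Owner and Project Owner alongside the default Organization Member role because nobody else holds them.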
Add Role Mappings in Your Organization and its Projects¶
Open the Federation Management Console.¶
- Log in to Cloud Manager.
- Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
- Click Settings in the left navigation pane.
- In Manage Federation Settings, click Visit Federation Management App.
Choose an organization in which you want to map roles.¶
Click Manage Organizations.
Cloud Manager displays all organizations where you are an Organization Owner in a table.
- Organizations already connected to federated authentication display a different option in the Actions column.
- Organizations not yet connected to federated authentication display Connect in the Actions column.
To map roles in an organization:
- Click Connect to enable federated authentication for that organization if needed.
- Click the menu icon for that organization and select View.
Assign Cloud Manager organization roles to the desired IdP group.¶
At the Map Group and Assign Roles stage:
| Section | Action |
|---|---|
| Enter Group Name | Type the name of the group exactly as it is displayed in your IdP (the value your IdP sends in the memberOf attribute). Cloud Manager assigns this group to your Cloud Manager roles. Note: if the IdP group doesn't exist, entering a new group name here does not create one in your IdP. |
| Assign Organization Roles | Click each Cloud Manager organization role that you want to assign to the IdP group. |
- If you don’t need to assign any Cloud Manager project roles to this IdP group, click Finish. You can skip the rest of this procedure.
- If you need to assign Cloud Manager project roles to this IdP group, click Next.
Assign project roles to the desired IdP group.¶
The Assign Project Roles stage displays a table. This table includes project names and the roles you can assign for those projects. For each project, click the project roles that you want to assign to the IdP group.
- If you don’t need to review the roles assigned to this IdP group, click Finish. You can skip the rest of this procedure.
- If you need to review the roles assigned to this IdP group, click Next.
Verify which roles have been assigned to the desired IdP group.¶
The Review and Confirm stage displays the organization and project roles assigned to the IdP group.
- If you agree with the roles assigned to this IdP group, click Finish.
- If you need to change the roles assigned to this IdP group, click the pencil icon. Cloud Manager returns to the Map Group and Assign Roles stage, described in step 4.
Edit Role Mappings in Your Organization and its Projects¶
Open the Federation Management Console.¶
- Log in to Cloud Manager.
- Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
- Click Settings in the left navigation pane.
- In Manage Federation Settings, click Visit Federation Management App.
Choose an organization in which you want to edit role mappings.¶
Click Manage Organizations.
Cloud Manager displays all organizations where you are an Organization Owner in a table. Click the menu icon next to the desired IdP Group Name and select View.
Navigate to the Create Role Mapping For Your Users page.¶
Click Create Role Mappings.
Cloud Manager displays the Organization Role Mappings page.
Click the pencil icon to the right of the IdP group you want to change.
Cloud Manager displays the Edit Your Role Mapping For This Organization page.
Change Cloud Manager organization roles in the desired IdP group.¶
At the Map Group and Assign Roles stage:
| Section | Action |
|---|---|
| Enter Group Name | Type the name of the group exactly as it is displayed in your IdP (the value your IdP sends in the memberOf attribute). Cloud Manager assigns this group to your Cloud Manager roles. Note: if the IdP group doesn't exist, entering a new group name here does not create one in your IdP. |
| Assign Organization Roles | Click each Cloud Manager organization role that you want to assign to the IdP group. |
- If you don’t need to assign any Cloud Manager project roles to this IdP group, click Finish. You can skip the rest of this procedure.
- If you need to assign Cloud Manager project roles to this IdP group, click Next.
Assign Cloud Manager project roles to the desired IdP group.¶
The Assign Project Roles stage displays a table. This table includes project names and the roles you can assign for those projects. For each project, click the project roles that you want to assign to the IdP group.
- If you don’t need to review the roles assigned to this IdP group, click Finish. You can skip the rest of this procedure.
- If you need to review the roles assigned to this IdP group, click Next.
Verify which Cloud Manager roles have been assigned to the desired IdP group.¶
The Review and Confirm stage displays the organization and project roles assigned to the IdP group.
- If you agree with the roles assigned to this IdP group, click Finish.
- If you need to change the roles assigned to this IdP group, click the pencil icon. Cloud Manager returns to the Map Group and Assign Roles stage, described in step 4.
Remove One Role Mapping in Your Organization and its Projects¶
Open the Federation Management Console.¶
- Log in to Cloud Manager.
- Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
- Click Settings in the left navigation pane.
- In Manage Federation Settings, click Visit Federation Management App.
Choose an organization in which you want to remove role mappings.¶
Click Manage Organizations.
Cloud Manager displays all organizations where you are an Organization Owner in a table.
- Organizations already connected to federated authentication display a different option in the Actions column.
- Organizations not yet connected to federated authentication display Connect in the Actions column.
To open the role mappings for an organization:
- Click Connect to enable federated authentication for that organization if needed.
- Click the menu icon for that organization and select View.