Docs Menu
Docs Home
/
MongoDB Atlas
/ / /

Configure Federated Authentication from Okta

On this page

  • Required Access
  • Prerequisites
  • Procedures
  • Configure Okta as an Identity Provider
  • (Optional) Map an Organization
  • (Optional) Configure Advanced Federated Authentication Options
  • Sign in to Atlas Using Your Login URL

This guide shows you how to configure federated authentication using Okta as your IdP.

After integrating Okta and Atlas, you can use your company's credentials to log in to Atlas and other MongoDB cloud services.

Note

If you are using Okta's built-in MongoDB Cloud app, you can use Okta's documentation.

If you are creating your own SAML app, use the procedures described here.

To manage federated authentication, you must have Organization Owner access to one or more organizations that are delegating federation settings to the instance.

To use Okta as an IdP for Atlas, you must have:

  • An Okta account.

  • A custom, routable domain name.

Throughout the following procedure, it is helpful to have one browser tab open to your Atlas Federation Management Console and one tab open to your Okta account.

1

Download your Okta origination certificate.

  1. In your Okta account, click Admin in the upper right corner to access the Administrator environment.

  2. In the left-hand pane, navigate to Applications -> Applications.

  3. Click Create App Integration. Select SAML 2.0 for the Sign-in method and click Next.

  4. Fill in the App name text field with your desired application name.

  5. Optionally, add a logo image and set app visibility. Click Next.

  6. On the Configure SAML screen, enter the following information:

    Field
    Value

    Single sign-on URL

    http://localhost

    Audience URI

    urn:idp:default

    Important

    These are placeholder values and are not intended for use in production. You will replace them in a later step.

    Leave the other fields empty or set to their default values and click Next at the bottom of the page.

  7. On the Feedback screen, select I'm an Okta customer adding an internal app and click Finish.

  8. At the bottom of the page under the heading SAML Signing Certificates, locate the newest certificate with a Status of Active--this is the certificate you just created.

    Click Actions and select Download certificate from the drop-down menu. The generated certificate is a .cert file. You must convert it to a .pem certificate for use later in this procedure. To do this, open a terminal of your choosing and run the following:

    openssl x509 -in path/to/mycert.crt -out path/to/mycert.pem -outform PEM
2
  1. In Atlas, go to the Organization Settings page.

    1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

    2. Click the Organization Settings icon next to the Organizations menu.

      The Organization Settings page displays.

  2. In Federated Authentication Settings, click Open Federation Management App.

3
  1. Click Identity Providers in the left-hand pane. If you have previously configured an IdP, click Add Identity Provider in the upper-right corner of the page, then click Setup Identity Provider. If you have not previously configured an IdP, click Setup Identity Provider.

  2. On the Configure Identity Provider screen, enter the following information:

    Field
    Value

    Configuration Name

    Descriptive label that identifies the configuration

    Issuer URI

    Fill with Placeholder Values

    Single Sign-On URL

    Fill with Placeholder Values

    Identity Provider Signature Certificate

    Certificate you received from Okta in a prior step

    Request Binding

    HTTP POST

    Response Signature Algorithm

    SHA-256

  3. Click the Next button to see the values for the Okta configuration.

  4. Click Finish.

4
  1. In your Okta account, return to the page for your SAML application and ensure the General tab is selected.

  2. In the SAML Settings pane, click Edit.

  3. On the General Settings page, click Next.

  4. On the Configure SAML screen, enter the following information:

    Okta Data Field
    Value

    Single sign on URL

    Assertion Consumer Service URL from the Atlas FMC.

    Checkboxes:

    • Check Use this for Recipient URL and Destination URL.

    • Clear Allow this app to request other SSO URLs.

    Audience URI (SP Entity ID)

    Audience URI from the Atlas FMC.

    Default RelayState

    Optionally, add a RelayState URL to your IdP to send users to a URL you choose and avoid unnecessary redirects after login. You can use:

    Destination
    RelayState URL

    MongoDB Atlas

    Login URL generated for your identity provider configuration in the Atlas Federation Management App.

    MongoDB Support Portal

    https://auth.mongodb.com/app/salesforce/exk1rw00vux0h1iFz297/sso/saml

    MongoDB University

    https://auth.mongodb.com/home/mongodb_thoughtindustriesstaging_1/0oadne22vtcdV5riC297/alndnea8d6SkOGXbS297

    MongoDB Community Forums

    https://auth.mongodb.com/home/mongodbexternal_communityforums_3/0oa3bqf5mlIQvkbmF297/aln3bqgadajdHoymn297

    MongoDB Feedback Engine

    https://auth.mongodb.com/home/mongodbexternal_uservoice_1/0oa27cs0zouYPwgj0297/aln27cvudlhBT7grX297

    MongoDB JIRA

    https://auth.mongodb.com/app/mongodbexternal_mongodbjira_1/exk1s832qkFO3Rqox297/sso/saml

    Name ID format

    Unspecified

    Application username

    Email

    Update application username on

    Create and update

  5. Click the Click Show Advanced Settings link in the Okta configuration page and ensure that the following values are set:

    Okta Data Field
    Value

    Response

    Signed

    Assertion Signature

    Signed

    Signature Algorithm

    RSA-SHA256

    Digest Algorithm

    SHA256

    Assertion Encryption

    Unencrypted

  6. Leave the remaining Advanced Settings fields in their default state.

  7. Scroll down to the Attribute Statements (optional) section and create four attributes with the following values:

    Name
    Name Format
    Value

    firstName

    Unspecified

    user.firstName

    lastName

    Unspecified

    user.lastName

    Important

    The values in the Name column are case-sensitive. Enter them exactly as shown.

    Note

    These values may be different if Okta is connected to an Active Directory. For the appropriate values, use the Active Directory fields that contain a user's first name, last name, and full email address.

  8. (Optional) If you plan to use role mapping, scroll down to the Group Attribute Statements (optional) section and create an attribute with the following values:

    Name
    Name Format
    Filter
    Value

    memberOf

    Unspecified

    Matches regex

    .*

    This filter matches all group names associated with the user. To filter the group names sent to Atlas further, adjust the Filter and Value fields.

  9. Click Next at the bottom of the page.

  10. On the Feedback screen, click Finish.

5

Replace placeholder values in the Atlas FMC.

  1. On the Okta application page, click View Setup Instructions in the middle of the page.

  2. In the Atlas FMC, navigate to the Identity Providers page. Locate your Okta and click Edit.

  3. Replace the placeholder values in the following fields:

    FMC Data Field
    Value

    Issuer URI

    Identity Provider Issuer value from the Okta Setup Instructions page.

    Single Sign-on URL

    Identity Provider Single Sign-On URL value from the Okta Setup Instructions page.

    Identity Provider Signature Certificate

    Copy the X.509 Certificate from the Okta Setup Instructions page and paste the contents directly.

  4. Click Next.

  5. Click Finish.

6

Assign users to your Okta application.

  1. On the Okta application page, click the Assignments tab.

  2. Ensure that all your Atlas organization users who will use Okta are enrolled.

Mapping your domain to the IdP lets Atlas know that users from your domain should be directed to the Login URL for your identity provider configuration.

When users visit the Atlas login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

Use the Federation Management Console to map your domain to the IdP:

1

Open the FMC.

  1. In Atlas, go to the Organization Settings page.

    1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

    2. Click the Organization Settings icon next to the Organizations menu.

      The Organization Settings page displays.

  2. In Manage Federation Settings, click Open Federation Management App.

2

Enter domain mapping information.

  1. Click Add a Domain.

  2. On the Domains screen, click Add Domain.

  3. Enter the following information for your domain mapping:

    Field
    Description

    Display Name

    Label to easily identify the domain.

    Domain Name

    Domain name to map.

  4. Click Next.

3

Choose your domain verification method.

Note

You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.

Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:

Upload an HTML file containing a verification key to verify that you own your domain.

  1. Click HTML File Upload.

  2. Click Next.

  3. Download the mongodb-site-verification.html file that Atlas provides.

  4. Upload the HTML file to a web site on your domain. You must be able to access the file at <https://host.domain>/mongodb-site-verification.html.

  5. Click Finish.

Create a DNS TXT record with your domain provider to verify that you own your domain. Each DNS record associates a specific Atlas organization with a specific domain.

  1. Click DNS Record.

  2. Click Next.

  3. Copy the provided TXT record. The TXT record has the following form:

    mongodb-site-verification=<32-character string>
  4. Log in to your domain name provider (such as GoDaddy.com or networksolutions.com).

  5. Add the TXT record that Atlas provides to your domain.

  6. Return to Atlas and click Finish.

4

Verify your domain.

The Domains screen displays both unverified and verified domains you've mapped to your IdP. To verify your domain, click the target domain's Verify button. Atlas shows whether the verification succeeded in a banner at the top of the screen.

After successfully verifying your domain, use the Federation Management Console to associate the domain with Okta:

1

Click Identity Providers in the left navigation.

2

For the IdP you want to associate with your domain, click Edit next to Associated Domains.

3

Select the domain you want to associate with the IdP.

4

Click Confirm.

Important

Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Atlas organization.

While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.

To learn more about Bypass SAML Mode, see Bypass SAML Mode.

Use the Federation Management Console to test the integration between your domain and Okta:

1

In a private browser window, navigate to the Atlas log in page.

2

Enter a username (usually an email address) with your verified domain.

Example

If your verified domain is mongodb.com, use an email address of the form username@mongodb.com.

3

Click Next. If you mapped your domain correctly, you'll be redirected to your IdP to authenticate. Upon successful authentication, you'll be redirected back to Atlas.

Note

You can bypass the Atlas log in page by navigating directly to your IdP Login URL.

Use the Federation Management Console to assign your domain's users access to specific Atlas organizations:

1
  1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

  2. Click the Organization Settings icon next to the Organizations menu.

    The Organization Settings page displays.

2

In Manage Federation Settings, click Open Federation Management App.

3
  1. Click View Organizations.

    Atlas displays all organizations where you are an Organization Owner.

    Organizations which are not already connected to the Federation Application have Connect button in the Actions column.

  2. Click the desired organization's Connect button.

4

From the Organizations screen in the management console:

  1. Click the Name of the organization you want to map to an IdP.

  2. On the Identity Provider screen, click Apply Identity Provider.

    Atlas directs you to the Identity Providers screen which shows all IdPs you have linked to Atlas.

  3. For the IdP you want to apply to the organization, click Add Organizations.

  4. In the Apply Identity Provider to Organizations modal, select the organizations to which this IdP applies.

  5. Click Confirm.

5
  1. Click Organizations in the left navigation.

  2. In the list of Organizations, ensure that your desired organizations now have the expected Identity Provider.

You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:

Note

The following advanced options for federated authentication require you to map an organization.

All users you assigned to the Okta application can log in to Atlas using their Okta credentials on the Login URL. Users have access to the organizations you mapped to your IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

If you selected a default organization role, new users who log in to Atlas using the Login URL have the role you specified.

Back

Google Workspace