Docs Menu
Docs Home
/
MongoDB Atlas
/
Configure UI Access
/
Authentication
/
Federated

Configure Federated Authentication from PingOne

On this page

  • Required Access
  • Prerequisites
  • Procedures
  • Configure PingOne as an Identity Provider
  • (Optional) Map an Organization
  • (Optional) Configure Advanced Federated Authentication Options
  • Sign in to Atlas Using Your Login URL

This guide shows you how to configure federated authentication using PingOne as your IdP.

After integrating PingOne and Atlas, you can use your company's credentials to log in to Atlas and other MongoDB cloud services.

Required Access

To manage federated authentication, you must have Organization Owner access to one or more organizations that are delegating federation settings to the instance.

Prerequisites

To use PingOne as an IdP for Atlas, you must have:

  • A PingOne subscription. To obtain a subscription, visit PingOne.

  • A PingOne user with administrative privileges. To grant a user administrative privileges, see Managing administrators. Alternatively, you cam use the default administrative user created upon activation of your PingOne account.

Procedures

Configure PingOne as an Identity Provider

Use the PingOne admin console to configure PingOne as a SAML IdP.

1

Download your PingOne origination certificate.

  1. In your PingOne account, log in to the Administrator environment.

  2. In the top navigation bar, click Setup.

  3. In the secondary navigation bar, click Certificates. A PingOne Account Origination Certificate with an expiration date displays.

  4. Click the expander arrow to the right of the expiration date and click Download.

2

Configure the SAML application.

  1. In the top navigation bar, click Applications.

  2. In the My Applications tab, click the Add Application dropdown menu and select New SAML Application.

  3. Enter a name to identify the app, such as "MongoDB Atlas", in the Application Name field.

  4. Enter a description of the application in the Application Description field.

  5. Select a category for the application from the Category drop-down menu.

  6. Click Continue to Next Step.

3

Open the Federation Management Console.

  1. In Atlas, go to the Organization Settings page.

    1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

    2. Click the Organization Settings icon next to the Organizations menu.

      The Organization Settings page displays.

  2. In Federated Authentication Settings, click Open Federation Management App.

4

Provide PingOne credentials to Atlas.

  1. Click Identity Providers in the left-hand pane. If you have previously configured an IdP, click Add Identity Provider in the upper-right corner of the page, then click Setup Identity Provider. If you have not previously configured an IdP, click Setup Identity Provider.

  2. On the Configure Identity Provider screen, enter the following information:

    Field
    Value
    Configuration Name
    Descriptive label that identifies the configuration
    Issuer URI
    Fill with Placeholder Values
    Single Sign-On URL
    Fill with Placeholder Values
    Identity Provider Signature Certificate
    Certificate you received from PingOne in a prior step
    Request Binding
    HTTP POST
    Response Signature Algorithm
    SHA-256

  3. Click the Next button to see the values for the PingOne configuration.

5

On the PingOne configuration page, click I have the SAML configuration at the top and enter the values from the Atlas FMC.

Field
Value
Signing Certificate
Certificate that you received from PingOne in a prior step
Protocol Version
SAML v2.0
Assertion Consumer Service
The Assertion Consumer Service URL from the Atlas FMC
Entity ID
The Audience URI from the Atlas FMC
Application URL
Leave blank
Single Logout Endpoint
Leave blank
Single Logout Response Endpoint
Leave blank
Single Logout Binding Type
Leave blank
Primary Verification Certificate
Do not select a certificate.
Encrypt Assertion
Unchecked
Signing
Sign Assertion
Signing Algorithm
RSA_SHA256
Force Re-authentication
Unchecked
6

In the PingOne configuration, click Continue to Next Step.

7

Add application attributes.

  1. For each attribute, click Add new attribute.

  2. Provide the following values for the application attributes:

    Application Attribute
    Identity Bridge Attribute or Literal Value
    As Literal
    SAML_SUBJECT
    Email
    Unchecked
    firstName
    First Name
    Unchecked
    lastName
    Last Name
    Unchecked

  3. For each attribute, click Advanced.

  4. Add your Name ID Format.

    You can have the following formats:

    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  5. Click Continue to Next Step.

8

Add the user groups for which you wish to enable federated authentication and click Continue to Next Step.

9

On the Review Setup page, note the Issuer and idpid values for use in a later step.

10

In the Atlas FMC, click Finish. On the Identity Providers screen, click Modify for the PingOne provider you created earlier.

11

Replace the placeholder values you assigned earlier with the following values:

Field
Value
Issuer URI
Issuer value that you noted earlier.
Single Sign-On URL
URL that connects to Single Sign-On: https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<IDP_ID> where <IDP_ID> is the idpid value you noted earlier.
12

Click Next, then click Finish.

13

On the PingOne configuration page, click Finish.

Map your Domain

Mapping your domain to the IdP lets Atlas know that users from your domain should be directed to the Login URL for your identity provider configuration.

When users visit the Atlas login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

Use the Federation Management Console to map your domain to the IdP:

1

Open the FMC.

  1. In Atlas, go to the Organization Settings page.

    1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

    2. Click the Organization Settings icon next to the Organizations menu.

      The Organization Settings page displays.

  2. In Manage Federation Settings, click Open Federation Management App.

2

Enter domain mapping information.

  1. Click Add a Domain.

  2. On the Domains screen, click Add Domain.

  3. Enter the following information for your domain mapping:

    Field
    Description
    Display Name
    Label to easily identify the domain.
    Domain Name
    Domain name to map.

  4. Click Next.

3

Choose your domain verification method.

Note

You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.

Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:

Upload an HTML file containing a verification key to verify that you own your domain.

  1. Click HTML File Upload.

  2. Click Next.

  3. Download the mongodb-site-verification.html file that Atlas provides.

  4. Upload the HTML file to a web site on your domain. You must be able to access the file at <https://host.domain>/mongodb-site-verification.html.

  5. Click Finish.

Create a DNS TXT record with your domain provider to verify that you own your domain. Each DNS record associates a specific Atlas organization with a specific domain.

  1. Click DNS Record.

  2. Click Next.

  3. Copy the provided TXT record. The TXT record has the following form:

    mongodb-site-verification=<32-character string>

  4. Log in to your domain name provider (such as GoDaddy.com or networksolutions.com).

  5. Add the TXT record that Atlas provides to your domain.

  6. Return to Atlas and click Finish.

4

Verify your domain.

The Domains screen displays both unverified and verified domains you've mapped to your IdP. To verify your domain, click the target domain's Verify button. Atlas shows whether the verification succeeded in a banner at the top of the screen.

Associate Your Domain with Your Identity Provider

After successfully verifying your domain, use the Federation Management Console to associate the domain with PingOne:

1

Click Identity Providers in the left navigation.

2

For the IdP you want to associate with your domain, click Edit next to Associated Domains.

3

Select the domain you want to associate with the IdP.

4

Click Confirm.

Test Your Domain Mapping

Important

Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Atlas organization.

While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.

To learn more about Bypass SAML Mode, see Bypass SAML Mode.

Use the Federation Management Console to test the integration between your domain and PingOne:

1

In a private browser window, navigate to the Atlas log in page.

2

Enter a username (usually an email address) with your verified domain.

Example

If your verified domain is mongodb.com, use an email address of the form username@mongodb.com.

3

Click Next. If you mapped your domain correctly, you'll be redirected to your IdP to authenticate. Upon successful authentication, you'll be redirected back to Atlas.

Note

You can bypass the Atlas log in page by navigating directly to your IdP Login URL.

(Optional) Map an Organization

Use the Federation Management Console to assign your domain's users access to specific Atlas organizations:

1

In Atlas, go to the Organization Settings page.

  1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

  2. Click the Organization Settings icon next to the Organizations menu.

    The Organization Settings page displays.

2

Open the Federation Management Console.

In Manage Federation Settings, click Open Federation Management App.

3

Connect an organization to the Federation Application.

  1. Click View Organizations.

    Atlas displays all organizations where you are an Organization Owner.

    Organizations which are not already connected to the Federation Application have Connect button in the Actions column.

  2. Click the desired organization's Connect button.

4

Apply an Identity Provider to the organization.

From the Organizations screen in the management console:

  1. Click the Name of the organization you want to map to an IdP.

  2. On the Identity Provider screen, click Apply Identity Provider.

    Atlas directs you to the Identity Providers screen which shows all IdPs you have linked to Atlas.

  3. For the IdP you want to apply to the organization, click Add Organizations.

  4. In the Apply Identity Provider to Organizations modal, select the organizations to which this IdP applies.

  5. Click Confirm.

5

Connect an organization to the Federation Application.

  1. Click Organizations in the left navigation.

  2. In the list of Organizations, ensure that your desired organizations now have the expected Identity Provider.

(Optional) Configure Advanced Federated Authentication Options

You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:

Note

The following advanced options for federated authentication require you to map an organization.

Sign in to Atlas Using Your Login URL

All users that you assign to the PingOne application can log in to Atlas using their PingOne credentials on the Login URL. Users have access to the organizations you mapped to your IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

If you select a default organization role, new users who log in to Atlas using the Login URL have the role you specify.

Back

Okta

Next

Advanced Options