Manage Organization Mapping for Federated Authentication
On this page
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
When you map organizations to your Identity Provider, Cloud Manager grants users who authenticate through the IdP membership in the selected organizations. You can give these users a default role in the mapped organizations. Organization mapping lets you configure a single IdP to grant users access to multiple Cloud Manager organizations.
You can apply the same IdP to multiple organizations. You can assign each organization a single IdP.
Prerequisites
To complete this tutorial, you must have already linked an IdP to Cloud Manager and mapped one or more domains to that IdP. For instructions on these procedures, see:
Federation Management Access
You can manage federated authentication from the Federation
Management Console. You can access the console as long as you are an
Organization Owner
in one or more organizations that are
delegating federation settings to the instance.
Map an Organization to your Identity Provider
Note
MongoDB Cloud Manager creates an Organization's IdP certificate is about to expire alert automatically when you map an organization to an IdP provider. If you remove the mapping, MongoDB Cloud Manager deletes all instances of this alert.
In MongoDB Cloud Manager, go to the Organization Settings page.
If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Click the Organization Settings icon next to the Organizations menu.
The Organization Settings page displays.
Connect an organization to the Federation Application.
Click View Organizations.
Cloud Manager displays all organizations where you are an
Organization Owner
.Organizations which are not already connected to the Federation Application have Connect button in the Actions column.
Click the desired organization's Connect button.
Apply an Identity Provider to the organization.
From the Organizations screen in the management console:
Click the Name of the organization you want to map to an IdP.
On the Identity Provider screen, click Apply Identity Provider.
Cloud Manager directs you to the Identity Providers screen which shows all IdPs you have linked to Cloud Manager.
For the IdP you want to apply to the organization, click Modify.
At the bottom of the Edit Identity Provider form, select the organizations to which this IdP applies.
Click Next.
Click Finish.
Change an Organization's Mapped Identity Provider
Reconfigure your IdP to change the organizations to which it's mapped.
Unmap the current Identity Provider.
Click Organizations in the left navigation.
Click the Identity Provider of the organization whose IdP you wish to change.
Click Modify for the IdP which is currently mapped to the organization.
At the bottom of the Edit Identity Provider form, deselect the organization.
Click Next.
Click Finish.
(Optional) Configure Advanced Options for Your Organization
The following optional settings provide even greater control over user management and authentication in your organization.
Assign a Default User Role for Your Organization
You can assign users who authenticate through the IdP a default role in a mapped organization. Configuring this option ensures that users who authenticate through your IdP have the same set of permissions. This setting is not required for organization mapping.
For instructions on assigning a default role, see Assign a Default User Role for an Organization.
Note
The selected role only applies to users who authenticate through the IdP if they do not already have a role in the organization.
Restrict Access to an Organization by Domain
You can restrict access to your organization to an approved list of domains. This allows you to set the domains from which organization users can login without needing to directly map those domains to your IdP.
For instructions on restricting access by domain, see Restrict Access to an Organization by Domain.
Disconnect an Organization from the Federation Application
When you disconnect an organization from the Federation Application, Cloud Manager no longer grants membership or a default organization role to users who authenticate through the IdP.
From the Federation Management Console: