
Leverage Federated Authentication from Kubernetes


Atlas Kubernetes Operator supports using federated authentication for your Atlas organization.

Note

You can't use Atlas Kubernetes Operator to set up an IdP. To set up an IdP, see Configure Database Deployment Authentication and Authorization.

Once you set up your IdP, you can use Atlas Kubernetes Operator to manage the role mappings for users who authenticate through that IdP.

To configure federated authentication through the Atlas Kubernetes Operator, you must specify and update the AtlasFederatedAuth Custom Resource.

When you create the AtlasFederatedAuth custom resource, Atlas Kubernetes Operator uses the Federated Authentication API Resource to update the organization configuration for the federation. In the organization configuration, you specify the federation settings for your Atlas organization, such as the organization settings and the role mappings.

The AtlasFederatedAuth custom resource is not required to map database users to an IdP, whether that is an existing authentication IdP or a workload or workforce IdP. You can use the AtlasDatabaseUser custom resource to manage database users; in it you specify the authentication method used for a given database user. The AtlasDatabaseUser custom resource must be configured in conjunction with federated authentication to associate users and roles in the IdP with users and groups in MongoDB.

You can use federated authentication without the AtlasFederatedAuth custom resource, provided that you have configured federated authentication elsewhere in Atlas.

Prerequisites

Before you can use Atlas Kubernetes Operator to configure federated authentication, you must have:

Update an Organization Configuration

To configure federated authentication through the Atlas Kubernetes Operator, update the organization configuration for your federation by specifying the AtlasFederatedAuth Custom Resource.

The following example configures an AtlasFederatedAuth custom resource that does the following:

  • Enables federated authentication for the organization linked to the specified secret.

  • Adds my-org-domain.com as an approved domain.

  • Enables domain restriction for the organization.

  • Disables debugging for SSO.

  • Grants the Organization Member role to users after authenticating.

  • Maps the Organization Owner role for the organization and applies the role mapping to an IdP group named org-admin.

  • Maps the Organization Project Creator role for the organization and the Project Owner role for the project named dev-project, and applies the role mapping to an IdP group named dev-team.

To learn more, see Parameters.

Note

The spec.roleMappings.roleAssignments parameter must include at least one organization role within the current organization or the projects in the organization.

Example:

cat <<EOF | kubectl apply -f -
apiVersion: atlas.mongodb.com/v1
kind: AtlasFederatedAuth
metadata:
  name: atlas-default-federated-auth
  namespace: mongodb-atlas-system
spec:
  enabled: true
  dataAccessIdentityProviders:
    - 32b6e34b3d91647abb20e7b8
    - 42d8v92k5a34184rnv93f0c1
  connectionSecretRef:
    name: my-org-secret
    namespace: mongodb-atlas-system
  domainAllowList:
    - my-org-domain.com
  domainRestrictionEnabled: true
  ssoDebugEnabled: false
  postAuthRoleGrants:
    - ORG_MEMBER
  roleMappings:
    - externalGroupName: org-admin
      roleAssignments:
        - role: ORG_OWNER
    - externalGroupName: dev-team
      roleAssignments:
        - role: ORG_GROUP_CREATOR
        - projectName: dev-project
          role: GROUP_OWNER
EOF
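Before applying a manifest like the one above, it is worth checking it against the rule in the note (every roleMappings entry needs at least one organization role or a project role in the organization) and against the settings a reviewer looks at first: SSO debugging, domain restriction, and which IdP groups receive Organization Owner. The following Python script is an added example and not Atlas Kubernetes Operator code. It holds the page's manifest as the dictionary that yaml.safe_load would produce, so it runs without a YAML library; the ORG_ROLES and PROJECT_ROLES sets are an assumption drawn only from the roles used on this page, not a complete list of Atlas roles, and the check functions are hypothetical helpers.

```python
"""Pre-apply checks for an AtlasFederatedAuth manifest (added example).

MANIFEST is the page's example expressed as the dict that yaml.safe_load
would return. ORG_ROLES and PROJECT_ROLES are assumptions limited to the roles
that appear on the page; extend them from the Atlas role list for your setup.
"""

ORG_ROLES = {"ORG_OWNER", "ORG_MEMBER", "ORG_GROUP_CREATOR"}  # assumption
PROJECT_ROLES = {"GROUP_OWNER"}  # assumption

MANIFEST = {
    "apiVersion": "atlas.mongodb.com/v1",
    "kind": "AtlasFederatedAuth",
    "metadata": {"name": "atlas-default-federated-auth", "namespace": "mongodb-atlas-system"},
    "spec": {
        "enabled": True,
        "dataAccessIdentityProviders": ["32b6e34b3d91647abb20e7b8", "42d8v92k5a34184rnv93f0c1"],
        "connectionSecretRef": {"name": "my-org-secret", "namespace": "mongodb-atlas-system"},
        "domainAllowList": ["my-org-domain.com"],
        "domainRestrictionEnabled": True,
        "ssoDebugEnabled": False,
        "postAuthRoleGrants": ["ORG_MEMBER"],
        "roleMappings": [
            {"externalGroupName": "org-admin", "roleAssignments": [{"role": "ORG_OWNER"}]},
            {"externalGroupName": "dev-team", "roleAssignments": [
                {"role": "ORG_GROUP_CREATOR"},
                {"projectName": "dev-project", "role": "GROUP_OWNER"},
            ]},
        ],
    },
}


def check_role_mappings(spec):
    """Return problems with spec.roleMappings, enforcing the page's note:
    each mapping must carry at least one organization role or a project role."""
    problems = []
    for mapping in spec.get("roleMappings", []):
        group = mapping.get("externalGroupName", "<unnamed>")
        assignments = mapping.get("roleAssignments", [])
        if not assignments:
            problems.append(f"{group}: roleAssignments is empty")
            continue
        satisfied = False
        for assignment in assignments:
            role = assignment.get("role")
            if "projectName" in assignment:
                # Project-scoped assignment: the role must be a project role.
                if role in PROJECT_ROLES:
                    satisfied = True
                else:
                    problems.append(f"{group}: {role!r} is not a project role")
            elif role in ORG_ROLES:
                satisfied = True
            else:
                problems.append(f"{group}: {role!r} is not an organization role")
        if not satisfied:
            problems.append(f"{group}: no valid organization or project role")
    return problems


def check_hardening(spec):
    """Review points worth raising before the resource is applied."""
    findings = []
    if spec.get("ssoDebugEnabled"):
        findings.append("ssoDebugEnabled is true; keep SSO debugging off outside troubleshooting")
    if not spec.get("domainRestrictionEnabled"):
        findings.append("domainRestrictionEnabled is false; domainAllowList is not enforced")
    if not spec.get("domainAllowList"):
        findings.append("domainAllowList is empty")
    for mapping in spec.get("roleMappings", []):
        for assignment in mapping.get("roleAssignments", []):
            if assignment.get("role") == "ORG_OWNER":
                group = mapping.get("externalGroupName", "<unnamed>")
                findings.append(f"{group} is granted ORG_OWNER; confirm membership of that IdP group is tightly controlled")
    return findings


def validate(manifest):
    """Return (problems, findings): problems block the apply, findings need review."""
    if manifest.get("kind") != "AtlasFederatedAuth":
        return ["kind must be AtlasFederatedAuth"], []
    spec = manifest.get("spec", {})
    return check_role_mappings(spec), check_hardening(spec)


if __name__ == "__main__":
    problems, findings = validate(MANIFEST)
    print("problems:", problems)
    print("findings:", findings)
```

Run against the page's manifest, the script reports no problems and one finding: the org-admin group is mapped to ORG_OWNER, which is the assignment to verify most carefully on the IdP side, since membership of that group now decides who owns the Atlas organization.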

To check on the status of the update process, run the following command:

kubectl get atlasfederatedauth -o yaml

Atlas Kubernetes Operator returns the custom resource and includes a status section that resembles the following example:

status:
  conditions:
    - type: Ready
      status: True
    - type: RolesReady
      status: True
    - type: UsersReady
      status: True
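An automated pipeline that applies the resource usually wants to wait for that status rather than read it by eye, and it should report which of the three conditions is missing or false rather than only "not ready". The Python helper below is an added example and not Operator code. STATUS_SAMPLE mirrors the status output above as the dictionary that kubectl get -o yaml would produce after yaml.safe_load; STATUS_PENDING is a constructed sample of an incomplete reconcile, and its reason and message fields are assumed (standard Kubernetes condition fields that this page does not show).

```python
"""Interpret status.conditions of an AtlasFederatedAuth resource (added example)."""

EXPECTED_CONDITIONS = ("Ready", "RolesReady", "UsersReady")

# The page's status output as a dict (what yaml.safe_load would return).
STATUS_SAMPLE = {
    "status": {
        "conditions": [
            {"type": "Ready", "status": "True"},
            {"type": "RolesReady", "status": "True"},
            {"type": "UsersReady", "status": "True"},
        ]
    }
}

# Constructed sample of an unfinished reconcile; reason/message values are made up.
STATUS_PENDING = {
    "status": {
        "conditions": [
            {"type": "Ready", "status": "False", "reason": "ReconcilePending",
             "message": "roles not yet synced"},
            {"type": "RolesReady", "status": "False"},
        ]
    }
}


def _is_true(value):
    # Kubernetes serialises a condition status as the string "True"/"False"/"Unknown";
    # a YAML loader may hand back a bool for an unquoted value, so accept both.
    return value is True or str(value).lower() == "true"


def federation_status(obj):
    """Return (ready, details): ready is True only when every expected condition
    is reported and True; details lists each condition that is not."""
    conditions = {c.get("type"): c for c in obj.get("status", {}).get("conditions", [])}
    details = []
    for name in EXPECTED_CONDITIONS:
        cond = conditions.get(name)
        if cond is None:
            details.append(f"{name}: not reported yet")
        elif not _is_true(cond.get("status")):
            extra = " ".join(x for x in (cond.get("reason", ""), cond.get("message", "")) if x)
            details.append(f"{name}: {cond.get('status')}" + (f" ({extra})" if extra else ""))
    return (not details, details)


if __name__ == "__main__":
    for label, obj in (("sample", STATUS_SAMPLE), ("pending", STATUS_PENDING)):
        ready, details = federation_status(obj)
        print(label, "ready" if ready else "not ready", details)
```

Treating a missing condition as "not ready" matters: immediately after kubectl apply the status block may not exist yet, and a check that only looks for status: False would wrongly pass.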

To learn about the available parameters for this resource, see AtlasFederatedAuth Custom Resource.
