Configure Federated Authentication from Okta
This guide shows you how to configure federated authentication using Okta as your IdP.
After integrating Okta and Atlas, you can use your company's credentials to log in to Atlas and other MongoDB cloud services.
If you are using Okta's built-in MongoDB Cloud app, you can use Okta's documentation.
If you are creating your own SAML app, use the procedures described here.
Prerequisites
To use Okta as an IdP for Atlas, you must have:
- An Okta account.
- A custom, routable domain name.
Procedures
Throughout the following procedure, it is helpful to have one browser tab open to your Atlas Federation Management Console and one tab open to your Okta account.
Configure Okta as an Identity Provider
Enter SAML settings
In the FMC dashboard, fill in the data fields with the following values:
| Field | Value |
| --- | --- |
| Configuration Name | A descriptive name of your choosing. |
| Issuer URI and Single Sign-On URL | Click the Fill With Placeholder Values button to the right of the text fields. You will get the real values from Okta in a later step. |
| Identity Provider Signature Certificate | Provide the .cer file you received from Okta earlier. You can either upload the certificate from your computer or paste the contents of the certificate into a text box. |
| Request Binding | HTTP POST |
| Response Signature Algorithm | SHA-256 |

- Click the Next button.
Create SAML Integration
In this step, copy values from the Atlas FMC to the Okta Create SAML Integration page.
| Okta Data Field | Value |
| --- | --- |
| Single sign on URL | Use the Assertion Consumer Service URL from the Atlas FMC. Checkboxes: check Use this for Recipient URL and Destination URL; clear Allow this app to request other SSO URLs. |
| Audience URI (SP Entity ID) | Use the Audience URI from the Atlas FMC. |
| Default RelayState | Optionally, add a RelayState URL to your IdP to send users to a URL you choose and avoid unnecessary redirects after login. You can use the RelayState URLs listed after this table. |

| Destination | RelayState URL |
| --- | --- |
| MongoDB Atlas | The Login URL that was generated for your identity provider configuration in the Atlas Federation Management App. |
| MongoDB Support Portal | https://auth.mongodb.com/app/salesforce/exk1rw00vux0h1iFz297/sso/saml |
| MongoDB University | https://university.mongodb.com |
| MongoDB Community Forums | https://auth.mongodb.com/home/mongodbexternal_communityforums_3/0oa3bqf5mlIQvkbmF297/aln3bqgadajdHoymn297 |
| MongoDB Feedback Engine | https://auth.mongodb.com/home/mongodbexternal_uservoice_1/0oa27cs0zouYPwgj0297/aln27cvudlhBT7grX297 |
| MongoDB JIRA | https://auth.mongodb.com/app/mongodbexternal_mongodbjira_1/exk1s832qkFO3Rqox297/sso/saml |

| Okta Data Field | Value |
| --- | --- |
| Name ID format | Unspecified |
| Application username | Email |
| Update application username on | Create and update |

Click the Show Advanced Settings link in the Okta configuration page and ensure that the following values are set:

| Okta Data Field | Value |
| --- | --- |
| Response | Signed |
| Assertion Signature | Signed |
| Signature Algorithm | RSA-SHA256 |
| Digest Algorithm | SHA256 |
| Assertion Encryption | Unencrypted |

- Leave the remaining Advanced Settings fields in their default state.
Scroll down to the Attribute Statements (optional) section and create four attributes with the following values:
| Name | Name Format | Value |
| --- | --- | --- |
| email | Unspecified | user.email |
| firstName | Unspecified | user.firstName |
| lastName | Unspecified | user.lastName |

Important: The values in the Name column are case-sensitive. Enter them exactly as shown.

Note: These values may be different if Okta is connected to an Active Directory. For the appropriate values, use the Active Directory fields that contain a user's first name, last name, and full email address.
(Optional) If you plan to use role mapping, scroll down to the Group Attribute Statements (optional) section and create an attribute with the following values:
| Name | Name Format | Filter | Value |
| --- | --- | --- | --- |
| memberOf | Unspecified | Matches regex | .* |
This filter matches all group names associated with the user. To filter the group names sent to Atlas further, adjust the Filter and Value fields.
- Click the Next button in the Okta configuration.
- Select the radio button marked I'm an Okta customer adding an internal app.
- Click the Finish button.
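To confirm that the Okta app emits what the settings above require, you can decode the SAMLResponse from a test login and check it against them. The following is an added example, not part of the MongoDB or Okta documentation; it checks structure only (signatures are not verified), and `check_response`, `build_sample` and the `example.invalid` URLs are hypothetical names and constructed values.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
REQUIRED_ATTRS = {"email", "firstName", "lastName"}  # case-sensitive, as in the guide
ACS, AUD = "https://sp.example.invalid/acs", "https://sp.example.invalid/audience"  # constructed

def check_response(xml_text, acs_url, audience_uri):
    """Report where a decoded SAML response differs from this guide's settings."""
    root = ET.fromstring(xml_text)  # constructed input; use a hardened parser for untrusted XML
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion (Assertion Encryption must be Unencrypted)"]
    problems = []
    for label, node in (("Response", root), ("Assertion", assertion)):
        # Presence and algorithms only: the signature itself is not verified here.
        info = node.find("ds:Signature/ds:SignedInfo", NS)
        if info is None:
            problems.append(f"{label} is not signed")
            continue
        for path, want, name in (("ds:SignatureMethod", RSA_SHA256, "RSA-SHA256"),
                                 ("ds:Reference/ds:DigestMethod", SHA256, "SHA256")):
            el = info.find(path, NS)
            if el is None or el.get("Algorithm") != want:
                problems.append(f"{label} does not use {name}")
    data = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if root.get("Destination") != acs_url or data is None or data.get("Recipient") != acs_url:
        problems.append("Destination/Recipient differ from the Assertion Consumer Service URL")
    aud = assertion.find("a:Conditions/a:AudienceRestriction/a:Audience", NS)
    if aud is None or (aud.text or "").strip() != audience_uri:
        problems.append("Audience differs from the Audience URI")
    names = {x.get("Name") for x in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    return problems + [f"attribute {n!r} missing" for n in sorted(REQUIRED_ATTRS - names)]

def build_sample(first_name_attr="firstName", sign_assertion=True):
    """Constructed sample response with empty signatures, for exercising the check."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
           f'<ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>'
           '</ds:SignedInfo></ds:Signature>')
    attrs = "".join(f'<a:Attribute Name="{n}"/>' for n in ("email", first_name_attr, "lastName"))
    ns = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())
    return (f'<p:Response {ns} Destination="{ACS}">{sig}<a:Assertion>'
            f'{sig if sign_assertion else ""}<a:Subject><a:SubjectConfirmation>'
            f'<a:SubjectConfirmationData Recipient="{ACS}"/></a:SubjectConfirmation></a:Subject>'
            f'<a:Conditions><a:AudienceRestriction><a:Audience>{AUD}</a:Audience>'
            f'</a:AudienceRestriction></a:Conditions><a:AttributeStatement>{attrs}'
            '</a:AttributeStatement></a:Assertion></p:Response>')
```

An empty list from `check_response` means the response matches the settings in this procedure; a wrongly cased attribute name such as `firstname` is reported as missing.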
Copy information back to the Atlas FMC
On the Okta application page, click View Setup Instructions in the middle of the page.
Note: The Okta setup instructions appear in a new browser tab.
- In the Atlas FMC, click the Finish button to return to the Identity Providers page. Click the Modify button for your newly created IdP.
Fill in the following text fields:
| FMC Data Field | Value |
| --- | --- |
| Issuer URI | Use the Identity Provider Issuer value from the Okta Setup Instructions page. |
| Single Sign-on URL | Use the Identity Provider Single Sign-On URL value from the Okta Setup Instructions page. |

- Close the Okta setup instructions browser tab.
- Click the Next button on the Atlas FMC page.
- Click the Finish button on the FMC Edit Identity Provider page.
Map your Domain
Mapping your domain to the IdP lets Atlas know that users from your domain should be directed to the Login URL for your identity provider configuration.
When users visit the Atlas login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.
You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.
To log in using an alternative identity provider, users must either:
- Initiate the MongoDB Cloud login through the desired IdP, or
- Log in using the Login URL associated with the desired IdP.
Use the Federation Management Console to map your domain to the IdP:
Enter domain mapping information.
- Click Add a Domain.
- On the Domains screen, click Add Domain.
Enter the following information for your domain mapping:
| Field | Description |
| --- | --- |
| Display Name | Name to easily identify the domain. |
| Domain Name | Domain name to map. |

- Click Next.
Choose how to verify your domain.
You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.
Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:
Associate Your Domain with Your Identity Provider
After successfully verifying your domain, use the Federation Management Console to associate the domain with Okta:
Test Your Domain Mapping
Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Atlas organization.
While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.
To learn more about Bypass SAML Mode, see Bypass SAML Mode.
Use the Federation Management Console to test the integration between your domain and Okta:
Click Next.
If you mapped your domain correctly, you're redirected to your IdP to authenticate. If authenticating with your IdP succeeds, you're redirected back to Atlas.
You can bypass the Atlas login page by navigating directly to your IdP's Login URL. The Login URL takes you directly to your IdP to authenticate.
(Optional) Map an Organization
Use the Federation Management Console to assign your domain's users access to specific Atlas organizations:
Connect an organization to the Federation Application.
Click View Organizations.
Atlas displays all organizations where you are an Organization Owner. Organizations which are not already connected to the Federation Application have a Connect button in the Actions column.
- Click the desired organization's Connect button.
Apply an Identity Provider to the organization.
From the Organizations screen in the management console:
- Click the Name of the organization you want to map to an IdP.
On the Identity Provider screen, click Apply Identity Provider.
Atlas directs you to the Identity Providers screen which shows all IdPs you have linked to Atlas.
- For the IdP you want to apply to the organization, click Add Organizations.
- In the Apply Identity Provider to Organizations modal, select the organizations to which this IdP applies.
- Click Confirm.
(Optional) Configure Advanced Federated Authentication Options
You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:
The following advanced options for federated authentication require you to map an organization.
Sign in to Atlas Using Your Login URL
All users you assigned to the Okta application can log in to Atlas using their Okta credentials on the Login URL. Users have access to the organizations you mapped to your IdP.
You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.
To log in using an alternative identity provider, users must either:
- Initiate the MongoDB Cloud login through the desired IdP, or
- Log in using the Login URL associated with the desired IdP.
If you selected a default organization role, new users who log in to Atlas using the Login URL have the role you specified.