Docs Menu

Docs HomeMongoDB Cloud Manager

Configure Federated Authentication from Microsoft Entra ID

On this page

  • Limitations
  • Prerequisites
  • Procedures
  • Add Domain users
  • Configure Microsoft Entra ID as an Identity Provider
  • Add Microsoft Entra ID as an Identity Provider in Cloud Manager
  • (Optional) Map an Organization
  • (Optional) Configure Advanced Federated Authentication Options
  • Sign in to Cloud Manager Using Your Login URL

This guide shows you how to configure federated authentication using Microsoft Entra ID as your IdP.

After integrating Microsoft Entra ID and Cloud Manager, you can use your company's credentials to log in to Cloud Manager and other MongoDB cloud services.

Limitations

Cloud Manager doesn't support single sign-on integration for database users.

Prerequisites

To use Microsoft Entra ID as an IdP for Cloud Manager, you must have:

  • An Azure subscription. To obtain a subscription, visit the Microsoft Azure portal.

  • An Microsoft Entra ID tenant associated with your subscription. For information about setting up an Microsoft Entra ID tenant, see the Microsoft Entra ID Documentation.

  • Global Administrator privileges in your Microsoft Entra ID tenant.

  • A custom, routable domain name.

Procedures

Add Domain users

If you haven't already, use the Azure console to add your custom domain name to Microsoft Entra ID and create users:

1

Add your custom domain to Microsoft Entra ID

Add your custom domain name to Microsoft Entra ID to create users that belong to your domain. After you add your domain, you must also add the Microsoft Entra ID DNS information in a TXT record with your DNS provider and verify the configuration.

To add your custom domain to Microsoft Entra ID, see the Azure documentation.

2

Create Microsoft Entra ID Users.

If they don't exist already, create users in Microsoft Entra ID that you want to grant database access to. Users must belong to the custom domain you added to Microsoft Entra ID.

To create Microsoft Entra ID users, see the Azure documentation.

Configure Microsoft Entra ID as an Identity Provider

Use the Azure console to configure Microsoft Entra ID as a SAML IdP. You can either add the MongoDB Cloud app from the Gallery or configure an application manually.

Add Microsoft Entra ID as an Identity Provider in Cloud Manager

Use the Federation Management Console and the Azure console to add Microsoft Entra ID as an IdP:

1

Open the Federation Management Console.

  1. Log in to Cloud Manager.

  2. Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.

  3. Click Settings in the left navigation pane.

  4. In Manage Federation Settings, click Visit Federation Management App.

2

Add Microsoft Entra ID to Cloud Manager as an Identity Provider.

  1. Click Add Identity Providers

  2. If you do not have any Identity Providers configured yet, click Setup Identity Provider. Otherwise, On the Identity Providers screen, click Add Identity Provider.

  3. Enter or select the following SAML Protocol Settings. All fields are required:

    Field
    Description
    Configuration Name
    Enter a descriptive name, such as Microsoft Entra ID.
    IdP Issuer URI
    Paste the Microsoft Entra ID Identifier you copied from Azure earlier in the tutorial.
    IdP Single Sign-On URL
    Paste the Login URL you copied from Azure earlier in the tutorial.
    IdP Signature Certificate

    Upload the Base64-encoded SAML signing certificate you downloaded from Azure earlier in the tutorial.

    You can either:

    • Upload the certificate from your computer, or

    • Paste the contents of the certificate into a text box.

    Request Binding
    Select HTTP POST.
    Response Signature Algorithm
    Select SHA-256.

  4. Click Next.

3

Download the metadata file with details that recognize MongoDB as a Service Provider.

  1. Click Download metadata. You upload this file to Microsoft Entra ID in the next step.

  2. Click Finish.

4

Upload the metadata file to Azure to finish configuring Microsoft Entra ID as an IdP.

To upload the file, see the screenshot in step 3 of Enable single sign-on for an app in the Azure documentation. Click Upload metadata file on the SSO configuration page, as shown in the screenshot in the linked Azure documentation.

Optionally, add a RelayState URL to your IdP to send users to a URL you choose and avoid unnecessary redirects after login. You can use:

Destination
RelayState URL
MongoDB MongoDB Cloud Manager
The Login URL that was generated for your identity provider configuration in the MongoDB Cloud Manager Federation Management App.
MongoDB Support Portal
https://auth.mongodb.com/app/salesforce/exk1rw00vux0h1iFz297/sso/saml
MongoDB University
https://university.mongodb.com
MongoDB Community Forums
https://auth.mongodb.com/home/mongodbexternal_communityforums_3/0oa3bqf5mlIQvkbmF297/aln3bqgadajdHoymn297
MongoDB Feedback Engine
https://auth.mongodb.com/home/mongodbexternal_uservoice_1/0oa27cs0zouYPwgj0297/aln27cvudlhBT7grX297
MongoDB JIRA
https://auth.mongodb.com/app/mongodbexternal_mongodbjira_1/exk1s832qkFO3Rqox297/sso/saml

Map your Domain

Mapping your domain to the IdP lets Cloud Manager know that users from your domain should be directed to the Login URL for your identity provider configuration.

When users visit the Cloud Manager login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

Use the Federation Management Console to map your domain to the IdP:

1
Open the Federation Management Console.

  1. Log in to Cloud Manager.

  2. Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.

  3. Click Settings in the left navigation pane.

  4. In Manage Federation Settings, click Visit Federation Management App.

2
Enter domain mapping information.

  1. Click Add a Domain.

  2. On the Domains screen, click Add Domain.

  3. Enter the following information for your domain mapping:

    Field
    Description
    Display Name
    Name to easily identify the domain.
    Domain Name
    Domain name to map.

  4. Click Next.

3
Choose how to verify your domain.

Note

You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.

Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:

4
Verify your domain.

The Domains screen displays both unverified and verified domains you've mapped to your IdP. To verify your domain, click the target domain's Verify button. Cloud Manager shows whether the verification succeeded in a banner at the top of the screen.

Associate Your Domain with Your Identity Provider

After successfully verifying your domain, use the Federation Management Console to associate the domain with Microsoft Entra ID:

1
Click Identity Providers in the left navigation.
2
For the IdP you want to associate with your domain, click next to Associated Domains.
3
Select the domain you want to associate with the IdP.
4
Click Confirm.

Test Your Domain Mapping

Important

Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Cloud Manager organization.

While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.

To learn more about Bypass SAML Mode, see Bypass SAML Mode.

Use the Federation Management Console to test the integration between your domain and Microsoft Entra ID:

1
In a private browser window, navigate to the Cloud Manager log in page.
2
Enter a username (usually an email address) with your verified domain.

Example

If your verified domain is mongodb.com, enter alice@mongodb.com.

3
Click Next.

If you mapped your domain correctly, you're redirected to your IdP to authenticate. If authenticating with your IdP succeeds, you're redirected back to Cloud Manager.

Note

You can bypass the Cloud Manager log in page by navigating directly to your IdP's Login URL. The Login URL takes you directly to your IdP to authenticate.

(Optional) Map an Organization

Use the Federation Management Console to assign your domain's users access to specific Cloud Manager organizations:

1

Open the Federation Management Console.

  1. Log in to Cloud Manager.

  2. Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.

  3. Click Settings in the left navigation pane.

  4. In Manage Federation Settings, click Visit Federation Management App.

2

Connect an organization to the Federation Application.

  1. Click View Organizations.

    Cloud Manager displays all organizations where you are an Organization Owner.

    Organizations which are not already connected to the Federation Application have Connect button in the Actions column.

  2. Click the desired organization's Connect button.

3

Apply an Identity Provider to the organization.

From the Organizations screen in the management console:

  1. Click the Name of the organization you want to map to an IdP.

  2. On the Identity Provider screen, click Apply Identity Provider.

    Cloud Manager directs you to the Identity Providers screen which shows all IdPs you have linked to Cloud Manager.

  3. For the IdP you want to apply to the organization, click Modify.

  4. At the bottom of the Edit Identity Provider form, select the organizations to which this IdP applies.

  5. Click Next.

  6. Click Finish.

4

Connect an organization to the Federation Application.

  1. Click Organizations in the left navigation.

  2. In the list of Organizations, ensure that your desired organization(s) now have the expected Identity Provider.

(Optional) Configure Advanced Federated Authentication Options

You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:

Note

The following advanced options for federated authentication require you to map an organization.

Sign in to Cloud Manager Using Your Login URL

All users you assigned to the Azure application can log in to Cloud Manager using their Microsoft Entra ID credentials on the Login URL. Users have access to the organizations you mapped to your IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

If you selected a default organization role, new users who log in to Cloud Manager using the Login URL have the role you specified.

← Manage Mapping Cloud Manager Roles to IdP Groups
Configure Federated Authentication from Okta →

On this page