Docs Home → MongoDB Cloud Manager
Configure Federated Authentication from Okta
On this page
This guide shows you how to configure federated authentication using Okta as your IdP.
After integrating Okta and Cloud Manager, you can use your company's credentials to log in to Cloud Manager and other MongoDB cloud services.
Note
If you are using Okta's built-in MongoDB Cloud app, you can use Okta's documentation.
If you are creating your own SAML app, use the procedures described here.
Prerequisites
To use Okta as an IdP for Cloud Manager, you must have:
A custom, routable domain name.
Procedures
Throughout the following procedure, it is helpful to have one browser tab open to your Federation Management Console and one tab open to your Okta account.
Configure Okta as an Identity Provider
Download your Okta origination certificate.
In your Okta account, click Admin in the upper right corner to access the Administrator environment.
In the left-hand pane, navigate to Applications -> Applications.
Click Create App Integration. Select SAML 2.0 for the Sign-in method and click Next.
Fill in the App name text field with your desired application name.
Optionally, add a logo image and set app visibility. Click Next.
On the Configure SAML screen, enter the following information:
Field | Value |
---|---|
Single sign-on URL | http://localhost |
Audience URI | urn:idp:default |
Important
These are placeholder values and are not intended for use in production. You will replace them in a later step.
Leave the other fields empty or set to their default values and click Next at the bottom of the page.
On the Feedback screen, select I'm an Okta customer adding an internal app and click Finish.
At the bottom of the page under the heading
SAML Signing Certificates, locate the newest
certificate with a Status of Active
--this
is the certificate you just created.
Click Actions and select
Download certificate from the drop-down menu.
The generated certificate is a .cert
file. You must
convert it to a .pem
certificate for use later in this
procedure. To do this, open a terminal of your choosing and
run the following:
openssl x509 -in path/to/mycert.crt -out path/to/mycert.pem -outform PEM
Open the Federation Management Console.
Log in to MongoDB Cloud Manager.
Use the drop-down at the top-left of MongoDB Cloud Manager to select the organization for which you want to manage federation settings.
Click Settings in the left navigation pane.
In Federated Authentication Settings, click Open Federation Management App.
Provide Okta credentials to MongoDB Cloud Manager.
Click Identity Providers in the left-hand pane. If you have previously configured an IdP, click Add Identity Provider in the upper-right corner of the page, then click Setup Identity Provider. If you have not previously configured an IdP, click Setup Identity Provider.
On the Configure Identity Provider screen, enter the following information:
Field | Value |
---|---|
Configuration Name | Descriptive label that identifies the configuration |
Issuer URI | Fill with Placeholder Values |
Single Sign-On URL | Fill with Placeholder Values |
Identity Provider Signature Certificate | Certificate you received from Okta
in a prior step |
Request Binding | HTTP POST |
Response Signature Algorithm | SHA-256 |
Click the Next button to see the values for the Okta configuration.
Configure your SAML integration.
In your Okta account, return to the page for your SAML application and ensure the General tab is selected.
In the SAML Settings pane, click Edit.
On the General Settings page, click Next.
On the Configure SAML screen, enter the following information:
Okta Data Field | Value | |||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Single sign on URL | Assertion Consumer Service URL from the MongoDB Cloud Manager FMC. Checkboxes:
| |||||||||||||||||||
Audience URI (SP Entity ID) | Audience URI from the MongoDB Cloud Manager FMC. | |||||||||||||||||||
Default RelayState | Optionally, add a RelayState URL to your IdP to send users to a URL you choose and avoid unnecessary redirects after login. You can use:
| |||||||||||||||||||
Name ID format | Unspecified | |||||||||||||||||||
Application username | Email | |||||||||||||||||||
Update application username on | Create and update |
Click the Click Show Advanced Settings link in the Okta configuration page and ensure that the following values are set:
Okta Data Field | Value |
---|---|
Response | Signed |
Assertion Signature | Signed |
Signature Algorithm | RSA-SHA256 |
Digest Algorithm | SHA256 |
Assertion Encryption | Unencrypted |
Leave the remaining Advanced Settings fields in their default state.
Scroll down to the Attribute Statements (optional) section and create four attributes with the following values:
Name | Name Format | Value |
---|---|---|
firstName | Unspecified | user.firstName |
lastName | Unspecified | user.lastName |
Important
The values in the Name column are case-sensitive. Enter them exactly as shown.
Note
These values may be different if Okta is connected to an Active Directory. For the appropriate values, use the Active Directory fields that contain a user's first name, last name, and full email address.
(Optional) If you plan to use role mapping, scroll down to the Group Attribute Statements (optional) section and create an attribute with the following values:
Name | Name Format | Filter | Value |
---|---|---|---|
memberOf | Unspecified | Matches regex | .* |
This filter matches all group names associated with the user. To filter the group names sent to MongoDB Cloud Manager further, adjust the Filter and Value fields.
Click Next at the bottom of the page.
On the Feedback screen, click Finish.
Replace placeholder values in the MongoDB Cloud Manager FMC.
On the Okta application page, click View Setup Instructions in the middle of the page.
In the MongoDB Cloud Manager FMC, navigate to the Identity Providers page. Locate your Okta and click Edit.
Replace the placeholder values in the following fields:
FMC Data Field | Value |
---|---|
Issuer URI | Identity Provider Issuer value from
the Okta Setup Instructions page. |
Single Sign-on URL | Identity Provider Single Sign-On URL
value from the Okta Setup Instructions page. |
Identity Provider Signature Certificate | Copy the X.509 Certificate from the
Okta Setup Instructions page and paste the contents
directly. |
Assign users to your Okta application.
On the Okta application page, click the Assignments tab.
Ensure that all your MongoDB Cloud Manager organization users who will use Okta are enrolled.
Map your Domain
Mapping your domain to the IdP lets Cloud Manager know that users from your domain should be directed to the Login URL for your identity provider configuration.
When users visit the Cloud Manager login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.
Important
You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.
To log in using an alternative identity provider, users must either:
Initiate the MongoDB Cloud login through the desired IdP, or
Log in using the Login URL associated with the desired IdP.
Use the Federation Management Console to map your domain to the IdP:
Open the Federation Management Console.
Log in to Cloud Manager.
Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
Click Settings in the left navigation pane.
In Manage Federation Settings, click Visit Federation Management App.
Enter domain mapping information.
Click Add a Domain.
On the Domains screen, click Add Domain.
Enter the following information for your domain mapping:
FieldDescriptionDisplay NameName to easily identify the domain.Domain NameDomain name to map.Click Next.
Choose how to verify your domain.
Note
You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.
Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:
Associate Your Domain with Your Identity Provider
After successfully verifying your domain, use the Federation Management Console to associate the domain with Okta:
Test Your Domain Mapping
Important
Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Cloud Manager organization.
While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.
To learn more about Bypass SAML Mode, see Bypass SAML Mode.
Use the Federation Management Console to test the integration between your domain and Okta:
Click Next.
If you mapped your domain correctly, you're redirected to your IdP to authenticate. If authenticating with your IdP succeeds, you're redirected back to Cloud Manager.
Note
You can bypass the Cloud Manager log in page by navigating directly to your IdP's Login URL. The Login URL takes you directly to your IdP to authenticate.
(Optional) Map an Organization
Use the Federation Management Console to assign your domain's users access to specific Cloud Manager organizations:
Open the Federation Management Console.
Log in to Cloud Manager.
Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
Click Settings in the left navigation pane.
In Manage Federation Settings, click Visit Federation Management App.
Connect an organization to the Federation Application.
Click View Organizations.
Cloud Manager displays all organizations where you are an
Organization Owner
.Organizations which are not already connected to the Federation Application have Connect button in the Actions column.
Click the desired organization's Connect button.
Apply an Identity Provider to the organization.
From the Organizations screen in the management console:
Click the Name of the organization you want to map to an IdP.
On the Identity Provider screen, click Apply Identity Provider.
Cloud Manager directs you to the Identity Providers screen which shows all IdPs you have linked to Cloud Manager.
For the IdP you want to apply to the organization, click Modify.
At the bottom of the Edit Identity Provider form, select the organizations to which this IdP applies.
Click Next.
Click Finish.
(Optional) Configure Advanced Federated Authentication Options
You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:
Note
The following advanced options for federated authentication require you to map an organization.
Sign in to Cloud Manager Using Your Login URL
All users you assigned to the Okta application can log in to Cloud Manager using their Okta credentials on the Login URL. Users have access to the organizations you mapped to your IdP.
Important
You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.
To log in using an alternative identity provider, users must either:
Initiate the MongoDB Cloud login through the desired IdP, or
Log in using the Login URL associated with the desired IdP.
If you selected a default organization role, new users who log in to Cloud Manager using the Login URL have the role you specified.