
Configure Federated Authentication from Microsoft Entra ID

On this page

  • Limitations
  • Required Access
  • Prerequisites
  • Procedures
  • Add Domain users
  • Configure Microsoft Entra ID as an Identity Provider
  • Add Microsoft Entra ID as an Identity Provider in Atlas
  • (Optional) Map an Organization
  • (Optional) Configure Advanced Federated Authentication Options
  • Sign in to Atlas Using Your Login URL

This guide shows you how to configure federated authentication using Microsoft Entra ID as your IdP.

After integrating Microsoft Entra ID and Atlas, you can use your company's credentials to log in to Atlas and other MongoDB cloud services.

Atlas doesn't support single sign-on integration for database users. To configure Atlas to authenticate and authorize database users from Microsoft Entra ID using LDAP, see Configure User Authentication and Authorization with Microsoft Entra ID Domain Services.

To manage federated authentication, you must have Organization Owner access to one or more organizations that are delegating federation settings to the instance.

To use Microsoft Entra ID as an IdP for Atlas, you must have:

  • An Azure subscription. To obtain a subscription, visit the Microsoft Azure portal.

  • A Microsoft Entra ID tenant associated with your subscription. For information about setting up a Microsoft Entra ID tenant, see the Microsoft Entra ID Documentation.

  • Global Administrator privileges in your Microsoft Entra ID tenant.

  • A custom, routable domain name.

If you haven't already, use the Azure console to add your custom domain name to Microsoft Entra ID and create users:

1

Add your custom domain name to Microsoft Entra ID to create users that belong to your domain. After you add your domain, you must also add the Microsoft Entra ID DNS information in a TXT record with your DNS provider and verify the configuration.

To add your custom domain to Microsoft Entra ID, see the Azure documentation.

2

If they don't exist already, create users in Microsoft Entra ID that you want to grant access to. Users must belong to the custom domain you added to Microsoft Entra ID.

To create Microsoft Entra ID users, see the Azure documentation.

Use the Azure console to configure Microsoft Entra ID as a SAML IdP. You can either add the MongoDB Cloud app from the Gallery or configure an application manually.

1

To add the MongoDB Cloud app to your Microsoft Entra ID tenant, see the Azure documentation.


2

Assign users to the application. These users will have access to Atlas and other MongoDB cloud services when you complete the tutorial.

To assign Microsoft Entra ID users to an application, see the Azure documentation.

3

To navigate to the SAML configuration page, see the Azure documentation.

4

To generate a valid SAML signing certificate, you must assign temporary values to the Identifier and Reply URL for your Microsoft Entra ID enterprise application. If you download the certificate before setting these values, the downloaded certificate won't be unique and you must download the certificate again after setting these values.

To set the temporary values:

  1. Click Edit in Section 1.

  2. Remove any existing default values and set the following temporary values:

    • Identifier (Entity ID): https://www.okta.com/saml2/service-provider/MongoDBCloud
    • Reply URL (Assertion Consumer Service URL): https://auth.mongodb.com/sso/saml2/
  3. Click Save.

  4. Refresh the browser page to ensure that the certificate is regenerated.

    After you set the temporary Identifier and Reply URL for the first time, the certificate's thumbprint and expiration date change from their previous values. This confirms that a new certificate was generated.

5

In the SAML Signing Certificate section, click Download next to Certificate (Base64).

You upload this signing certificate to the MongoDB Federation Management Console later in the tutorial.

6

Skip this step if you won't use role mapping.

To use role mapping, add the following group claim to the SAML token Microsoft Entra ID sends to Atlas:

  1. Click Add a group claim. Azure displays the Group Claims panel.

  2. In Which groups associated with the user should be returned in the claim?, click Security groups.

    Which groups you select depends on the type of groups you configured in your Azure environment. You may need to select a different type of group to send the appropriate group information.

  3. From the Source attribute dropdown menu, click Group Id.

    If you select Group Id, Azure sends the security group's Object ID and not the human-readable group name. Depending on your Azure environment, you may have the option to select a different source attribute that sends the group name instead.

    When creating role mappings in Atlas, match the Azure group data sent in the SAML response to the configured Atlas role mapping name exactly.

  4. Click Customize the name of the group claim in the Advanced options section.

  5. Set Name to memberOf.

  6. Leave Namespace blank.

  7. Clear Emit groups as role claims.

  8. Click Save.

7

Copy the Login URL and Microsoft Entra ID Identifier values and paste them into a text editor or another easily accessible location.

You enter these values in the MongoDB Federation Management Console later in the tutorial.

1

To configure the application manually, add a non-gallery application and give it a descriptive name, like MongoDB-Atlas.

To add a non-gallery application to Microsoft Entra ID, see the Azure documentation.

2

Assign users to the application. These users will have access to Atlas and other MongoDB cloud services when you complete the tutorial.

To assign Microsoft Entra ID users to an application, see the Azure documentation.

3

To navigate to the SAML configuration page, see the Azure documentation.

4

To generate a valid SAML signing certificate, you must assign temporary values to the Identifier and Reply URL for your Microsoft Entra ID enterprise application. If you download the certificate before setting these values, the downloaded certificate won't be unique and you must download the certificate again after setting these values.

To set the temporary values:

  1. Click Edit in Section 1.

  2. Remove any existing default values and set the following temporary values:

    • Identifier (Entity ID): https://www.okta.com/saml2/service-provider/MongoDBCloud
    • Reply URL (Assertion Consumer Service URL): https://auth.mongodb.com/sso/saml2/
  3. Click Save.

  4. Refresh the browser page to ensure that the certificate is regenerated.

    After you set the temporary Identifier and Reply URL for the first time, the certificate's thumbprint and expiration date change from their previous values. This confirms that a new certificate was generated.

5

To simplify the SAML configuration, you can delete the default Additional claims:

  1. In the User Attributes & Claims section, click the Edit icon.

  2. For each claim in the Additional claims section, expand the Context menu, then click Delete.

6

Use the following values:

  • Choose name identifier format: Unspecified

  • Source: Attribute

  • Source attribute: user.userprincipalname

    Important

    Selecting Source attribute

    Depending on your Active Directory configuration, the source attribute that contains a user's full email address may not be user.userprincipalname. Use the source attribute that contains the email address that matches the usernames of existing Atlas users within your federated domain, such as user.mail.

    For existing Atlas users in your federated domain, select the source attribute that contains the current Atlas usernames of those users.

To edit the Unique User Identifier required claim, see the Azure documentation.

7

Add the following user claims to the SAML token Microsoft Entra ID sends to Atlas:

Important

The values in the Name column are case-sensitive. Enter them exactly as shown.

You must leave the Namespace field empty for all user claims.

  • Name: firstName; Source: Attribute; Source Attribute: user.givenname

  • Name: lastName; Source: Attribute; Source Attribute: user.surname

Note

Depending on your Active Directory configuration, the source attributes you use may be different. Use the source attributes that contain a user's first name and last name for the appropriate claims.

To add user claims, see the Azure documentation.

8

Skip this step if you won't use role mapping.

To use role mapping, add the following group claim to the SAML token Microsoft Entra ID sends to Atlas:

  1. Click Add a group claim. Azure displays the Group Claims panel.

  2. In Which groups associated with the user should be returned in the claim?, click Security groups.

    Which groups you select depends on the type of groups you configured in your Azure environment. You may need to select a different type of group to send the appropriate group information.

  3. From the Source attribute dropdown menu, click Group Id.

    If you select Group Id, Azure sends the security group's Object ID and not the human-readable group name. Depending on your Azure environment, you may have the option to select a different source attribute that sends the group name instead.

    When creating role mappings in Atlas, match the Azure group data sent in the SAML response to the configured Atlas role mapping name exactly.

  4. Click Customize the name of the group claim in the Advanced options section.

  5. Set Name to memberOf.

  6. Leave Namespace blank.

  7. Clear Emit groups as role claims.

  8. Click Save.

9

To verify that the SAML signing certificate uses the SHA-256 signing algorithm, see the Azure documentation.
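The following check ties together the NameID, user claim, group claim and SHA-256 steps above. It is an added example, not part of the MongoDB or Azure documentation: it parses a constructed SAML response of the shape Entra ID sends after those steps, confirms that the firstName, lastName and memberOf claims and the rsa-sha256 signature method are present, and matches the group Object IDs in memberOf against constructed Atlas role mapping names exactly. The sample response, group IDs and role mapping names are constructed; the code inspects claims only and does not validate the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample shaped like what Entra ID sends after the steps above: NameID from
# user.userprincipalname, firstName/lastName claims, a memberOf claim carrying group Object IDs
# (not names) and an rsa-sha256 SignatureMethod. The Signature element is a stub, not verified here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion ID="_a1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="memberOf">
    <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Constructed Atlas role mappings, keyed by the exact group value Atlas must receive.
ROLE_MAPPINGS = {
    "11111111-2222-3333-4444-555555555555": ["ORG_OWNER"],
    "Atlas-Admins": ["ORG_READ_ONLY"],  # a display name never matches an Object ID claim
}

def parse_claims(xml_text):
    # Pull NameID, the attribute claims and the signature algorithm out of the Response.
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    sig = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {"nameId": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs, "sigAlg": sig.get("Algorithm") if sig is not None else None}

def check_claims(claims):
    # Each mismatch here breaks a step of this guide; claim names are case-sensitive.
    checks = [
        ("@" in (claims["nameId"] or ""), "NameID is not an email-style username"),
        ("firstName" in claims["attributes"], "missing user claim firstName"),
        ("lastName" in claims["attributes"], "missing user claim lastName"),
        ("memberOf" in claims["attributes"], "missing memberOf group claim; role mapping cannot work"),
        (claims["sigAlg"] == RSA_SHA256, "response is not signed with SHA-256"),
    ]
    return [msg for ok, msg in checks if not ok]

def resolve_roles(claims, mappings):
    # Exact, case-sensitive match of each memberOf value against the mapping names.
    groups = claims["attributes"].get("memberOf", [])
    return sorted({role for g in groups for role in mappings.get(g, [])})
```

To run this against a real response, capture one with a browser SAML tracer during a test login and pass the decoded XML to parse_claims.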

10

In the SAML Signing Certificate section, click Download next to Certificate (Base64).

You upload this signing certificate to the MongoDB Federation Management Console later in the tutorial.

11

Copy the Login URL and Microsoft Entra ID Identifier values and paste them into a text editor or another easily accessible location.

You enter these values in the MongoDB Federation Management Console later in the tutorial.

Use the Federation Management Console and the Azure console to add Microsoft Entra ID as an IdP:

1
  1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

  2. Click the Organization Settings icon next to the Organizations menu.

    The Organization Settings page displays.

2

In Manage Federation Settings, click Open Federation Management App.

3
  1. Click Configure Identity Providers.

  2. If you do not have any Identity Providers configured yet, click Setup Identity Provider. Otherwise, on the Identity Providers screen, click Add Identity Provider.

  3. Enter or select the following SAML Protocol Settings. All fields are required:

    • Configuration Name: Descriptive name, such as Microsoft Entra ID.

    • IdP Issuer URI: Microsoft Entra ID Identifier you copied from Azure earlier in the tutorial.

    • IdP Single Sign-On URL: Login URL that you copied from Azure earlier in the tutorial.

    • IdP Signature Certificate: Base64-encoded SAML signing certificate you downloaded from Azure earlier in the tutorial. You can either upload the certificate from your computer, or paste the contents of the certificate into a text box.

    • Request Binding: HTTP POST.

    • Response Signature Algorithm: SHA-256.

  4. Click Next.

4
  1. Click Download metadata. You upload this file to Microsoft Entra ID in the next step.

  2. Click Finish.

5

On the SSO configuration page in Azure, click Upload metadata file and upload the metadata file you downloaded from the Federation Management Console. For the location of this button, see the screenshot in step 3 of Enable single sign-on for an app in the Azure documentation.

Optionally, add a RelayState URL to your IdP to send users to a URL you choose and avoid unnecessary redirects after login. You can use:

  • MongoDB Atlas: Login URL generated for your identity provider configuration in the Atlas Federation Management App.

  • MongoDB Support Portal: https://auth.mongodb.com/app/salesforce/exk1rw00vux0h1iFz297/sso/saml

  • MongoDB University: https://auth.mongodb.com/home/mongodb_thoughtindustriesstaging_1/0oadne22vtcdV5riC297/alndnea8d6SkOGXbS297

  • MongoDB Community Forums: https://auth.mongodb.com/home/mongodbexternal_communityforums_3/0oa3bqf5mlIQvkbmF297/aln3bqgadajdHoymn297

  • MongoDB Feedback Engine: https://auth.mongodb.com/home/mongodbexternal_uservoice_1/0oa27cs0zouYPwgj0297/aln27cvudlhBT7grX297

  • MongoDB JIRA: https://auth.mongodb.com/app/mongodbexternal_mongodbjira_1/exk1s832qkFO3Rqox297/sso/saml

Mapping your domain to the IdP lets Atlas know that users from your domain should be directed to the Login URL for your identity provider configuration.

When users visit the Atlas login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

Use the Federation Management Console to map your domain to the IdP:

1

Open the FMC.

  1. In Atlas, go to the Organization Settings page.

    1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

    2. Click the Organization Settings icon next to the Organizations menu.

      The Organization Settings page displays.

  2. In Manage Federation Settings, click Open Federation Management App.

2

Enter domain mapping information.

  1. Click Add a Domain.

  2. On the Domains screen, click Add Domain.

  3. Enter the following information for your domain mapping:

    • Display Name: Label to easily identify the domain.
    • Domain Name: Domain name to map.
  4. Click Next.

3

Choose your domain verification method.

Note

You can choose the verification method once. It cannot be modified. To select a different verification method, delete and recreate the domain mapping.

Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:

Upload an HTML file containing a verification key to verify that you own your domain.

  1. Click HTML File Upload.

  2. Click Next.

  3. Download the mongodb-site-verification.html file that Atlas provides.

  4. Upload the HTML file to a website on your domain. You must be able to access the file at <https://host.domain>/mongodb-site-verification.html.

  5. Click Finish.

Create a DNS TXT record with your domain provider to verify that you own your domain. Each DNS record associates a specific Atlas organization with a specific domain.

  1. Click DNS Record.

  2. Click Next.

  3. Copy the provided TXT record. The TXT record has the following form:

    mongodb-site-verification=<32-character string>
  4. Log in to your domain name provider (such as GoDaddy.com or networksolutions.com).

  5. Add the TXT record that Atlas provides to your domain.

  6. Return to Atlas and click Finish.

4

Verify your domain.

The Domains screen displays both unverified and verified domains you've mapped to your IdP. To verify your domain, click the target domain's Verify button. Atlas shows whether the verification succeeded in a banner at the top of the screen.

After successfully verifying your domain, use the Federation Management Console to associate the domain with Microsoft Entra ID:

1

Click Identity Providers in the left navigation.

2

For the IdP you want to associate with your domain, click Edit next to Associated Domains.

3

Select the domain you want to associate with the IdP.

4

Click Confirm.

Important

Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Atlas organization.

While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.

To learn more about Bypass SAML Mode, see Bypass SAML Mode.

Use the Federation Management Console to test the integration between your domain and Microsoft Entra ID:

1

In a private browser window, navigate to the Atlas login page.

2

Enter a username (usually an email address) with your verified domain.

Example

If your verified domain is mongodb.com, use an email address of the form username@mongodb.com.

3

Click Next. If you mapped your domain correctly, you'll be redirected to your IdP to authenticate. Upon successful authentication, you'll be redirected back to Atlas.

Note

You can bypass the Atlas login page by navigating directly to your IdP Login URL.

Use the Federation Management Console to assign your domain's users access to specific Atlas organizations:

1
  1. If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar.

  2. Click the Organization Settings icon next to the Organizations menu.

    The Organization Settings page displays.

2

In Manage Federation Settings, click Open Federation Management App.

3
  1. Click View Organizations.

    Atlas displays all organizations where you are an Organization Owner.

    Organizations that are not already connected to the Federation Application have a Connect button in the Actions column.

  2. Click the desired organization's Connect button.

4

From the Organizations screen in the management console:

  1. Click the Name of the organization you want to map to an IdP.

  2. On the Identity Provider screen, click Apply Identity Provider.

    Atlas directs you to the Identity Providers screen which shows all IdPs you have linked to Atlas.

  3. For the IdP you want to apply to the organization, click Add Organizations.

  4. In the Apply Identity Provider to Organizations modal, select the organizations to which this IdP applies.

  5. Click Confirm.

5
  1. Click Organizations in the left navigation.

  2. In the list of Organizations, ensure that your desired organizations now have the expected Identity Provider.

You can configure the following advanced options for federated authentication for greater control over your federated users and authentication flow:

Note

The following advanced options for federated authentication require you to map an organization.

All users you assigned to the Azure application can log in to Atlas using their Microsoft Entra ID credentials on the Login URL. Users have access to the organizations you mapped to your IdP.

Important

You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain.

To log in using an alternative identity provider, users must either:

  • Initiate the MongoDB Cloud login through the desired IdP, or

  • Log in using the Login URL associated with the desired IdP.

If you selected a default organization role, new users who log in to Atlas using the Login URL have the role you specified.
