This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure Ops Manager Users for SAML Authentication

You can use an Identity Provider (IdP) that supports the Security Assertion Markup Language (SAML) to manage Ops Manager user authentication and authorization. When you navigate to Ops Manager without an authenticated session, Ops Manager redirects you to the IdP, where you log in. After you authenticate, the IdP returns you to the Ops Manager Application.

This tutorial describes how to:

Considerations

Users Remain Authenticated after SAML Activation

After you switch your Ops Manager instance to SAML authentication, users who are already logged in keep their current sessions. Any user who logs in after the change is redirected to the SAML IdP.

Two-Stage Configuration

SAML setup has a circular dependency. To create a working integration:

  • The IdP needs values from the Service Provider (Ops Manager), and
  • The Service Provider needs values from the IdP.

To start this integration, follow the Prerequisites, then the Procedure in this tutorial.

Prerequisites

To configure SAML integration, you must perform the following actions for your SAML IdP:

  1. Install your SAML IdP.

  2. Verify that your Ops Manager instance can access your IdP over the network.

  3. In the SAML IdP, you must:

    1. Create a SAML user that maps to your Ops Manager Global Owner.

    2. Create a SAML group that you can map to your Ops Manager Global Owner.

    3. Assign the Global Owner SAML group to your SAML user.

    4. Create a new application in your IdP that represents Ops Manager.

    5. Configure initial Ops Manager SAML values for this new application:

      1. Set placeholder values for the following fields:

        • SP Entity ID or Issuer
        • Audience URI
        • Assertion Consumer Service (ACS) URL
      2. Set real values for the following fields in your IdP:

         Signature Algorithm
           Your IdP might offer one or more of the following values:
           • rsa-sha1
           • dsa-sha1
           • rsa-sha256
           • rsa-sha384
           • rsa-sha512
           Choose rsa-sha256 or stronger when the IdP offers it; the SHA-1 algorithms are deprecated for signatures and should be used only when the IdP supports nothing else.
         Name ID
           Email Address
         Name ID Format
           urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      3. Create attributes with Attribute Names for the following Attribute Values:

        • Email Address
        • First Name
        • Last Name
        • User Groups
      4. Configure your IdP to require signed SAML Responses and Assertions.

      5. Save these values.

Procedure

To configure SAML authentication:

1

Log in to your IdP.

2

Copy SAML IdP values.

From your IdP, click on the Ops Manager application:

  1. Find the Ops Manager metadata values.
  2. Copy the following values to a temporary file:
    • SAML Login URL
    • SAML Logout URL
    • X.509 Certificate (for the IdP)
    • IdP Entity ID or Issuer
    • Signature Algorithm
3
4

Set the User Authentication option to SAML.

5

Set the required SAML IdP setting values in Ops Manager.

Type the values from the IdP for the following SAML fields:

Identity Provider URI (Required; default: none)

  Type the URI that identifies your IdP for Single Sign-On.

  This is the IdP Entity ID or Issuer from your SAML IdP.

  It must be identical to the Issuer URI that appears in the SAML response.

SSO Endpoint URL (Required; default: none)

  Type the Single Sign-On URL for your IdP.

  This is the SAML Login URL from your IdP.

SLO Endpoint URL (Optional; default: none)

  Type the IdP URL that Ops Manager calls if you want a user to be logged out of the IdP when that user logs out of Ops Manager.

  This is the SAML Logout URL from your IdP.

Identity Provider X509 Certificate (Required; default: none)

  Paste your IdP's X.509 certificate into this field. The IdP provides the certificate in PEM format. Include the entire certificate, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. Ops Manager uses this certificate to verify the signatures on the SAML Responses and Assertions that the IdP sends, so it must be the certificate whose private key the IdP uses to sign them (not the Service Provider certificate from step 6).

  This is the X.509 Certificate you copied from your IdP.

Identity Provider Signature Algorithm (Required; default: none)

  Select the algorithm the IdP uses to sign the SAML messages it sends. The accepted values are:

  • rsa-sha1
  • dsa-sha1
  • rsa-sha256
  • rsa-sha384
  • rsa-sha512

  This is the Signature Algorithm from your IdP. Use rsa-sha256 or stronger where the IdP supports it; SHA-1 is deprecated for signatures.

Require Encrypted Assertions (Optional; default: false)

  Select whether your IdP encrypts the assertions it sends to Ops Manager. Encrypted assertions require the Service Provider certificate and key from step 6.

Global Role Owner Group (Required; default: none)

  Type the name of the group, as it appears in the SAML Group Member Attribute, whose members have full privileges over this deployment, including access to all projects and all administrative permissions. Members of this group hold the Global Owner role for this Ops Manager instance.

  You created this group in your IdP as part of the prerequisites.

SAML Attribute For User First Name (Required; default: none)

  Type the name of the SAML attribute that contains the user's first name.

SAML Attribute For User Last Name (Required; default: none)

  Type the name of the SAML attribute that contains the user's last name.

SAML Attribute For User Email (Required; default: none)

  Type the name of the SAML attribute that contains the user's email address.

SAML Group Member Attribute (Required; default: groups)

  Type the name of the SAML attribute that contains the list of groups Ops Manager uses to map roles to projects and organizations.
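The following is an added example, not Ops Manager code, showing how the step 5 settings relate to the contents of a SAML Response. It parses a constructed Response (hostnames, group names and the placeholder signature elements are all made up), checks that the Response and the Assertion each carry a signature, that both Issuers equal the Identity Provider URI, that the Audience equals the SP Entity ID, reads the four configured attributes, and decides whether the user is in the Global Role Owner Group. It checks only that signatures are present; verifying them against the IdP's X.509 certificate is what Ops Manager does with the certificate field above and needs an XML-DSig library, so it is out of scope here.

```python
"""Check a SAML Response against the Ops Manager SAML settings described above.

Added example, not Ops Manager's code: setting names mirror the table, all
values and the Response itself are constructed. Signature presence is checked;
cryptographic verification against the IdP certificate is out of scope.
"""
import xml.etree.ElementTree as ET  # production code: prefer defusedxml.ElementTree

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical values for the step 5 settings.
SETTINGS = {
    "identity_provider_uri": "https://idp.example.com/saml/metadata",  # Identity Provider URI
    "sp_entity_id": "https://opsmanager.example.com:8080",           # entityID of the SP metadata
    "global_role_owner_group": "opsmanager-global-owners",           # Global Role Owner Group
    "attr_first_name": "firstName",  # SAML Attribute For User First Name
    "attr_last_name": "lastName",    # SAML Attribute For User Last Name
    "attr_email": "email",           # SAML Attribute For User Email
    "attr_groups": "groups",         # SAML Group Member Attribute
}

# Placeholder ds:Signature element so the structural check passes; it is not verifiable.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
       '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')

# Constructed Response: signed Response and Assertion carrying the four required attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://opsmanager.example.com:8080/saml/assert">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  {sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    {sig}
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://opsmanager.example.com:8080</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>opsmanager-global-owners</saml:AttributeValue>
        <saml:AttributeValue>project-alpha-readonly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
""".format(sig=SIG)


def attributes(assertion):
    """Map each saml:Attribute Name to its list of values."""
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def check_response(xml_text, settings=SETTINGS):
    """Return {"problems": [...], "user": {...}, "global_owner": bool} for one SAML Response."""
    problems = []
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    # The prerequisites require both the Response and the Assertion to be signed.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"problems": problems + ["no Assertion"], "user": {}, "global_owner": False}
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")

    # Identity Provider URI must equal the Issuer of the Response and of the Assertion.
    for elem, where in ((root, "Response"), (assertion, "Assertion")):
        issuer = elem.find("saml:Issuer", NS)
        if issuer is None or issuer.text != settings["identity_provider_uri"]:
            problems.append(f"{where} Issuer does not match Identity Provider URI")

    # The Audience must be this Ops Manager instance (the SP Entity ID).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings["sp_entity_id"] not in audiences:
        problems.append("Audience does not match SP Entity ID")

    attrs = attributes(assertion)
    first = lambda name: (attrs.get(name) or [""])[0]
    user = {"first_name": first(settings["attr_first_name"]),
            "last_name": first(settings["attr_last_name"]),
            "email": first(settings["attr_email"]),
            "groups": attrs.get(settings["attr_groups"], [])}
    for key in ("first_name", "last_name", "email"):
        if not user[key]:
            problems.append(f"required attribute for {key} is missing")

    # Group names are compared as exact strings against the configured group name.
    global_owner = not problems and settings["global_role_owner_group"] in user["groups"]
    return {"problems": problems, "user": user, "global_owner": global_owner}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```

Running the check on the constructed Response yields no problems and marks alice@example.com as a Global Owner; rewriting the Issuer to another host produces two Issuer mismatches and the user gets no global role, which is the behaviour you want from an Identity Provider URI that is pinned exactly.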
6

Add any needed optional SAML IdP settings to Ops Manager.

Type the values from the IdP for the following SAML fields:

Path to SP Certificate PEM Key File (Optional; default: none)

  Type the absolute path to the PEM file that the Service Provider (Ops Manager) uses to sign its requests to the IdP and to decrypt encrypted assertions. The file must contain both the certificate and its private key.

  If this field is left blank:

  • Ops Manager doesn't sign SAML authentication requests to the IdP.
  • You can't use encrypted SAML assertions.

  Because the file holds a private key, restrict its file permissions to the account that runs Ops Manager.

Password For SP Certificate PEM Key File (Conditional; default: none)

  If the private key in your SP PEM file is encrypted, type its passphrase in this field.

Global Automation Admin Role (Optional; default: none)

  Type the name of the group whose members have the Global Automation Admin role.

Global Backup Admin Role (Optional; default: none)

  Type the name of the group whose members have the Global Backup Admin role.

Global Monitoring Admin Role (Optional; default: none)

  Type the name of the group whose members have the Global Monitoring Admin role.

Global User Admin Role (Optional; default: none)

  Type the name of the group whose members have the Global User Admin role.

Global Read Only Role (Optional; default: none)

  Type the name of the group whose members have the Global Read Only role.
7

Click Save.

8

Log in as a global owner.

Log in to Ops Manager as a user that is part of the SAML group specified in the Ops Manager SAML Global Role Owner field.

Upon successful login, Ops Manager displays your projects page.

9

Associate SAML groups with project roles.

To associate SAML groups with roles in a new project:

Note

You must hold a global role (any of them) to create a new project.

  1. Click Admin > General > Projects.

  2. Click Create a New Project.

  3. In Project Name, type a name for the new Ops Manager project.

  4. Enter the SAML groups that correspond to each project role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role’s field to revoke the group’s access for that role.

  5. Click Add Project.

To update the association of SAML groups with roles in an existing project:

  1. Click Admin > General > Projects.

  2. In the Actions column for a project, click ellipsis icon , then click Edit SAML Settings.

  3. Enter the SAML groups that correspond to each project role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role’s field to revoke the group’s access for that role.

  4. Click Save Changes.

10

Optional: Associate SAML groups with organization roles.

To associate SAML groups with roles for a new organization:

Note

You must hold a global role (any of them) to create a new organization.

  1. Click Admin > General > Organizations.

  2. Click Create a New Organization.

  3. In Organization Name, type a name for the new Ops Manager organization.

  4. Enter the SAML groups that correspond to each organization role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role’s field to revoke the group’s access for that role.

  5. Click Add Organization.

To update the association of SAML groups with roles for an existing organization:

  1. Click Admin > General > Organizations.

  2. Click the Edit Org button.

  3. Enter the SAML groups that correspond to each organization role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role’s field to revoke the group’s access for that role.

  4. Click Save Changes.
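The following is an added example, not Ops Manager code, that models the role fields described in steps 9 and 10: each field holds one or more group names separated by two semicolons, and a group is removed from a field to revoke that role. The project name, role names and group distinguished names are made up. It shows which roles a given list of SAML groups yields, what removing a group from a field changes, and catches the common typo of separating groups with a single semicolon, which silently turns two groups into one name that never matches.

```python
"""Resolve project or organization roles from a user's SAML groups.

Added example, not Ops Manager code. Role fields are modelled as a dict of
role name to the ';;'-separated string typed into the field; group DNs are
hypothetical.
"""

# Hypothetical role fields as typed for one project under Admin > General > Projects.
PROJECT_ROLE_FIELDS = {
    "Project Owner": "cn=alpha-owners,ou=groups,dc=example,dc=com",
    "Project Read Only": ("cn=alpha-readers,ou=groups,dc=example,dc=com;;"
                          "cn=auditors,ou=groups,dc=example,dc=com"),
    "Project Automation Admin": "",  # empty field: no SAML group grants this role
}


def parse_role_field(value):
    """Split a role field on ';;' into trimmed, non-empty group names."""
    return [g.strip() for g in value.split(";;") if g.strip()]


def lint_role_field(value):
    """Flag the usual typo: a single ';' separator, which yields one bogus group name."""
    return [f"group {g!r} contains a single ';' (did you mean ';;'?)"
            for g in parse_role_field(value) if ";" in g]


def roles_for(groups, role_fields):
    """Return, sorted, every role whose field names at least one of the user's groups.

    This example compares exact strings; fix casing and DN formatting at the IdP,
    not by loosening the comparison.
    """
    held = set(groups)
    return sorted(role for role, field in role_fields.items()
                  if held & set(parse_role_field(field)))


def revoke(role_fields, role, group):
    """Return a copy of role_fields with `group` removed from `role`'s field."""
    remaining = [g for g in parse_role_field(role_fields[role]) if g != group]
    return {**role_fields, role: ";;".join(remaining)}


if __name__ == "__main__":
    auditor = ["cn=auditors,ou=groups,dc=example,dc=com"]
    print(roles_for(auditor, PROJECT_ROLE_FIELDS))
    print(roles_for(auditor, revoke(PROJECT_ROLE_FIELDS, "Project Read Only", auditor[0])))
```

Run `lint_role_field` over every field you type before you click Save Changes; a single-semicolon separator does not fail loudly, it just grants the role to nobody.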

11

Add your MongoDB deployments.

Specify the SAML authentication settings when adding a MongoDB deployment.

12

Export your Ops Manager Metadata.

After you save the SAML configuration, a link to Download the Metadata XML File appears.

Click this link to download the SAML SP metadata XML file.

This metadata file should look similar to the following example. The example host is reached over plain http on port 8080; for a production Ops Manager instance, serve the application over HTTPS so that the entityID and the AssertionConsumerService and SingleLogoutService Locations use https and the IdP never posts an assertion over a plaintext connection:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-09-13T20:36:00Z" cacheDuration="PT604800S" entityID="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080" ID="ONELOGIN_f95ad815-e8da-4ab3-a799-3c581484cd6a">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080/saml/assert" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
13

Import the SAML SP Metadata into your IdP.

If your IdP offers the option, import your metadata into the IdP. Ops Manager serves as the Service Provider (SP) for your IdP.

Provide the following values from the metadata XML file to your IdP, replacing the placeholders you set in the prerequisites:

  SP Entity ID or Issuer: <OpsManagerHost>:<Port> (the entityID attribute of EntityDescriptor)
  Audience URI: <OpsManagerHost>:<Port> (the same value as the SP Entity ID)
  Assertion Consumer Service (ACS) URL: <OpsManagerHost>:<Port>/saml/assert (the AssertionConsumerService Location)
  Single Logout URL: <OpsManagerHost>:<Port>/saml/logout (the SingleLogoutService Location)

If one or more of these values are missing, use the guidelines listed in the previous table to set those values.

Save these values in your IdP.
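The following is an added example, not Ops Manager code, that reads an SP metadata file shaped like the one in step 12 and pulls out the values step 13 asks you to enter in the IdP, together with the two signing flags the SP advertises. The hostname in the embedded metadata is made up. The `warnings` function flags what a practitioner would fix before production: any of the URLs not using https, `WantAssertionsSigned` not being `true`, and `AuthnRequestsSigned` being `false`, which is what the metadata shows when the Path to SP Certificate PEM Key File in step 6 is left blank.

```python
"""Extract IdP-side values from Ops Manager SP metadata and flag weak settings.

Added example, not Ops Manager code. The metadata below is constructed in the
shape of the step 12 example with a made-up host.
"""
import xml.etree.ElementTree as ET  # production code: prefer defusedxml.ElementTree
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect"}

# Constructed SP metadata: http on port 8080, requests unsigned, assertions must be signed.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://opsmanager.example.com:8080">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://opsmanager.example.com:8080/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://opsmanager.example.com:8080/saml/assert" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_values(metadata_xml):
    """Return the step 13 fields plus the SP's signing expectations, read from the metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", MD)
    acs = sp.find("md:AssertionConsumerService", MD)
    slo = sp.find("md:SingleLogoutService", MD)
    nid = sp.find("md:NameIDFormat", MD)
    return {
        "sp_entity_id": root.get("entityID"),          # SP Entity ID or Issuer
        "audience_uri": root.get("entityID"),          # Audience URI (same value)
        "acs_url": acs.get("Location"),                # Assertion Consumer Service (ACS) URL
        "acs_binding": BINDINGS.get(acs.get("Binding"), acs.get("Binding")),
        "slo_url": slo.get("Location") if slo is not None else None,  # Single Logout URL
        "name_id_format": nid.text if nid is not None else None,
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def warnings(values):
    """List settings to fix before this SP metadata is used in production."""
    out = []
    for key in ("sp_entity_id", "acs_url", "slo_url"):
        url = values.get(key)
        if url and urlsplit(url).scheme != "https":
            out.append(f"{key} is {urlsplit(url).scheme}, not https")
    if not values["want_assertions_signed"]:
        out.append("WantAssertionsSigned is not true: unsigned assertions would be accepted")
    if not values["authn_requests_signed"]:
        out.append("AuthnRequestsSigned is false: set Path to SP Certificate PEM Key File to sign requests")
    return out


if __name__ == "__main__":
    values = idp_values(SAMPLE_METADATA)
    for name in ("sp_entity_id", "audience_uri", "acs_url", "slo_url", "name_id_format"):
        print(f"{name}: {values[name]}")
    print("\n".join(warnings(values)))
```

For the constructed metadata the function reports three non-https URLs and the unsigned AuthnRequests; a copy with https URLs and `AuthnRequestsSigned="true"` produces no warnings.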

14

Test the SAML integration between Ops Manager and your IdP.

  1. In a private browser window, go to your Ops Manager instance.

    You are redirected to your IdP.

  2. Authenticate with your IdP.

    You are then redirected to your Ops Manager instance.