Configure Ops Manager Users for SAML Authentication

You can use an Identity Provider (IdP) that runs the Security Assertion Markup Language (SAML) service to manage Ops Manager user authentication and authorization. When you try to navigate to Ops Manager without an authenticated session, Ops Manager sends you to the IdP where you log in. After you authenticate, you return to the Ops Manager Application.

This tutorial describes how to:

Once you change your Ops Manager instance to use SAML authentication, all users remain logged in to the current session. After the authentication change, users who try to log into Ops Manager are redirected to the SAML IdP.

Setting up a SAML integration involves a circular dependency. To create a working integration:

  • The IdP needs values from the Service Provider and

  • The Service Provider needs values from the IdP.

To start this integration, follow the Prerequisites, then the Procedure in this tutorial.

To configure SAML integration, you must perform the following actions for your SAML IdP:

  1. Install your SAML IdP.

  2. Verify that your Ops Manager instance can access your IdP over the network.

  3. In the SAML IdP, you must:

    1. Create a SAML user that maps to your Ops Manager Global Owner.

    2. Create a SAML group that you can map to your Ops Manager Global Owner.

    3. Assign the Global Owner SAML group to your SAML user.

    4. Create a new application in the IdP that represents Ops Manager.

    5. Configure initial Ops Manager SAML values for this new application:

      1. Set placeholder values for the following fields:

        • SP Entity ID or Issuer

        • Audience URI

        • Assertion Consumer Service (ACS) URL

      2. Set real values for the following fields in your IdP:

        Field: Signature Algorithm
        Common Value: Your IdP might have one or more of the following values:

          • rsa-sha1

          • dsa-sha1

          • rsa-sha256

          • rsa-sha384

          • rsa-sha512

        Field: Name ID
        Common Value: Email Address

        Field: Name ID Format
        Common Value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

      3. Create attributes with Attribute Names for the following Attribute Values:

        • Email Address

        • First Name

        • Last Name

        • User Groups

      4. Configure your IdP to require signed SAML Responses and Assertions.

      5. Save these values.

To configure SAML authentication:

1
2

From your IdP, click on the Ops Manager application:

  1. Find the Ops Manager metadata values.

  2. Copy the following values to a temporary file:

    • SAML Login URL

    • SAML Logout URL

    • X.509 Certificate (for the IdP)

    • IdP Entity ID or Issuer

    • Signature Algorithm

3

Open the Ops Manager Application and navigate to: Admin > General > Ops Manager Config > User Authentication.

4
5

Type the values from the IdP for the following SAML fields:

Field: Identity Provider URI
Necessity: Required
Action:
  Type the URI for your IdP that you use to coordinate Single Sign-On.
  This URI is the IdP Entity ID or Issuer from the SAML IdP.
  This URI must be the same as the Issuer URI in the SAML response.
Default: None

Field: SSO Endpoint URL
Necessity: Required
Action:
  Type the Single Sign-On URL for your IdP.
  This URL is the SAML Login URL from your IdP.
Default: None

Field: SLO Endpoint URL
Necessity: Optional
Action:
  Type the SAML IdP URL that Ops Manager calls so that a user who logs out of Ops Manager is also logged out of the IdP.
  This is the SAML Logout URL from your IdP.
Default: None

Field: Identity Provider X509 Certificate
Necessity: Required
Action:
  Paste your IdP's X.509 Certificate in this field. The IdP provides the certificate in PEM format. Make sure you include the entire certificate content, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. Ops Manager uses this certificate to verify the signatures on the SAML Responses and Assertions it receives from the IdP.
  This is the X.509 Certificate from your IdP.
  This must be the same X.509 Certificate that you use to sign SAML Responses and Assertions.
Default: None

Field: Identity Provider Signature Algorithm
Necessity: Required
Action:
  Select the algorithm used for the signatures sent to and from the IdP. The accepted values are:

  • rsa-sha1

  • dsa-sha1

  • rsa-sha256

  • rsa-sha384

  • rsa-sha512

  This is the Signature Algorithm from your IdP.
Default: None

Field: Require Encrypted Assertions
Necessity: Optional
Action:
  Select whether or not your IdP encrypts the assertions it sends to Ops Manager.
Default: false

Field: Global Role Owner Group
Necessity: Required
Action:
  Type the name of the group in the SAML Group Member Attribute that has full privileges over this deployment, including full access to all groups and all administrative permissions. This group has the Global Owner role for this Ops Manager instance.
  You added this group to your IdP settings as part of your prerequisites.
  This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name.
Default: None

Field: SAML Attribute For User First Name
Necessity: Required
Action:
  Type the name of the SAML Attribute that contains the user's first name.
Default: None

Field: SAML Attribute For User Last Name
Necessity: Required
Action:
  Type the name of the SAML Attribute that contains the user's last name.
Default: None

Field: SAML Attribute For User Email
Necessity: Required
Action:
  Type the name of the SAML Attribute that contains the user's email address.
Default: None

Field: SAML Group Member Attribute
Necessity: Required
Action:
  Type the name of the SAML Attribute that contains the list of groups Ops Manager uses to map roles to Projects and Organizations.
Default: groups
6

Type the values from the IdP for the following SAML fields:

Field: Path to SP Certificate PEM Key File
Necessity: Optional
Action:
  Type the absolute file path to the PEM-formatted certificate that the Service Provider uses to sign requests. This certificate includes the private and public key.
  If this field is left blank:

  • Ops Manager doesn't sign SAML authentication requests to the IdP.

  • You can't encrypt SAML assertions.

Default: None

Field: Password For SP Certificate PEM Key File
Necessity: Conditional
Action:
  If you encrypted the private key in your SP PEM file, type its password in this field.
Default: None

Field: Global Automation Admin Role
Necessity: Optional
Action:
  Type the name of the group whose members have the Global Automation Admin role.
  This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name.
Default: None

Field: Global Backup Admin Role
Necessity: Optional
Action:
  Type the name of the group whose members have the Global Backup Admin role.
  This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name.
Default: None

Field: Global Monitoring Admin Role
Necessity: Optional
Action:
  Type the name of the group whose members have the Global Monitoring Admin role.
  This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name.
Default: None

Field: Global User Admin Role
Necessity: Optional
Action:
  Type the name of the group whose members have the Global User Admin role.
  This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name.
Default: None

Field: Global Read Only Role
Necessity: Optional
Action:
  Type the name of the group whose members have the Global Read Only role.
  This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name.
Default: None

7
8

Log in to Ops Manager as a user that is part of the SAML group specified in the Ops Manager SAML Global Role Owner field.

Upon successful login, Ops Manager displays your projects page.

9

Note

You must have any global role to create a new project.

To create a new project:

  1. Click Admin > General > Projects.

  2. Click Create a New Project.

  3. In Project Name, type a name for the new Ops Manager project.

  4. Enter the SAML groups that correspond to each project role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role's field to revoke the group's access for that role.

  5. Click Add Project.

To edit the SAML settings of an existing project:

  1. Click Admin > General > Projects.

  2. In the Actions column for a project, click , then click Edit SAML Settings.

  3. Enter the SAML groups that correspond to each project role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role's field to revoke the group's access for that role.

  4. Click Save Changes.

10

Note

You must have any global role to create a new organization.

To create a new organization:

  1. Click Admin > General > Organizations.

  2. Click Create a New Organization.

  3. In Organization Name, type a name for the new Ops Manager organization.

  4. Enter the SAML groups that correspond to each organization role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role's field to revoke the group's access for that role.

  5. Click Add Organization.

To edit the SAML settings of an existing organization:

  1. Click Admin > General > Organizations.

  2. Click the Edit Org button.

  3. Enter the SAML groups that correspond to each organization role.

    Important

    You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (;;). Remove a group from a role's field to revoke the group's access for that role.

  4. Click Save Changes.
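The group fields above (the Global role groups in the User Authentication settings and the per-project and per-organization role fields with their ";;" separator) all resolve the same way: the group values carried in the SAML Group Member Attribute are compared against the groups listed in each role field. The following Python block is an added illustration of that mapping, not Ops Manager code. It parses a constructed SAML Response, checks that the Issuer matches the configured Identity Provider URI, reads the first name, last name, email and group attributes under the configured attribute names, and grants a role when any group in its ";;"-separated field matches. All hostnames, group names and attribute names are placeholders, and signature verification (which Ops Manager performs with the Identity Provider X509 Certificate before trusting any of these values) is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed configuration using the Ops Manager field names; every value is a placeholder.
CONFIG = {
    "Identity Provider URI": "https://idp.example.internal/metadata",
    "SAML Attribute For User First Name": "firstName",
    "SAML Attribute For User Last Name": "lastName",
    "SAML Attribute For User Email": "email",
    "SAML Group Member Attribute": "groups",
}

# Global role fields as configured under User Authentication (placeholder group names).
GLOBAL_ROLES = {
    "Global Owner": "om-global-owners",
    "Global Read Only": "om-global-readers",
}

# Per-project role fields; several groups in one field are separated by two semicolons.
PROJECT_ROLES = {
    "Project Owner": "om-proj-a-owners",
    "Project Read Only": "om-proj-a-readers;;om-auditors",
    "Project Monitoring Admin": "",  # blank field: nobody is granted this role
}

# Constructed SAML Response (unsigned; a real one is verified against the IdP certificate first).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.internal/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.internal/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.internal</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.internal</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>om-auditors</saml:AttributeValue>
        <saml:AttributeValue>om-proj-a-owners</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_group_field(field):
    """Split a role field on the ';;' separator, ignoring empty entries."""
    return {g.strip() for g in field.split(";;") if g.strip()}


def extract_user(response_xml, config):
    """Check the Issuer and pull the configured user and group attributes out of the assertion."""
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["Identity Provider URI"]:
        raise ValueError(f"Issuer {issuer!r} does not match the configured Identity Provider URI")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    def single(field):
        values = attrs.get(config[field], [])
        if len(values) != 1:
            raise ValueError(f"Attribute for {field!r} must carry exactly one value")
        return values[0]

    return {
        "first_name": single("SAML Attribute For User First Name"),
        "last_name": single("SAML Attribute For User Last Name"),
        "email": single("SAML Attribute For User Email"),
        "groups": set(attrs.get(config["SAML Group Member Attribute"], [])),
    }


def resolve_roles(user_groups, role_fields):
    """Grant each role whose ';;'-separated group field shares at least one group with the user."""
    return [role for role, field in role_fields.items() if user_groups & parse_group_field(field)]


if __name__ == "__main__":
    user = extract_user(SAMPLE_RESPONSE, CONFIG)
    print(user["email"], "global:", resolve_roles(user["groups"], GLOBAL_ROLES))
    print(user["email"], "project:", resolve_roles(user["groups"], PROJECT_ROLES))
```

Because a blank field yields an empty group set, removing a group from a role's field revokes that role for its members on the next login, which is the behaviour the Important notes above describe.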

11

Specify the SAML authentication settings when adding a MongoDB deployment.

12

After you save the SAML configuration, a link to Download the Metadata XML File appears.

Click this link to download the SAML SP metadata XML file.

This metadata file should look similar to this example:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-09-13T20:36:00Z" cacheDuration="PT604800S" entityID="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080" ID="ONELOGIN_f95ad815-e8da-4ab3-a799-3c581484cd6a">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080/saml/assert" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
13

If your IdP offers the option, import your metadata into the IdP. Ops Manager serves as the Service Provider (SP) for your IdP.

Provide the following values from the metadata XML file to the IdP:

Field: SP Entity ID or Issuer
Common Value: <OpsManagerHost>:<Port>

Field: Audience URI
Common Value: <OpsManagerHost>:<Port>

Field: Assertion Consumer Service (ACS) URL
Common Value: <OpsManagerHost>:<Port>/saml/assert

Field: Single Logout URL
Common Value: <OpsManagerHost>:<Port>/saml/logout

If one or more of these values are missing, use the guidelines listed in the previous table to set those values.

Save these values in your IdP.
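When the IdP cannot import the metadata file directly, the values in the table above have to be read out of it by hand. The Python block below is an added example, not part of the Ops Manager documentation or product: it parses a constructed SP metadata document with the same structure as the example above (the host is a placeholder), derives the four IdP-side values from it, and reports the two settings a reviewer would check before saving: whether the SP requires signed assertions and signs its own requests (AuthnRequestsSigned is "false" when the Path to SP Certificate PEM Key File is blank), and whether the endpoints are served over HTTPS.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample modelled on the page's SP metadata example; the host is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="https://opsmanager.example.internal:8443" ID="_placeholder_id">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://opsmanager.example.internal:8443/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://opsmanager.example.internal:8443/saml/assert" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_values_from_sp_metadata(xml_text):
    """Return the values the IdP needs, keyed by the field names used in the table above."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    name_id_format = sp.find("md:NameIDFormat", NS)
    entity_id = root.get("entityID")
    return {
        "SP Entity ID or Issuer": entity_id,
        # Ops Manager uses the same value for the entity ID and the audience.
        "Audience URI": entity_id,
        "Assertion Consumer Service (ACS) URL": acs.get("Location") if acs is not None else None,
        "Single Logout URL": slo.get("Location") if slo is not None else None,
        "Name ID Format": name_id_format.text if name_id_format is not None else None,
        "AuthnRequestsSigned": sp.get("AuthnRequestsSigned") == "true",
        "WantAssertionsSigned": sp.get("WantAssertionsSigned") == "true",
    }


def review_findings(values):
    """List the settings worth a second look before the metadata is handed to the IdP."""
    findings = []
    if not values["WantAssertionsSigned"]:
        findings.append("SP does not require signed assertions")
    if not values["AuthnRequestsSigned"]:
        findings.append("SP does not sign its authentication requests (no SP certificate PEM configured)")
    for key in ("SP Entity ID or Issuer", "Assertion Consumer Service (ACS) URL", "Single Logout URL"):
        url = values.get(key)
        if url and not url.startswith("https://"):
            findings.append(f"{key} is not served over HTTPS: {url}")
    return findings


if __name__ == "__main__":
    values = idp_values_from_sp_metadata(SAMPLE_METADATA)
    for field in ("SP Entity ID or Issuer", "Audience URI",
                  "Assertion Consumer Service (ACS) URL", "Single Logout URL"):
        print(f"{field}: {values[field]}")
    for finding in review_findings(values):
        print("check:", finding)
```

Run against the page's own example (which uses plain http and port 8080) the HTTPS check fires for all three endpoints, which is the sort of thing to resolve before the IdP starts posting assertions to that ACS URL.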

14
  1. In a private browser window, go to your Ops Manager instance.

    You are redirected to your IdP.

  2. Authenticate with your IdP.

    You are then redirected to your Ops Manager instance.
