Throughout the following procedure, it is helpful to have one browser tab open to your Federation Management Console and one tab open to your Okta account.
Map your Domain¶
Mapping your domain to the IdP lets Cloud Manager know that users from your domain should be directed to the Login URL for your identity provider configuration.
When users visit the Cloud Manager login page, they enter their email address. If the email domain is associated with an IdP, they are sent to the Login URL for that IdP.
Important
You can map a single domain to multiple identity providers. If you do, users who log in using the MongoDB Cloud console are automatically redirected to the first matching IdP mapped to the domain. To log in using an alternative identity provider, users must either:
- Initiate the MongoDB Cloud login through the desired IdP, or
- Log in using the Login URL associated with the desired IdP.
Use the Federation Management Console to map your domain to the IdP:
Open the Federation Management Console.¶
- Log in to Cloud Manager.
- Use the dropdown at the top-left of Cloud Manager to select the organization for which you want to manage federation settings.
- Click Settings in the left navigation pane.
- In Manage Federation Settings, click Visit Federation Management App.
Enter domain mapping information.¶
- Click Add a Domain.
- On the Domains screen, click Add Domain.
- Enter the following information for your domain mapping:

| Field | Description |
| --- | --- |
| Display Name | Name to easily identify the domain. |
| Domain Name | Domain name to map. |

- Click Next.
Choose how to verify your domain.¶
Note
You can choose the verification method only once; it cannot be modified afterwards. To select a different verification method, delete and recreate the domain mapping.
Select the appropriate tab based on whether you are verifying your domain by uploading an HTML file or creating a DNS TXT record:
- Upload HTML File
- Create DNS Record
Upload an HTML file containing a verification key to verify that you own your domain.
- Click HTML File Upload.
- Click Next.
- Download the mongodb-site-verification.html file that Cloud Manager provides.
- Upload the HTML file to a web site on your domain. You must be able to access the file at <https://host.domain>/mongodb-site-verification.html.
- Click Finish.
Create a DNS TXT record with your domain provider to verify that you own your domain. Each DNS record associates a specific Cloud Manager organization with a specific domain.
- Click DNS Record.
- Click Next.
- Copy the provided TXT record. The TXT record has the following form:
- Log in to your domain name provider (such as GoDaddy.com or networksolutions.com).
- Add the TXT record that Cloud Manager provides to your domain.
- Return to Cloud Manager and click Finish.
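Before clicking Verify, it is worth confirming from outside Cloud Manager that the record or the file is actually visible, because a failed verification usually means the DNS change has not propagated yet or the file is not being served at the exact path. The following POSIX shell script is an added example; it is not part of the MongoDB documentation or of any Cloud Manager tooling. It assumes that the TXT record value you copied from the console is passed in verbatim as one argument (no particular format is assumed, because the page does not show one) and that the verification file is served at the path given in the procedure. The parsing helpers can be exercised offline on constructed `dig` output; `check_dns` and `check_html` need network access and the `dig`, `curl` and `cmp` tools.

```shell
#!/bin/sh
# Added example: pre-flight checks for Cloud Manager domain verification.
# Not part of the MongoDB documentation. Requires dig, curl and cmp.

VERIFY_PATH="/mongodb-site-verification.html"   # path given in the procedure

# Normalise `dig +short TXT` output, one record per line: strip the
# surrounding quotes and join records that dig prints as several quoted
# strings ("abc" "def" -> abcdef). Reads stdin, writes stdout.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 if the exact record value $1 is present in the dig output on
# stdin. The match is whole-line and literal, so a record that merely
# contains the value as a substring (e.g. with a stray suffix) does not pass.
txt_record_present() {
    normalize_txt | grep -Fxq -e "$1"
}

# Exit 0 if the file fetched from the site ($1) is byte-identical to the
# file downloaded from Cloud Manager ($2). The file carries a verification
# key, so any rewriting by the web server (minification, injected
# analytics, an added newline) would invalidate it.
html_file_matches() {
    cmp -s "$1" "$2"
}

# Live check of the DNS method: $1 = domain, $2 = TXT record value.
check_dns() {
    dig +short TXT "$1" | txt_record_present "$2"
}

# Live check of the HTML method: $1 = host, $2 = path to the file from
# Cloud Manager. HTTPS is required by the procedure; -L is deliberately
# omitted so a redirect to another host cannot pass as success.
check_html() {
    tmp=$(mktemp) || return 1
    if curl -sSf "https://$1$VERIFY_PATH" -o "$tmp" && html_file_matches "$tmp" "$2"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Usage: sh check-domain.sh dns  <domain> <txt-record-value>
#        sh check-domain.sh html <host>   <downloaded-file>
case "${1:-}" in
    dns)  check_dns "$2" "$3"  && echo "TXT record found" \
              || { echo "TXT record missing (not yet propagated?)"; exit 1; } ;;
    html) check_html "$2" "$3" && echo "verification file matches" \
              || { echo "verification file missing or altered"; exit 1; } ;;
esac
```

Run the DNS check against a resolver other than the one your workstation uses (for example `dig @1.1.1.1`) if you want to see what Cloud Manager's resolvers are likely to see rather than a locally cached answer.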
Verify your domain.¶
The Domains screen displays both unverified and verified domains you've mapped to your IdP. To verify your domain, click the target domain's Verify button. Cloud Manager shows whether the verification succeeded in a banner at the top of the screen. If verification fails immediately after you add a TXT record, wait for the record to propagate and try again.
Associate Your Domain with Your Identity Provider¶
After successfully verifying your domain, use the Federation Management Console to associate the domain with Okta:
Click Identity Providers in the left navigation.¶
For the IdP you want to associate with your domain, click the pencil icon next to Associated Domains.¶
Select the domain you want to associate with the IdP.¶
Test Your Domain Mapping¶
Important
Before you begin testing, copy and save the Bypass SAML Mode URL for your IdP. Use this URL to bypass federated authentication in the event that you are locked out of your Cloud Manager organization. Because the URL lets a user skip your IdP, treat it as a break-glass credential: store it where you keep other emergency access material, not in a shared chat or ticket.
While testing, keep your session logged in to the Federation Management Console to further ensure against lockouts.
To learn more about Bypass SAML Mode, see Bypass SAML Mode.
Use the Federation Management Console to test the integration between your domain and Okta:
In a private browser window, navigate to the Cloud Manager login page.¶
Enter a username (usually an email address) with your verified domain.¶
Example
If your verified domain is mongodb.com, enter alice@mongodb.com.
Click Next.¶
If you mapped your domain correctly, you're redirected to your IdP to authenticate. If authenticating with your IdP succeeds, you're redirected back to Cloud Manager.
Note
You can bypass the Cloud Manager login page by navigating directly to your IdP's Login URL. The Login URL takes you directly to your IdP to authenticate.