Configure MongoDB Atlas UI to use Teleport's SAML IDP

[oshati]

Generally, the approach is to follow Teleport as a SAML identity provider.

Pre-requisite
You must verify ownership of the domain that you register with your IdP in Atlas.

Step 1: Configure the Atlas UI to recognize Teleport's SAML IdP

To achieve this, obtain the Teleport saml-idp certificate authority and values required by following Step 2/3 - Configure the service provider to recognize Teleport's SAML IdP

• On Atlas admin console, configure the connection settings for Teleport identity provider by following the guide to set up Workforce Identity Federation

• Copy in the Teleport SAML IdP Issuer URI, SSO URL and X.509 certificate. (Alternatively, you can upload the certs)

Step 2: Add Atlas UI as a service provider to Teleport

On the next page from Step 1 above, you'll be presented with the below page which contains values required to configure the service provider metadata in Teleport.

• Complete this step by adding the Atlas Service provider metadata to Teleport, by following the guide Step 1/3 - Add the Service Provider metadata to Teleport

Take note of the REQUIRED user information from the Teleport IDP and the attribute name format that Atlas expects.

• Click Finish button, the Atlas console app is now added to Teleport.

Step 3: Associate a Domain and Activate IDP

In order to complete the identity provider setup on Atlas, at least a domain has to be associated with the identity provider before it can be activated.

Associate a Domain

• In your Workforce Identity Provider page, click Associate Domains.
• In the Associate Domains with Identity Provider modal, select one or more domains.
• Click Submit.

Activate IDP

• Once completed navigate to the upper right of the Identity provider page and Select on the manage drop down
• Click Activate Identity provider

Step 4: Verify Atlas UI console access via Teleport works
To verify everything works, navigate to Resources page in Teleport Web UI. The Atlas console app will now appear under resources tile. Inside this tile, click Login button, which will now forward you to Atlas console.

User Information Requirements

• The NameID must be formatted as an email address and will be used as both the username and primary email.
• The SAML response must include the following attributes: firstName,lastName

Alternatively, if you wish to create thesaml_idp_service_provider resource with tctl create or via API, you may refer to the working example below:

More information on SAML Attribute Mapping

kind: saml_idp_service_provider
metadata:
  name: atlas
  revision: 8e386b4b-87e0-4f1c-ad6f-4fb1919d8b38
spec:
  acs_url: https://auth.mongodb.com/sso/saml2/xxxxx
  attribute_mapping:
  - name: firstName
    name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
    value: user.spec.traits.firstname
  - name: lastName
    name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
    value: user.spec.traits.lastname
  - name: memberOf
    name_format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    value: user.spec.roles
  entity_descriptor: |2-
     <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-07-30T00:20:40.763Z" entityID="https://www.okta.com/saml2/service-provider/xxxxxx">
         <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-07-30T00:20:40.762507517Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">
             <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
             <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth.mongodb.com/sso/saml2/xxxxxxx" index="1"></AssertionConsumerService>
         </SPSSODescriptor>
         <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="">
             <AttributeConsumingService index="0">
                 <ServiceName xml:lang="">teleport_saml_idp_service</ServiceName>
                 <RequestedAttribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                     <AttributeValue xmlns:_XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" _XMLSchema-instance:type="">user.spec.traits.firstname</AttributeValue>
                 </RequestedAttribute>
                 <RequestedAttribute FriendlyName="lastName" Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                     <AttributeValue xmlns:_XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" _XMLSchema-instance:type="">user.spec.traits.lastname</AttributeValue>
                 </RequestedAttribute>
                 <RequestedAttribute FriendlyName="memberOf" Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                     <AttributeValue xmlns:_XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" _XMLSchema-instance:type="">user.spec.roles</AttributeValue>
                 </RequestedAttribute>
             </AttributeConsumingService>
         </SPSSODescriptor>
     </EntityDescriptor>
  entity_id: https://www.okta.com/saml2/service-provider/xxxx
  preset: unspecified
  relay_state: ""
version: v1