1. Enabling Federated Identity for MongoDB Atlas Access


    Federated identity management allows users to access multiple systems with one set of credentials, improving security and simplifying the authentication process. MongoDB Atlas, the Database as a Service (DBaaS) from MongoDB, also provides a way to enable federated identity access, which can be managed through Pulumi, an Infrastructure as Code tool.

    To enable federated identity access to MongoDB Atlas, you need to configure an identity provider (IdP) and then set up MongoDB Atlas to trust the IdP.

    In this high-level overview, I will show you how to achieve federated identity access in MongoDB Atlas using Pulumi with an example identity provider configuration. In this case, let's focus on integrating it with an AWS IAM identity provider, using the AWS SAML provider resource. MongoDB Atlas has its own Pulumi resources, but setting up MongoDB Atlas to trust an IdP is something you need to do within MongoDB Atlas's settings and is less about deploying resources with Pulumi.

    Here's a Pulumi program that showcases the setup of an AWS IAM SAML provider, which is a necessary step to federate identity with MongoDB Atlas:

        import pulumi
        import pulumi_aws as aws

        # Assume that the SAML metadata document has been obtained from your identity provider
        # and saved to a file. Replace 'saml_metadata.xml' with the path to your metadata file.
        with open('saml_metadata.xml', 'r') as file:
            saml_metadata_document = file.read()

        # Create an IAM SAML provider resource.
        # This provider will allow federated users to sign in to AWS with their corporate credentials.
        iam_saml_provider = aws.iam.SamlProvider(
            "my-saml-provider",
            saml_metadata_document=saml_metadata_document,
        )

        # The IAM SAML provider ARN can be used in your AWS Identity and Access Management
        # configurations to establish trust relationships between AWS and your identity provider.
        pulumi.export('saml_provider_arn', iam_saml_provider.arn)

    In the above program:

    • We assume that you have obtained the SAML metadata document from your federated identity provider and it's available locally as a file.
    • A new SAML provider is created in AWS IAM which allows the federated identity access.
    • The pulumi.export call outputs the generated ARN of the SAML provider, which you can then use in your MongoDB Atlas configuration.

    To complete the integration with MongoDB Atlas, you need to use the generated SAML provider in your MongoDB Atlas settings and configure it to trust this SAML provider as the IdP. This is usually done in the security settings of your MongoDB Atlas organization.

    This may involve steps such as:

    1. Navigating to your MongoDB Atlas console and going to your organization settings.
    2. Locating the "Federated Authentication" section.
    3. Importing the SAML metadata from your IdP, which, in the context of this guide, would be the metadata from the AWS SAML provider we've set up with Pulumi.
    4. Testing the configuration to ensure users can authenticate with their federated identity credentials.

    Finally, it's important to state that the actual configuration in MongoDB Atlas to trust an IdP is an application-level concern and is typically orchestrated within the MongoDB Atlas UI or API itself, rather than as a set of infrastructure resources managed by Pulumi.

    Please consult MongoDB Atlas documentation regarding federated authentication setup for the specific steps you need to perform within the Atlas UI or API after setting up your identity provider.