You can map your IdP groups to Atlas roles. This streamlines authorization setup. You can grant one IdP group one or more roles to simplify their access to Atlas organizations, projects, and clusters.
Note
You can't edit roles for specific users on the Access Manager page if you configure role mappings for IdP groups.
Role Mapping Process
- Atlas applies the role mappings when you log in.
- Atlas compares the IdP groups carried in the memberOf attribute to the role mappings defined for your organizations. These organizations must use the same IdP that the user authenticated with.
- Atlas applies the mapped roles to federated users if you defined role mappings.
- Atlas applies the default role if:
  - You haven't defined any role mappings, or
  - The role mappings would leave the user without any roles.
- Organization role mappings define federated users' Atlas access. If a federated user logs in but doesn't belong to an IdP group mapped to a desired organization, Atlas removes the mapped role from the user in that organization and its projects. The federated user may still have other IdP groups. For example, consider a user who belongs to the admin IdP group, and a role mapping of admin to Organization Owner in Organization A. If you remove that user from the admin IdP group, Atlas removes that user's Organization Owner role when the user next logs in.
- Every organization must have at least one user with the Organization Owner role. If removing a role would remove the last owner from an organization, the removal fails.
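The login-time resolution described above, as an added illustrative model (not Atlas code): it pulls the memberOf values out of a constructed SAML assertion, matches them against an organization's mappings, applies an assumed default role when nothing matches, revokes mapped roles the user no longer qualifies for, and refuses to strip the last Organization Owner. The role names, the default role, the user names and the sample assertion are all assumptions made for the example.

```python
"""Model of the Atlas role-mapping process described above.

Added, illustrative model, not Atlas code. Role names, the assumed default
role and the sample SAML assertion are constructed for this example.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ORG_OWNER = "Organization Owner"
# Assumption: the role the organization is configured to give federated
# users when no mapping applies.
DEFAULT_ROLE = "Organization Member"

# Constructed sample: the AttributeStatement an IdP might send, carrying
# the memberOf attribute the prerequisites require.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>dev-readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class RoleMapping:
    group: str                 # IdP group name (or Entra ID group Object ID)
    org_roles: set             # organization roles granted to the group
    project_roles: dict = field(default_factory=dict)  # project -> set of roles


@dataclass
class Organization:
    name: str
    mappings: list = field(default_factory=list)        # RoleMapping objects
    roles_by_user: dict = field(default_factory=dict)   # user -> org roles held now


def groups_from_assertion(xml_text):
    """Collect the memberOf values (group names or Object IDs) from an assertion."""
    root = ET.fromstring(xml_text)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != "memberOf":
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def apply_login(org, user, idp_groups):
    """Recompute a federated user's roles in one organization at login.

    Returns (org_roles, project_roles, errors).
    """
    errors = []
    matched = [m for m in org.mappings if m.group in idp_groups]
    granted = set()
    project_roles = {}
    for m in matched:
        granted |= m.org_roles
        for project, roles in m.project_roles.items():
            project_roles.setdefault(project, set()).update(roles)
    # No mappings defined, or none matched: fall back to the default role.
    if not granted:
        granted = {DEFAULT_ROLE}
    # Only roles that some mapping in this org can grant are subject to
    # revocation at login; roles granted by other means are left alone.
    mappable = set().union(*(m.org_roles for m in org.mappings))
    current = set(org.roles_by_user.get(user, set()))
    to_remove = (current & mappable) - granted
    if ORG_OWNER in to_remove:
        other_owners = [u for u, r in org.roles_by_user.items()
                        if u != user and ORG_OWNER in r]
        if not other_owners:
            errors.append(f"{org.name}: refusing to remove last {ORG_OWNER} ({user})")
            to_remove.discard(ORG_OWNER)
    new_roles = (current - to_remove) | granted
    org.roles_by_user[user] = new_roles
    return new_roles, project_roles, errors


if __name__ == "__main__":
    org_a = Organization("Organization A", mappings=[
        RoleMapping("admin", {ORG_OWNER}, {"Project X": {"Project Owner"}}),
        RoleMapping("dev-readers", {"Organization Read Only"},
                    {"Project X": {"Project Read Only"}}),
    ], roles_by_user={"bob": {ORG_OWNER}})
    groups = groups_from_assertion(SAMPLE_ASSERTION)
    print("first login:", apply_login(org_a, "alice", groups))
    # alice was removed from the admin group in the IdP before her next login.
    print("after leaving admin:", apply_login(org_a, "alice", ["dev-readers"]))
```

Run it to see the Organization Owner role granted on the first login and revoked on the next once the admin group is no longer asserted; a third organization in which the user is the only owner keeps the role and reports the failed removal instead.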
 
Required Access
To manage federated authentication, you must have
Organization Owner access to one or more organizations that delegate
federation settings to the instance.
Prerequisites
To complete this tutorial, you must have:
- Created an IdP application. This application must have a SAML attribute named memberOf. Map this attribute to the IdP's source attribute for groups; it links the IdP groups with your Atlas roles. 
- Linked an IdP to Atlas. 
- Mapped at least one Atlas organization to your IdP. 
- Created at least one group in your IdP. 
- Added at least one user in your IdP application to a group you created. 
Add Role Mappings in Your Organization and its Projects
In Atlas, go to the Federation Management console for your organization.
- If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar. 
- In the sidebar, click Federation under the Identity & Access heading. 
- Click Open Federation Management App. 
The Federation page displays.
Choose an organization in which you want to map roles.
- Click Manage Organizations. Atlas displays all organizations where you are an Organization Owner in a table.
  - Organizations already connected to federated authentication show their connection status in the Actions column.
  - Organizations not yet connected to federated authentication display Connect in the Actions column.
- To map roles in an organization:
  - Click Connect to enable federated authentication for that organization if needed.
  - Open the organization's action menu and select View.

Assign Atlas organization roles to the desired IdP group.
At the Map Group and Assign Roles stage:
| Section | Action | 
|---|---|
| Enter Group Name | Type the name of the group as it is displayed in your IdP in this field. Atlas assigns this group to your Atlas role. Note that the name of the group can't exceed 200 characters. If the IdP group doesn't exist, you can't enter a new group name to create a new IdP group. If you use Microsoft Entra ID as your IdP and you selected Group Id as your source attribute, enter the group's Object ID in this field instead of the group's name. To learn more, see Configure Microsoft Entra ID as an Identity Provider. | 
| Assign Organization Roles | Click on each Atlas organization role that you want to assign to the IdP group. | 
- If you don't need to assign any Atlas project roles to this IdP group, click Finish. You can skip the rest of this procedure. 
- If you need to assign Atlas project roles to this IdP group, click Next. 
Assign Atlas project roles to the desired IdP group.
The Assign Project Roles stage displays a table. This table includes project names and the roles you can assign for those projects. For each project, click the project roles that you want to assign to the IdP group.
- If you don't need to review the roles assigned to this IdP group, click Finish. You can skip the rest of this procedure. 
- If you need to review the roles assigned to this IdP group, click Next. 
Verify which Atlas roles have been assigned to the desired IdP group.
The Review and Confirm stage displays the organization and project roles assigned to the IdP group.
- If you agree with the roles assigned to this IdP group, click Finish. 
- If you need to change the roles assigned to this IdP group, click Edit. Atlas returns to the Map Group and Assign Roles stage. 
Edit Role Mappings in Your Organization and its Projects
In Atlas, go to the Federation Management console for your organization.
- If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar. 
- In the sidebar, click Federation under the Identity & Access heading. 
- Click Open Federation Management App. 
The Federation page displays.
Choose an organization in which you want to edit role mappings.
- Click Manage Organizations. Atlas displays all organizations where you are an Organization Owner in a table.
- Open the menu next to the desired IdP Group Name and select View. 
Assign Atlas organization roles to the desired IdP group.
At the Map Group and Assign Roles stage:
| Section | Action | 
|---|---|
| Enter Group Name | Type the name of the group as it is displayed in your IdP in this field. Atlas assigns this group to your Atlas role. Note that the name of the group can't exceed 200 characters. If the IdP group doesn't exist, you can't enter a new group name to create a new IdP group. If you use Microsoft Entra ID as your IdP and you selected Group Id as your source attribute, enter the group's Object ID in this field instead of the group's name. To learn more, see Configure Microsoft Entra ID as an Identity Provider. | 
| Assign Organization Roles | Click on each Atlas organization role that you want to assign to the IdP group. | 
- If you don't need to assign any Atlas project roles to this IdP group, click Finish. You can skip the rest of this procedure. 
- If you need to assign Atlas project roles to this IdP group, click Next. 
Assign Atlas project roles to the desired IdP group.
The Assign Project Roles stage displays a table. This table includes project names and the roles you can assign for those projects. For each project, click the project roles that you want to assign to the IdP group.
- If you don't need to review the roles assigned to this IdP group, click Finish. You can skip the rest of this procedure. 
- If you need to review the roles assigned to this IdP group, click Next. 
Verify which Atlas roles have been assigned to the desired IdP group.
The Review and Confirm stage displays the organization and project roles assigned to the IdP group.
- If you agree with the roles assigned to this IdP group, click Finish. 
- If you need to change the roles assigned to this IdP group, click Edit. Atlas returns to the Map Group and Assign Roles stage. 
Remove One Role Mapping in Your Organization and its Projects
In Atlas, go to the Federation Management console for your organization.
- If it's not already displayed, select your desired organization from the Organizations menu in the navigation bar. 
- In the sidebar, click Federation under the Identity & Access heading. 
- Click Open Federation Management App. 
The Federation page displays.
Choose an organization in which you want to map roles.
- Click Manage Organizations. Atlas displays all organizations where you are an Organization Owner in a table.
  - Organizations already connected to federated authentication show their connection status in the Actions column.
  - Organizations not yet connected to federated authentication display Connect in the Actions column.
- To map roles in an organization:
  - Click Connect to enable federated authentication for that organization if needed.
  - Open the organization's action menu and select View.

Navigate to the Organization Role Mappings page.
- Click Create Role Mappings. Atlas displays the Organization Role Mappings page. 
- Click Delete to the right of the IdP group you want to remove. Atlas displays the Delete role mappings for this group modal. 
- Click Delete to remove all role mappings from this IdP group. If you don't want to remove all role mappings, click Cancel.