Reputation: 479
I've set up our AWS SSO (IAM Identity Centre) to provide federated authentication to our MongoDB Atlas organisation by using the AWS built-in MongoDB application within AWS SSO.
I've also set up role mappings by following https://www.mongodb.com/docs/atlas/security/manage-role-mapping/, ensuring that I'm using matching group names on both Mongo + AWS ends as well as ensuring the user is in the group in AWS SSO.
When adding the role mapping, Atlas tells me to ensure the memberOf claim is included in the SAML assertion. I couldn't find documentation on exactly how to do this, but I've guessed and used ${user:groups}, which I found on another AWS tutorial about using SSO to authenticate with a VPN.
My colleague was able to click the MongoDB application button in their AWS SSO dashboard and they were authenticated with MongoDB Atlas and logged in. However, the role mappings are not being used and my colleague is just receiving the default role set for the organisation.
I've checked and triple checked the instructions and ensured my colleague is in the right groups in AWS SSO and that the group names exactly match on Atlas' end.
How can I successfully configure role mappings?
Upvotes: 0
Views: 554
Reputation: 479
I couldn't find it documented, but the solution is not to use AWS SSO group names but instead use the group IDs in the role mappings within Atlas.
Changing the role mappings to the group IDs shown in AWS SSO resolves the problem and users pick up the expected role.
Upvotes: 0
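As an added illustration of the answer above (example code written here, not from the poster or from MongoDB/AWS), the snippet below parses the memberOf attribute out of a constructed SAML assertion and applies Atlas-style role mappings to it. The assumption, taken from the answer, is that ${user:groups} fills memberOf with the Identity Center group ID rather than the display name; the group ID, group name and the Atlas organization role names are example values.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the memberOf attribute populated from
# ${user:groups}. The value is a placeholder group ID, not a real one.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed organisation default role and example role mappings.
DEFAULT_ROLES = {"ORG_MEMBER"}
# Mapping keyed by the group's display name: what the question tried.
MAPPING_BY_NAME = {"mongo-atlas-admins": ["ORG_OWNER"]}
# Mapping keyed by the group ID: what the answer recommends.
MAPPING_BY_ID = {"11111111-2222-3333-4444-555555555555": ["ORG_OWNER"]}


def member_of(assertion_xml: str) -> list[str]:
    """Return every memberOf value carried by the assertion, in order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == "memberOf":
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                if val.text:
                    values.append(val.text.strip())
    return values


def resolve_roles(groups, role_mappings, default_roles):
    """Apply role mappings the way the answer describes: a mapping only fires
    when its key equals a memberOf value exactly; otherwise the default applies."""
    roles = set()
    for key, mapped in role_mappings.items():
        if key in groups:
            roles.update(mapped)
    return sorted(roles) if roles else sorted(default_roles)


def compare_mappings():
    """Roles granted by the name-keyed mapping versus the ID-keyed mapping."""
    groups = member_of(SAMPLE_ASSERTION)
    return (resolve_roles(groups, MAPPING_BY_NAME, DEFAULT_ROLES),
            resolve_roles(groups, MAPPING_BY_ID, DEFAULT_ROLES))


if __name__ == "__main__":
    print(compare_mappings())  # (['ORG_MEMBER'], ['ORG_OWNER'])
```

Decoding a real assertion (for example from the browser's SAML trace) and running it through member_of is the quickest way to confirm what the claim actually carries before editing the Atlas mappings.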