Configure MongoDB with Workforce Identity Federation
Configure MongoDB with Workforce Identity Federation to authenticate users across different platforms using a single set of credentials. This enhances security and simplifies user management.
Important
OpenID Connect (OIDC) is only supported on Linux.
Before you Begin
Ensure that you are on MongoDB Enterprise.
To verify that you are using MongoDB Enterprise, pass the --version command line option to the mongod or mongos:

    mongod --version

In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries.
Configure your external identity provider. For more details, see Configure an External Identity Provider for Workforce Authentication.
Steps
Configure the MongoDB server with OpenID Connect (OIDC)
To configure the MongoDB server, enable the MONGODB-OIDC
authentication mechanism and use the oidcIdentityProviders
parameter to specify identity provider (IdP) configurations.
Note
When configuring MongoDB for Workforce Identity Federation,
set the supportsHumanFlows field in oidcIdentityProviders
to true.
You can configure the MongoDB server using your configuration file or command line.
To use your configuration file, specify two parameters in the file:
    setParameter:
      authenticationMechanisms: MONGODB-OIDC
      oidcIdentityProviders: [
        {
          "issuer": "https://okta-test.okta.com",
          "audience": "example@kernel.mongodb.com",
          "authNamePrefix": "okta-issuer",
          "matchPattern": "@mongodb.com$",
          "JWKSPollSecs": 86400
        }
      ]
To use the command line, specify the following:
    mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
      'oidcIdentityProviders=[ { "issuer": "https://okta-test.okta.com", "audience": "example@kernel.mongodb.com", "authNamePrefix": "okta-issuer", "matchPattern": "@mongodb.com$", "JWKSPollSecs": 86400 } ]'
(Optional) Enable internal authorization
To enable internal authorization, set the useAuthorizationClaim field
of the oidcIdentityProviders parameter to false. This setting
enables more flexible user management by relying on user documents rather
than authorization claims from the identity provider.
To use your configuration file, specify the following (useAuthorizationClaim is a boolean, so it is written unquoted):

    setParameter:
      authenticationMechanisms: MONGODB-OIDC
      oidcIdentityProviders: [
        {
          "issuer": "https://okta-test.okta.com",
          "audience": "example@kernel.mongodb.com",
          "authNamePrefix": "okta-issuer",
          "matchPattern": "@mongodb.com$",
          "useAuthorizationClaim": false,
          "JWKSPollSecs": 86400
        }
      ]
To use the command line, specify the following:

    mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
      'oidcIdentityProviders=[ { "issuer": "https://okta-test.okta.com", "audience": "example@kernel.mongodb.com", "authNamePrefix": "okta-issuer", "matchPattern": "@mongodb.com$", "useAuthorizationClaim": false, "JWKSPollSecs": 86400 } ]'
When you set useAuthorizationClaim to false, users who
authenticate with the MONGODB-OIDC mechanism obtain their
authorization rights from a user document in $external. For every
OIDC-based authentication attempt by a user of your identity provider,
the server searches for a user document whose _id matches the value
authNamePrefix/principalName, where principalName is the claim value
from the identity provider.
Important
If this field is set to false, do not include the authorizationClaim
field.
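As an added example (not code from the MongoDB documentation), the Python below applies the rules stated on this page to an oidcIdentityProviders entry: it flags a supportsHumanFlows that is not true, a useAuthorizationClaim that is not a boolean, and an authorizationClaim present alongside useAuthorizationClaim: false, and it derives the $external _id (authNamePrefix/principalName) that the server looks up when useAuthorizationClaim is false. The checks are this page's rules as read here, not mongod's own validation; the sample provider and principal names are constructed, and the principalName claim is assumed to equal the user name that matchPattern is tested against.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the provider entry from this page, with the
# useAuthorizationClaim: false variant (not the page's own code).
PROVIDERS = [
    {
        "issuer": "https://okta-test.okta.com",
        "audience": "example@kernel.mongodb.com",
        "authNamePrefix": "okta-issuer",
        "matchPattern": "@mongodb.com$",
        "supportsHumanFlows": True,
        "useAuthorizationClaim": False,
        "JWKSPollSecs": 86400,
    }
]

def check_provider(p: Dict) -> List[str]:
    """Return the problems found in one oidcIdentityProviders entry.
    These are the rules stated on this page, not mongod's own validation."""
    problems = []
    if not str(p.get("issuer", "")).startswith("https://"):
        problems.append("issuer should be an https:// URL")
    for key in ("audience", "authNamePrefix", "matchPattern"):
        if not p.get(key):
            problems.append(f"{key} is required")
    # Workforce (human) flows need supportsHumanFlows: true; an omitted
    # field is assumed to default to true here.
    if p.get("supportsHumanFlows", True) is not True:
        problems.append("supportsHumanFlows must be true for Workforce Identity Federation")
    try:
        re.compile(p.get("matchPattern", ""))
    except re.error as exc:
        problems.append(f"matchPattern is not a valid regex: {exc}")
    uac = p.get("useAuthorizationClaim", True)
    if not isinstance(uac, bool):
        problems.append("useAuthorizationClaim must be a boolean, not a string")
    elif uac is False and "authorizationClaim" in p:
        problems.append("omit authorizationClaim when useAuthorizationClaim is false")
    return problems

def external_user_id(providers: List[Dict], principal: str) -> Optional[str]:
    """Select the provider whose matchPattern matches the user name and return
    the $external _id the server looks up: authNamePrefix/principalName.
    Assumes the principalName claim equals the user name the client supplied."""
    for p in providers:
        if re.search(p["matchPattern"], principal):
            return f"{p['authNamePrefix']}/{principal}"
    return None
```

The returned _id is the value to use when creating the user document in $external for that identity.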