Authorize Users with Workforce Identity Federation
You can add a database user to MongoDB using Workforce authentication. This process allows your organization’s identity provider to manage user access, ensuring secure and centralized authentication for database operations.
Before you Begin
You must Configure an External Identity Provider for Workforce Authentication.
You must Configure MongoDB with Workforce Identity Federation.
Note
Your oidcIdentityProviders configuration determines the approach you must take to authorize users:
If the useAuthorizationClaim field is set to false to enable internal authorization, authorize users with user IDs.
If the field is set to true, authorize users with identity provider groups.
Steps
Create MongoDB roles
In the admin database, use the db.createRole() method to create
roles that map the identity provider group roles to MongoDB roles.
Use the following format to create roles:
<authNamePrefix>/<authorizationClaim>
The oidcIdentityProviders parameter provides the authNamePrefix
field and the authorizationClaim field. For example:
db.createRole( { role: "okta/Everyone", privileges: [ ], roles: [ "readWriteAnyDatabase" ] } )
Create a user
To create users and add them to your MongoDB database, use the
db.createUser() command.
Use the following format for the user field, where the authNamePrefix
and authorizationClaim values come from the oidcIdentityProviders
parameter:
<authNamePrefix>/<authorizationClaim>
To create a user in MongoDB with the authNamePrefix of okta and
an authorizationClaim of jane.doe, run the following:
db.createUser( { user: "okta/jane.doe", roles: [ { role: "readWriteAnyDatabase", db: "admin" } ] } )
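The following script is an added example, not code from the MongoDB documentation. It shows how the useAuthorizationClaim setting of an oidcIdentityProviders entry selects between creating roles (named after identity provider groups) and creating users (named after user IDs), and builds the matching db.createRole() / db.createUser() documents. The provider entries, the prefix "entra", the claim name "groups" and the prefix character rule are assumptions constructed for the example.

```javascript
// Added example (not from the MongoDB documentation): derive the principal
// names and the createRole()/createUser() documents from an
// oidcIdentityProviders entry. The provider entries are constructed sample data.
const oidcIdentityProviders = [
  // useAuthorizationClaim: true -> MongoDB authorizes via the IdP's group claim,
  // so you create roles named <authNamePrefix>/<group>. "groups" is assumed.
  { authNamePrefix: "okta", useAuthorizationClaim: true, authorizationClaim: "groups" },
  // useAuthorizationClaim: false -> internal authorization, so you create users
  // named <authNamePrefix>/<user ID>. "entra" is a constructed prefix.
  { authNamePrefix: "entra", useAuthorizationClaim: false },
];

// Assumption for this example: authNamePrefix is alphanumeric plus "-" and "_".
const PREFIX_RE = /^[A-Za-z0-9_-]+$/;

// Build "<authNamePrefix>/<claim value>", rejecting prefixes or claim values
// that would make the principal name ambiguous or empty.
function principalName(provider, claimValue) {
  if (!PREFIX_RE.test(provider.authNamePrefix)) {
    throw new Error(`invalid authNamePrefix: ${provider.authNamePrefix}`);
  }
  if (typeof claimValue !== "string" || claimValue.length === 0) {
    throw new Error("claim value must be a non-empty string");
  }
  return `${provider.authNamePrefix}/${claimValue}`;
}

// Return the documents to pass to db.createRole() or db.createUser() in the
// admin database, chosen by the provider's useAuthorizationClaim setting.
// subjects: IdP group names (roles) or user IDs (users);
// mongoRoles: names of roles defined in the admin database.
function authorizationDocs(provider, subjects, mongoRoles) {
  if (provider.useAuthorizationClaim) {
    return {
      method: "createRole",
      docs: subjects.map((group) => ({
        role: principalName(provider, group), privileges: [], roles: mongoRoles,
      })),
    };
  }
  return {
    method: "createUser",
    docs: subjects.map((userId) => ({
      user: principalName(provider, userId),
      roles: mongoRoles.map((role) => ({ role, db: "admin" })),
    })),
  };
}

// Groups for the group-based provider, user IDs for the internal-authorization one.
console.log(JSON.stringify(authorizationDocs(oidcIdentityProviders[0], ["Everyone"], ["readWriteAnyDatabase"])));
console.log(JSON.stringify(authorizationDocs(oidcIdentityProviders[1], ["jane.doe"], ["readWriteAnyDatabase"])));
```

In mongosh, the returned docs are what you would pass to db.createRole() or db.createUser() while connected to the admin database.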
Next Steps
You can connect an application to MongoDB using Workforce Identity Federation in the following ways:
For more details on MongoDB Shell OIDC options, see Authentication Options.