Set up Workforce Identity Federation (Humans) with OIDC
In MongoDB 7.0 and later, you can manage your workforce access to MongoDB by authenticating to your own IdP supporting OpenID Connect (OIDC).
With Workforce Identity Federation, you can:
- Manage your workforce access to MongoDB deployments through your existing IdP.
- Enforce security policies such as password complexity, credential rotation, and MFA within your IdP.
- Authenticate for a group of users or a single user.
You can use Workforce Identity Federation with OIDC for database access.
You can enable one OIDC Identity Provider for multiple organizations. When you enable an OIDC Identity Provider in an organization, you can use it in all projects in that organization for database access.
Required Access
To manage OIDC configuration, you must have Organization Owner access to Atlas.
Prerequisites
To manage user authentication and authorization using OIDC in Atlas, you must map one or more domains to your Identity Provider.
Procedures
Important
You configure Workforce Identity Federation in two stages. To link your IdP to Atlas:
- Configure your IdP and save its metadata.
- Enter the metadata from your IdP into Atlas.
Configure OIDC Authentication
Note
Prerequisite
This procedure requires you to have Organization Owner access and assumes you already have an OIDC or OAuth2 application created in your IdP. To learn how to configure an IdP, see Configure An External Identity Provider Application.
You can configure Workforce Identity Federation with OIDC for database access in Atlas from the Federation Management Console.
Use the Federation Management Console to:
- Configure Identity Providers to authenticate users belonging to specified organizations.
- Connect Atlas Organizations to your IdP.
To configure an OIDC Identity Provider in Atlas:
Add and verify domain ownership.
- Click the Add Domain button.
- Enter a display name in the Display Name box.
- Enter a domain name in the Domain Name box.
- Select the method you would like to use to verify that you are the owner of your domain by clicking either the HTML File Upload or DNS Record button.
- If you selected HTML File Upload, download the provided HTML file and upload it to your domain so that it is accessible at https://<your-domain>/mongodb-site-verification.html. If you selected DNS Record, copy the provided TXT Record and add it to your domain's DNS records at your domain provider.
- Click Continue.
- Finally, in the Domains page, click the Verify button for your newly added domain.
Enter the following OIDC Protocol Settings.
Setting | Necessity | Value |
---|---|---|
Configuration Name | Required | Human-readable label that identifies this configuration. |
Configuration Description | Optional | Human-readable label that describes this configuration. |
Issuer URI | Required | Issuer value provided by your registered IdP application. Using this URI, MongoDB finds an OpenID Provider Configuration Document, which should be available at the `/.well-known/openid-configuration` endpoint. |
Client ID | Required | Unique identifier for your registered application. Enter the clientId value from the app you registered with your OIDC Identity Provider. |
Audience | Required | Entity that your OIDC provider intends the token for. Enter the audience value from the app you registered with your OIDC Identity Provider. |
Authorization Type | Required | Select Group Membership to grant authorization based on group membership, or select User ID to grant an individual user authorization. |
Requested Scopes | Optional | Tokens that give users permission to request data from the authorization endpoint. For each additional scope you want to add, click Add more scopes. |
User Claim | Required | Identifier of the claim that includes the user principal identity. Accept the default value unless your IdP uses a different claim. Default: |
Groups Claim | Required | Identifier of the claim that includes the principal's IdP user group membership information. Accept the default value unless your IdP uses a different claim, or you need a custom claim. This field is only required if you select [...] Default: |
Add a Database User using OIDC Authentication
Open the Add New Database User or Group dialog.
In the Security section of the left navigation, click Database Access.
Click Add New Database User or Group.
Note
If you didn't apply your OIDC IdP to Atlas, this button says Add New Database User.
Select Federated Auth.
In the Authentication Method section, select the box marked Federated Auth.
Note
If you didn't apply your OIDC IdP to Atlas, you cannot select this box.
Assign user or group privileges.
Select the database user or group privileges. You can assign privileges to the new user or group in one or more of the following ways:
- Select a built-in role from the Built-in Role dropdown menu. You can select one built-in role per database group within the Atlas UI. If you delete the default option, you can click Add Built-in Role to select a new built-in role.
- If you have any custom roles defined, you can expand the Custom Roles section and select one or more roles from the Custom Roles dropdown menu. Click Add Custom Role to add more custom roles. You can also click the Custom Roles link to see the custom roles for your project.
- Expand the Specific Privileges section and select one or more privileges from the Specific Privileges dropdown menu. Click Add Specific Privilege to add more privileges. This assigns the group specific privileges on individual databases and collections.
Atlas can apply a built-in role, multiple custom roles, and multiple specific privileges to a database group.
To remove an applied role or privilege, click Delete next to the role or privilege you wish to delete.
Note
Atlas doesn't display the Delete icon next to your Built-in Role, Custom Role, or Specific Privilege selection if you selected only one option. You can delete the selected role or privilege once you apply another role or privilege.
For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.
Optional: Specify the resources in the project that the user or group can access.
By default, groups can access all the clusters and federated database instances in the project. You can restrict access to specific clusters and federated database instances by doing the following:
- Toggle Restrict Access to Specific Clusters/Federated Database Instances to ON.
- Select the clusters and federated database instances to grant the group access to from the Grant Access To list.
Optional: Save as temporary user or group.
Toggle Temporary User or Temporary Group to On and choose a time after which Atlas can delete the user or group from the Temporary User Duration or Temporary Group Duration dropdown. You can select one of the following time periods for the user or group to exist:
- 6 hours
- 1 day
- 1 week
In the Database Users tab, temporary users or groups display the time remaining until Atlas deletes them. Once Atlas deletes the user or group, any client or application that uses the temporary user's or group's credentials loses access to the cluster.