
Set up Workforce Identity Federation (Humans) with OIDC

On this page

  • Required Access
  • Prerequisites
  • Procedures
  • Configure OIDC Authentication
  • Add a Database User using OIDC Authentication
  • Open the Add New Database User or Group dialog.
  • Select Federated Auth.
  • Select Identity Provider and Identifier
  • Assign user or group privileges.
  • Optional: Specify the resources in the project that the user or group can access.
  • Optional: Save as temporary user or group.
  • Add the new database user or group.

In MongoDB 7.0 and later, you can manage your workforce access to MongoDB by authenticating to your own IdP supporting OpenID Connect (OIDC).

With Workforce Identity Federation, you can:

  • Manage your workforce access to MongoDB deployments through your existing IdP.

  • Enforce security policies such as password complexity, credential rotation, and MFA within your IdP.

  • Authenticate for a group of users or a single user.

You can use Workforce Identity Federation with OIDC for database access.

You can enable one OIDC Identity Provider for multiple organizations. When you enable an OIDC Identity Provider in an organization, you can use it in all projects in that organization for database access.

Required Access

To manage OIDC configuration, you must have Organization Owner access to Atlas.

Prerequisites

To manage user authentication and authorization using OIDC in Atlas, you must map one or more domains to your Identity Provider.

Important

You configure Workforce Identity Federation in two stages. To link your IdP to Atlas:

  • Configure your IdP and save its metadata.

  • Enter the metadata from your IdP in Atlas.

Note

Prerequisite

This procedure requires you to have Organization Owner access and assumes you already have an OIDC or OAuth2 application created in your IdP. To learn how to configure an IdP, see Configure An External Identity Provider Application.

Configure OIDC Authentication

You can configure Workforce Identity Federation with OIDC for database access in Atlas from the Federation Management Console.

Use the Federation Management Console to:

  • Configure Identity Providers to authenticate users belonging to specified organizations.

  • Connect Atlas Organizations to your IdP.

To configure an OIDC Identity Provider in Atlas:

Step 1

Step 2

Click the Begin button to the right of Workforce Identity Federation.

Step 3
  1. Click the Add Domain button.

  2. Enter a display name in the Display Name box.

  3. Enter a domain name in the Domain Name box.

  4. Select the method you would like to use to verify that you are the owner of your domain by clicking either the HTML File Upload or DNS Record button.

  5. If you selected HTML File Upload, download the provided HTML file and upload it to your domain so that it is accessible at https://<your-domain>/mongodb-site-verification.html.

  6. If you selected DNS Record, copy the provided TXT Record, and upload it to your domain provider.

  7. Click Continue.

  8. Finally, in the Domains page, click the Verify button for your newly added domain.

Step 4

Do one of the following steps:

  • If you do not have any Identity Providers configured yet, click Setup Identity Provider.

  • Otherwise, on the Identity Providers screen, click Configure Identity Provider(s).

Step 5

Configuration Name (Required)
  Human-readable label that identifies this configuration.

Configuration Description (Optional)
  Human-readable label that describes this configuration.

Issuer URI (Required)
  Issuer value provided by your registered IdP application. Using this URI, MongoDB retrieves the OpenID Provider Configuration Document, which the IdP must serve at the /.well-known/openid-configuration endpoint.

Client ID (Required)
  Unique identifier for your registered application. Enter the clientId value from the app you registered with your OIDC Identity Provider.

Audience (Required)
  Entity that your OIDC provider intends the token for. Enter the audience value from the app you registered with your OIDC Identity Provider.

Authorization Type (Required)
  Select Group Membership to grant authorization based on group membership, or select User ID to grant an individual user authorization.

Requested Scopes (Optional)
  Scopes (token permissions) that allow users to request data from the authorization endpoint.
  For each additional scope you want to add, click Add more scopes.

User Claim (Required)
  Identifier of the claim that contains the user principal identity. Accept the default value unless your IdP uses a different claim.
  Default: sub

Groups Claim (Required)
  Identifier of the claim that contains the principal's IdP group membership information. Accept the default value unless your IdP uses a different claim, or you need a custom claim. This field is required only if you select Group Membership as the Authorization Type.
  Default: groups
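The settings above are the inputs a relying party applies to every OIDC token it receives: the Issuer URI locates the discovery document, and the Audience, Client ID, User Claim and Groups Claim decide whether a token is accepted and which principal or groups it authorizes. The following Python block is an added illustration of that mapping, not MongoDB Atlas code; Atlas's internal validation rules are not documented on this page, so the checks follow the OpenID Connect Core and Discovery specifications, and every configuration value, claim and timestamp is a constructed placeholder. Signature verification against the keys at the discovery document's jwks_uri is assumed to have happened already and is not shown.

```python
# Added illustration, not MongoDB Atlas code: applying the table's settings
# to a decoded OIDC token. All sample values are constructed placeholders.
import time
from dataclasses import dataclass
from typing import Optional

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


@dataclass(frozen=True)
class OidcConfig:
    """The table's settings as one record; defaults match the page."""
    configuration_name: str
    issuer_uri: str
    client_id: str
    audience: str
    authorization_type: str  # "Group Membership" or "User ID"
    user_claim: str = "sub"
    groups_claim: str = "groups"


class TokenRejected(Exception):
    """The token does not match the configuration."""


def discovery_url(issuer_uri: str) -> str:
    """OpenID Connect Discovery serves the provider configuration document at
    <issuer>/.well-known/openid-configuration; a trailing slash on the issuer
    is stripped so it cannot produce a '//.well-known' path."""
    return issuer_uri.rstrip("/") + DISCOVERY_SUFFIX


def resolve_principal(cfg: OidcConfig, claims: dict, now: Optional[float] = None):
    """Validate decoded, signature-verified claims against cfg and return the
    authorization subject: ("user", id) or ("groups", [names])."""
    now = time.time() if now is None else now

    # iss must equal the configured Issuer URI exactly (OIDC Core 3.1.3.7);
    # a trailing-slash difference is a mismatch, not a near miss.
    if claims.get("iss") != cfg.issuer_uri:
        raise TokenRejected(f"issuer {claims.get('iss')!r} != {cfg.issuer_uri!r}")

    # aud may be a string or a list; the configured Audience must appear in it.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if cfg.audience not in audiences:
        raise TokenRejected(f"audience {cfg.audience!r} not in {audiences!r}")

    # With several audiences, azp (authorized party) must name our Client ID.
    if len(audiences) > 1 and claims.get("azp") != cfg.client_id:
        raise TokenRejected("multiple audiences without a matching azp")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or exp missing")

    if cfg.authorization_type == "Group Membership":
        groups = claims.get(cfg.groups_claim)
        if not isinstance(groups, list) or not groups:
            raise TokenRejected(f"claim {cfg.groups_claim!r} missing or empty")
        return ("groups", sorted(str(g) for g in groups))

    if cfg.authorization_type == "User ID":
        user = claims.get(cfg.user_claim)
        if not user:
            raise TokenRejected(f"claim {cfg.user_claim!r} missing")
        return ("user", str(user))

    raise ValueError(f"unknown authorization type {cfg.authorization_type!r}")


def is_accepted(cfg: OidcConfig, claims: dict, now: float) -> bool:
    """True when resolve_principal accepts the token, False when it rejects it."""
    try:
        resolve_principal(cfg, claims, now)
        return True
    except TokenRejected:
        return False


# Constructed sample configurations, one per Authorization Type.
GROUP_CONFIG = OidcConfig(
    configuration_name="example-workforce-idp",
    issuer_uri="https://idp.example.com",
    client_id="client-id-placeholder",
    audience="https://atlas.example/audience-placeholder",
    authorization_type="Group Membership",
)
USER_CONFIG = OidcConfig(
    configuration_name="example-workforce-idp-users",
    issuer_uri="https://idp.example.com",
    client_id="client-id-placeholder",
    audience="https://atlas.example/audience-placeholder",
    authorization_type="User ID",
    user_claim="preferred_username",  # an IdP that uses a non-default user claim
)

# Constructed decoded token payload and a fixed clock for repeatable results.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "aud": "https://atlas.example/audience-placeholder",
    "sub": "user-1234",
    "preferred_username": "alice@example.com",
    "groups": ["atlas-readers", "atlas-dba"],
    "exp": 1_700_003_600,
}
NOW = 1_700_000_000

if __name__ == "__main__":
    print(discovery_url(GROUP_CONFIG.issuer_uri))
    print(resolve_principal(GROUP_CONFIG, SAMPLE_CLAIMS, NOW))
    print(resolve_principal(USER_CONFIG, SAMPLE_CLAIMS, NOW))
```

The two configurations share an issuer and audience but differ in Authorization Type, which is why the same token yields a group list under GROUP_CONFIG and a single username under USER_CONFIG. The exact-match issuer check is the one most often tripped in practice: an Issuer URI entered with a trailing slash will never equal an iss claim issued without one.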

Step 6

Step 7
  1. In your OIDC card, click Associate Domains.

  2. In the Associate Domains with Identity Provider modal, select one or more domains.

  3. Click Submit.

Step 8
  1. Click Connect Organizations.

  2. For the organization you want to connect to OIDC, click Configure Access.
  3. Click Connect Identity Provider.

    Note

    If you have another IdP configured, this button says Connect Identity Provider(s).

Step 9

In the Connect Identity Provider(s) modal, select an OIDC Identity Provider where the Purpose is Workforce Identity Federation.

Step 10

When you connect your OIDC Identity Provider to an organization, Atlas enables OIDC for all the projects within that organization.

Add a Database User using OIDC Authentication

Step 1: Open the Add New Database User or Group dialog.
  1. In the Security section of the left navigation, click Database Access.

  2. Click Add New Database User or Group.

    Note

    If you didn't apply your OIDC IdP to Atlas, this button says Add New Database User.

Step 2: Select Federated Auth.

In the Authentication Method section, select the box marked Federated Auth.

Note

If you didn't apply your OIDC IdP to Atlas, you cannot select this box.

Step 3: Select Identity Provider and Identifier.

In the Select Identity Provider section, select a configured OIDC Identity Provider. Then, enter either the user identifier or group identifier associated with your configured OIDC Identity Provider.

Step 4: Assign user or group privileges.

Select the database user or group privileges. You can assign privileges to the new user or group in one or more of the following ways:

  • Select a built-in role from the Built-in Role dropdown menu. You can select one built-in role per database group within the Atlas UI. If you delete the default option, you can click Add Built-in Role to select a new built-in role.

  • If you have any custom roles defined, you can expand the Custom Roles section and select one or more roles from the Custom Roles dropdown menu. Click Add Custom Role to add more custom roles. You can also click the Custom Roles link to see the custom roles for your project.

  • Expand the Specific Privileges section and select one or more privileges from the Specific Privileges dropdown menu. Click Add Specific Privilege to add more privileges. This assigns the group specific privileges on individual databases and collections.

Atlas can apply a built-in role, multiple custom roles, and multiple specific privileges to a database group.

To remove an applied role or privilege, click Delete next to the role or privilege you wish to delete.

Note

Atlas doesn't display the Delete icon next to your Built-in Role, Custom Role, or Specific Privilege selection if you selected only one option. You can delete the selected role or privilege once you apply another role or privilege.

For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.

Step 5: Optional: Specify the resources in the project that the user or group can access.

By default, groups can access all the clusters and federated database instances in the project. You can restrict access to specific clusters and federated database instances by doing the following:

  1. Toggle Restrict Access to Specific Clusters/Federated Database Instances to ON.

  2. Select the clusters and federated database instances to grant the group access to from the Grant Access To list.

Step 6: Optional: Save as temporary user or group.

Toggle Temporary User or Temporary Group to On and, from the Temporary User Duration or Temporary Group Duration dropdown, choose the time after which Atlas deletes the user or group. You can select one of the following time periods for the user or group to exist:

  • 6 hours

  • 1 day

  • 1 week

In the Database Users tab, temporary users or groups display the time remaining until Atlas deletes the user or group. Once Atlas deletes the user or group, any client or application that uses the temporary user's or group's credentials loses access to the cluster.

Step 7: Add the new database user or group.

If you added a user, click the Add User button. If you added a group, click the Add Group button.
