Docs Menu
Docs Home
/
MongoDB Compass
/
Connect
/
Advanced Options

Authentication Connection Tab

On this page

  • Procedure

The Authentication tab allows you to connect to deployments that require authentication. To learn about authentication mechanisms within MongoDB, see Authentication Mechanisms.

Procedure

1

Open the New Connection modal.

In the bottom panel of the Connections Sidebar, click Add New Connection to open the New Connection modal.

If you already have connections listed in the Connections Sidebar, click the icon on the top right of the sidebar to open the New Connection modal.

2

Click Advanced Connection Options.

New Advanced Connection Options
click to enlarge
3

Click the Authentication tab.

Select your authentication method from the following options:

Username / Password

Provide the following information:

  • Username

  • Password

  • (Optional) Authentication Database

  • Authentication Mechancism:

    • Default


      The Default setting selects the first authentication mechanism supported by the server according to an order of preference.


      With the Default setting, MongoDB tries to authenticate using the following mechanisms in the order they are listed:

      1. SCRAM-SHA-256

      2. SCRAM-SHA-1

      3. MONGODB-CR


    • SCRAM-SHA-1

    • SCRAM-SHA-256

OIDC

Select OIDC if the deployment uses OpenID Connect as its authentication mechanism.

Provide the following information:

Field
Description
Username
Optional. OpenID Connect username.
Auth Code Flow Redirect URI
Optional. Specify a URI where the identity provider redirects you after authentication. The URI must match the configuration of the Identity Provider. The default is http://localhost:27097/redirect.
Consider Target Endpoint Trusted
Optional. Allows connecting to a target endpoint that is not in the list of endpoints that are considered trusted by default. Only use this option when connecting to servers that you trust.
Enable Device Authentication Flow

Optional. When the Show Device Auth Flow Checkbox setting is enabled, Compass can provide you with a URL and code to finish authentication.

This is a less secure authentication flow that can be used as a fallback when browser-based authentication is unavailable.

Use Application-Level Proxy Settings
Optional. Use the application-level proxy settings specified in the Compass Settings panel. Enabled by default. If you don't enable application-level proxy settings, Compass uses the same proxy to connect to both the cluster and identity provider.

X.509

Select X.509 if the deployment uses X.509 as its authentication mechanism.

Note

X.509 Authentication requires a client certificate. To enable TLS and add a client certificate, see the TLS / SSL tab in Compass.

Kerberos

Select Kerberos if the deployment uses Kerberos as its authentication mechanism.

Provide the following information:

Field
Description
Principal
Every participant in the authenticated communication is known as a "principal", and every principal must have a unique name.
(Optional) Service Name
Every MongoDB mongod and mongos instance (or mongod.exe and mongos.exe on Windows) must have an associated service name. The default is mongodb.
(Optional) Canonicalize Host Name
Kerberos uses the canonicalized form of the host name (cname) when constructing the principal for MongoDB Compass.
(Optional) Service Realm

The service realm is the domain over which a Kerberos authentication server has the authority to authenticate a user.

If you choose to Canonicalize Host Name, you can specify one of the following options:

Option
Description
Forward
The driver does a cname lookup on the kerberos hostname.
Forward and Reverse
Performs a forward DNS lookup and then a reverse lookup on that value to canonicalize the hostname.

For more information on principal name canonicalization in Kerberos, see this RFC document.

(Optional) Provide password directly
Used to verify your identity. To show the Kerberos password field, you must enable the showKerberosPasswordField option.
Authenticate as a Different Kerberos User on Windows

When you authenticate with Kerberos on Windows, the Principal you specify must match the principal of the security context that Compass is running. Normally, this is the logged-in user who is running Compass.

To authenticate as a different Kerberos user, run MongoDB Compass as the chosen user and specify the Principal for that user. To run MongoDB Compass as a different user, either:

  • Hold Shift and right-click the MongoDB Compass program icon to select Run as a different user.

  • Use the runas command-line tool. For example, the following command runs MongoDB Compass as a user named admin:

    runas /profile /user:mymachine\admin <path to MongoDB Compass>

After you start MongoDB Compass as the chosen user, to authenticate against your Kerberos-enabled MongoDB deployment, specify the Principal for the corresponding user.

LDAP

Select LDAP if the deployment uses LDAP as its authentication mechanism.

Provide the following information:

  • Username

  • Password

AWS IAM

Select AWS IAM if the deployment uses AWS IAM as its authentication mechanism.

The following fields are optional as they can be defined on your platform using their respective AWS IAM environment variables. MongoDB Compass will use these environment variable values to authenticate; you do not need to specify them in the connection string.

  • (Optional) AWS Access Key Id

  • (Optional) AWS Secret Access Key

  • (Optional) AWS Session Token

4

(Optional) For advanced connection configuration options, click the Advanced tab.

5

Click Connect.

Tip

See also:

To disconnect from your deployment, see Disconnect from MongoDB.

Back

General

Next

TLS/SSL

On this page