
Authentication Connection Tab


The Authentication tab allows you to connect to deployments that require authentication. To learn about authentication mechanisms within MongoDB, see Authentication Mechanisms.

1

In the bottom panel of the Connections Sidebar, click Add New Connection to open the New Connection modal.

If you already have connections listed in the Connections Sidebar, click the icon on the top right of the sidebar to open the New Connection modal.

2
(Image: New Advanced Connection Options)
3

Select your authentication method from the following options:

Provide the following information:

  • Username

  • Password

  • (Optional) Authentication Database

  • Authentication Mechanism:

    • Default


      The Default setting selects the first authentication mechanism supported by the server according to an order of preference.


      With the Default setting, MongoDB tries to authenticate using the following mechanisms in the order they are listed:

      1. SCRAM-SHA-256

      2. SCRAM-SHA-1

      3. MONGODB-CR


    • SCRAM-SHA-1

    • SCRAM-SHA-256

Select OIDC if the deployment uses OpenID Connect as its authentication mechanism.

Provide the following information:

Username
    Optional. OpenID Connect username.

Auth Code Flow Redirect URI
    Optional. Specify a URI where the identity provider redirects you after authentication. The URI must match the configuration of the identity provider. The default is http://localhost:27097/redirect.

Consider Target Endpoint Trusted
    Optional. Allows connecting to a target endpoint that is not in the list of endpoints that are considered trusted by default. Only use this option when connecting to servers that you trust.

Enable Device Authentication Flow
    Optional. When the Show Device Auth Flow Checkbox setting is enabled, Compass can provide you with a URL and code to finish authentication.

    This is a less secure authentication flow that can be used as a fallback when browser-based authentication is unavailable.

Use Application-Level Proxy Settings
    Optional. Use the application-level proxy settings specified in the Compass Settings panel. Enabled by default. If you don't enable application-level proxy settings, Compass uses the same proxy to connect to both the cluster and the identity provider.

Send a nonce in the Auth Code Request
    Optional. Includes a random nonce as part of the auth code request to prevent replay attacks. Enabled by default.

    The nonce is an important security component. Only disable this setting if it is not supported by your OIDC provider.

Select X.509 if the deployment uses X.509 as its authentication mechanism.

Note

X.509 Authentication requires a client certificate. To enable TLS and add a client certificate, see the TLS / SSL tab in Compass.

Select Kerberos if the deployment uses Kerberos as its authentication mechanism.

Provide the following information:

Principal
    Every participant in the authenticated communication is known as a "principal", and every principal must have a unique name.

(Optional) Service Name
    Every MongoDB mongod and mongos instance (or mongod.exe and mongos.exe on Windows) must have an associated service name. The default is mongodb.

(Optional) Canonicalize Host Name
    Kerberos uses the canonicalized form of the host name (cname) when constructing the principal for MongoDB Compass.

    If you choose to Canonicalize Host Name, you can specify one of the following options:

    Forward
        The driver does a cname lookup on the Kerberos hostname.

    Forward and Reverse
        The driver performs a forward DNS lookup and then a reverse lookup on that value to canonicalize the hostname.

    For more information on principal name canonicalization in Kerberos, see this RFC document.

(Optional) Service Realm
    The service realm is the domain over which a Kerberos authentication server has the authority to authenticate a user.

(Optional) Provide password directly
    Used to verify your identity. To show the Kerberos password field, you must enable the showKerberosPasswordField option.

When you authenticate with Kerberos on Windows, the Principal you specify must match the principal of the security context that Compass is running in. Normally, this is the logged-in user who is running Compass.

To authenticate as a different Kerberos user, run MongoDB Compass as the chosen user and specify the Principal for that user. To run MongoDB Compass as a different user, either:

  • Hold Shift and right-click the MongoDB Compass program icon to select Run as a different user.

  • Use the runas command-line tool. For example, the following command runs MongoDB Compass as a user named admin:

    runas /profile /user:mymachine\admin <path to MongoDB Compass>

After you start MongoDB Compass as the chosen user, to authenticate against your Kerberos-enabled MongoDB deployment, specify the Principal for the corresponding user.

Select LDAP if the deployment uses LDAP as its authentication mechanism.

Provide the following information:

  • Username

  • Password

Select AWS IAM if the deployment uses AWS IAM as its authentication mechanism.

The following fields are optional as they can be defined on your platform using their respective AWS IAM environment variables. MongoDB Compass will use these environment variable values to authenticate; you do not need to specify them in the connection string.

  • (Optional) AWS Access Key Id

  • (Optional) AWS Secret Access Key

  • (Optional) AWS Session Token
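Each of the tabs above corresponds to standard MongoDB connection-string options. The following helper is an added example, not Compass's own code: it assembles the equivalent URI for every method on this page (Username/Password, X.509, Kerberos, LDAP, AWS IAM), percent-encodes credentials so a principal such as alice@EXAMPLE.COM or a password containing ':' or '@' cannot corrupt the URI, and drops blank optional fields. The function name, parameter names and sample values are assumptions; the option names follow the MongoDB connection-string and driver authentication specs.

```python
from urllib.parse import quote

# Added example (not Compass's own code): builds the standard MongoDB connection
# string equivalent to the fields on this page's authentication tabs. Option
# names follow the MongoDB connection-string spec; the CANONICALIZE_HOST_NAME
# values "forward" and "forwardAndReverse" follow the driver authentication spec.

def _cred(username, password=None):
    # Percent-encode so ':' '@' '/' inside a username or secret cannot corrupt the URI.
    cred = quote(username, safe="")
    return cred if password is None else f"{cred}:{quote(password, safe='')}"

def build_uri(hosts, method, username=None, password=None, auth_db=None,
              mechanism="Default", service_name=None, canonicalize=None,
              service_realm=None, access_key=None, secret_key=None,
              session_token=None):
    """Return a mongodb:// URI; method is password, x509, kerberos, ldap or aws."""
    opts, props, cred = {}, {}, ""
    if method == "password":                       # Username/Password fields
        cred = _cred(username, password)
        if auth_db:
            opts["authSource"] = auth_db
        if mechanism != "Default":                 # Default: driver negotiates SCRAM
            opts["authMechanism"] = mechanism
    elif method == "x509":                         # client cert is set on the TLS/SSL tab
        opts.update(authMechanism="MONGODB-X509", authSource="$external", tls="true")
    elif method == "kerberos":
        cred = _cred(username, password)           # principal; password is optional
        opts.update(authMechanism="GSSAPI", authSource="$external")
        props = {"SERVICE_NAME": service_name, "CANONICALIZE_HOST_NAME": canonicalize,
                 "SERVICE_REALM": service_realm}
    elif method == "ldap":
        cred = _cred(username, password)
        opts.update(authMechanism="PLAIN", authSource="$external")
    elif method == "aws":                          # no keys: driver reads AWS env vars
        opts.update(authMechanism="MONGODB-AWS", authSource="$external")
        if access_key:
            cred = _cred(access_key, secret_key)
        props = {"AWS_SESSION_TOKEN": session_token}
    else:
        raise ValueError(f"unknown method {method!r}")
    props = {k: v for k, v in props.items() if v}  # drop fields left blank in the UI
    if props:
        opts["authMechanismProperties"] = ",".join(f"{k}:{v}" for k, v in props.items())
    query = "&".join(f"{k}={quote(v, safe='$:,')}" for k, v in opts.items())
    return f"mongodb://{cred + '@' if cred else ''}{','.join(hosts)}/" + (
        f"?{query}" if query else "")
```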

4
5

Tip

See also:

To disconnect from your deployment, see Disconnect from MongoDB.
