Set up Workforce Identity Federation with OIDC
On this page
- Required Access
- Prerequisites
- Procedures
- Configure An External Identity Provider Application
- Configure Workforce Identity Federation Authentication
- Configure OIDC Authorization
- Connect to MongoDB with Workforce Identity Federation
- Manage an Existing Workforce Identity Federation Configuration
- Revoke JWKS
- Edit a Configuration
- Delete a Configuration
In MongoDB 7.0 and later, Workforce Identity Federation lets you use an external Identity Provider (IdP), such as your corporate IdP, to authenticate and authorize a given workforce, such as employees, partners, and contractors.
With Workforce Identity Federation, you can:
Manage your workforce access to MongoDB deployments through your existing IdP.
Enforce security policies such as password complexity, credential rotation, and multi-factor authentication within your IdP.
You can only create one Workforce Identity Federation per project, but you can edit or recreate the configuration at any time.
Required Access
To configure Workforce Identity Federation, you must have
Project Owner
access to Ops Manager.
Prerequisites
You must have the following:
mongosh
1.9.1 or later.MongoDB 7.0 or later.
At least one other authentication mechanism with MongoDB Agent configured.
Note
The MongoDB Agent cannot connect to your deployment via OIDC. You must enable an additional auth mechanism for the MongoDB Agent. If Ops Manager doesn't manage Monitoring or Backup, you must manually configure them to use the alternative authentication mechanism.
Procedures
To access Ops Manager deployments with Workforce Identity Federation, complete the following steps:
Configure a Workforce Identity Provider (one-time setup).
Grant external identities (user principals) or groups access.
Configure An External Identity Provider Application
Note
If you want to reset Authentication and TLS settings for your project, first unmanage any MongoDB deployments that Ops Manager manages in your project.
To configure Workforce Identity Federation with OIDC, register your OIDC application with an IdP that supports OIDC standard, such as Microsoft Entra ID, Okta, or Ping Identity.
You can configure your OIDC application for the following grant types:
Authorization Code Flow with PKCE
Device Authorization Flow
MongoDB recommends that you use Authorization Code Flow with PKCE for increased security. Use Device Authorization Flow only if your users need to access the database from machines with no browser.
The OIDC application registration steps can vary based on your IdP. Ensure that you complete the following items during your registration process:
The generic registration steps for your OIDC application are as follows:
(Optional) Allow refresh tokens if you want MongoDB clients to refresh the tokens for a better user experience.
(Optional) Configure the access token lifetime (exp
claim) to align with
your database connection session time.
After you register your application, save the issuer
,
clientId
, and audience
values to use in the next stage of the
configuration.
To register your OIDC application with Microsoft Entra ID:
Register an application.
Navigate to App registrations.
In your Azure portal account, search and click Microsoft Entra ID.
In the Manage section of the left navigation, click App registrations.
Click New registration.
Apply the following values.
FieldValueName
Ops Manager Database - Workforce
Supported Account Types
Accounts in this organizational directory only (single tenant)
Redirect URI
- Public client/native (mobile & desktop)-http://localhost:27097/redirect
Click Register.
To learn more about registering an application, see Azure Documentation.
Add a group claim.
Navigate to Token Configuration.
In the Manage section of the left navigation, click Token Configuration.
Click Add groups claim.
In the Edit groups claim modal, select Security.
What groups you select depend on the type of groups you configured in your Azure environment. You may need to select a different type of group to send the appropriate group information.
In the Customize token properties by type section, only select Group ID.
Click Add.
To learn more about adding a group claim, see Azure Documentation.
Add a user identifier claim to the access token.
Click Add optional claim.
In the Add optional claim modal, select Access.
Select a claim that carries a user identifier that you can refer to in MongoDB access logs such as an email.
You can use the UPN claim to identify users with their email address.
Click Add.
In the Microsoft Graph Permissions note, check the box, and click Add.
To learn more, see Azure Documentation.
Update the manifest.
In the Manage section of the left navigation, click Manifest.
Update the accessTokenAcceptedVersion from
null
to2
.The number
2
represents Version 2 of Microsoft's access tokens. Other applications can use this as a signed attestation of the Active Directory-managed user's identity. Version 2 ensures that the token is a JSON Web Token that MongoDB understands.Click Save.
To learn more about adding an optional claim, see Azure Documentation.
Remember metadata.
In the left navigation, click Overview.
Copy the Application (client) ID value.
In the top navigation, click Endpoints.
Copy the OpenID Connect metadata document value without the
/.well-known/openid-configuration
part.You can also get this value by copying the value for
issuer
in the OpenID Connect metadata document URL.
The following table shows what these Microsoft Entra ID UI values map to in our MongoDB Atlas Configuration Properties:
Microsoft Entra ID UI | MongoDB Atlas Configuration Property |
---|---|
Application (client) ID | Client ID Audience |
OpenID Connect metadata document (without /.well-known/openid-configuration) | Issuer URI. |
Configure Workforce Identity Federation Authentication
To configure Workforce Identity Federation with OIDC, complete the following procedure.
Note
Workforce Identity Federation supports only JWT for authentication. It doesn't support opaque access tokens.
Navigate to the Security Settings dialog for your deployment.
Select the organization that contains your project from the Organizations menu in the navigation bar.
Select your project from the Projects menu in the navigation bar.
Click Deployment in the sidebar.
Click the Security tab.
Click the Settings tab.
Perform one of the following actions:
If this is your first time configuring TLS, authentication, or authorization settings for this project, click Get Started.
If you have already configured TLS authentication, or authorization settings for this project, click Edit.
Optional: Specify the TLS Settings.
Field | Action | ||||
---|---|---|---|---|---|
MongoDB Deployment Transport Layer Security (TLS) | Toggle this slider to ON. | ||||
TLS CA File Path | The TLS Certificate Authority file is a The encrypted private key for the Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:
This enables the Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified. | ||||
Cluster TLS CA File Path | The If you do not specify the
| ||||
Client Certificate Mode | Select if client applications or MongoDB Agents must present a TLS certificate when connecting to TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid. Accepted values are:
|
Enter the following settings.
Setting | Necessity | Value |
---|---|---|
Configuration Name | Required | Unique label that identifies this configuration. This label is visible to your Ops Manager users and is used when creating users and roles for authorization. It is case-sensitive and can only contain the following characters:
After saving the configuration, you can't edit the configuration name. |
Issuer URI | Required | Issuer value provided by your registered IdP application.
Using this URI, MongoDB finds an OpenID Provider Configuration
Document, which should be available in the
|
Client ID | Required | Unique identifier for your registered application. Enter
the |
Audience | Required | Entity that your external identity provider intends the token for. Enter
the |
Requested Scopes | Optional | Tokens that give users permission to request data from the authorization endpoint. For each additional scope you want to add, click Add more scopes. |
Authorization Type | Required | Select |
Customize User Claim | Required | The identifier of the claim that includes the user principal identity. Accept the default value unless your IdP uses a different claim. Default: |
Customize Group Claim | Required | Required if you select Default: |
Configure OIDC Authorization
MongoDB does not explicitly create database users for OIDC. It maps OIDC users to MongoDB roles based on the configuration.
Select a tab depending on the authorization type that you selected when configuring OIDC authentication.
If you selected the Group Membership
authorization type,
complete the following steps to create a custom role that grants
authorization based on IdP user group membership:
Navigate to the MongoDB Roles tab for your deployment.
Select the organization that contains your project from the Organizations menu in the navigation bar.
Select your project from the Projects menu in the navigation bar.
Click Deployment in the sidebar.
Click the Security tab.
Click the MongoDB Roles tab.
Create the OIDC role.
Enter the following fields:
FieldNecessityDescriptionIdentifier
Required
In the Database box, enter
admin
.In the Name box, enter your OIDC IdP configuration name and the group name from your external identity provider, separated by a slash
/
:{configuration_name}/{group_name} Inherits From
Optional
A list of role name and database pairs. The format for these pairs are
roleName@dbName
.Authentication Restrictions
Optional
A list of IP addresses or CIDR notations that you want to restrict from your IdP.
Privilege Actions by Resource
Optional
Actions permitted on the resource.
To learn more, see Privilege Actions.
Click Add Role.
If you selected the User ID
authorization type,
create a new user to grant an individual user authorization:
Navigate to the MongoDB Users tab for your deployment.
Select the organization that contains your project from the Organizations menu in the navigation bar.
Select your project from the Projects menu in the navigation bar.
Click Deployment in the sidebar.
Click the Security tab.
Click the MongoDB Users tab.
Add the OIDC user.
Note
Before you add users, ensure that you've created any roles that you want to assign to the users.
Complete the user account fields:
FieldDescriptionIdentifier
In the first field, enter the
$external
database.In the second field, enter a username using your OIDC IdP configuration name and the user principal claim from your configuration separated by a slash
/
:{configuration_name}/{user_principal_claim}
Roles
Enter any available user-defined roles and built-in roles into this box. The combo box provides a list of existing roles when you click in it.
Authentication Restrictions
Click Add Entry.
Add one or more IP addresses and/or CIDR blocks in either the Client Source or Server Address boxes. Separate multiple addresses or blocks with commas.
Client Source restricts which addresses this user can authenticate and use the given roles.
Server Address restricts the addresses this user can authenticate and has the given roles.
Click Save.
To add another entry, click Add Entry.
Click Add User.
Connect to MongoDB with Workforce Identity Federation
Use mongosh
or Compass
to connect an application to MongoDB with Workforce Identity Federation authentication.
Manage an Existing Workforce Identity Federation Configuration
To manage your Workforce Identity Federation configuration, you can perform the following actions.
Revoke JWKS
Note
Don't use this feature to rotate your signing keys. When you rotate your OIDC IdP signing keys, MongoDB fetches the JWKS automatically upon expiration of the existing access tokens.
If your private key is compromised, you can immediately revoke your JSON Web Key Sets (JWKS) cached in MongoDB nodes:
Navigate to the Security Settings dialog for your deployment.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
If it is not already displayed, click Deployment in the sidebar.
Click the Security tab.
Click the Settings tab.
Edit a Configuration
To edit your Workforce Identity Federation configuration:
Navigate to the Security Settings dialog for your deployment.
Select the organization that contains your project from the Organizations menu in the navigation bar.
Select your project from the Projects menu in the navigation bar.
Cick Deployment in the sidebar.
Click the Security tab.
Click the Settings tab.
Delete a Configuration
To delete your Workforce Identity Federation configuration:
Navigate to the Security Settings dialog for your deployment.
Select the organization that contains your project from the Organizations menu in the navigation bar.
Select your project from the Projects menu in the navigation bar.
Click Deployment in the sidebar.
Click the Security tab.
Click the Settings tab.