Configure Self-Managed MongoDB with OpenID Connect
MongoDB Enterprise provides support for OpenID Connect Authentication. You can use OpenID Connect to configure single sign-on between your MongoDB database and a third-party identity provider.
Before you Begin
Set up an OpenID Connect client profile with your chosen provider: Microsoft Azure AD or Okta.
When using mongosh to connect, if you use the oidcRedirectUri option, the URI must match the configuration of the identity provider.
Ensure that you are on MongoDB Enterprise.
To verify that you are using MongoDB Enterprise, pass the --version command line option to mongod or mongos:
mongod --version
In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries.
Steps
Configure the MongoDB server
To configure the MongoDB server, enable the MONGODB-OIDC authentication mechanism and use the oidcIdentityProviders parameter to specify identity provider (IDP) configurations.
You can configure the MongoDB server using your configuration file or the command line.
To configure using your configuration file, specify two parameters in the file:
setParameter:
  authenticationMechanisms: MONGODB-OIDC
  oidcIdentityProviders: [ {"issuer": "https://...", ...} ]
To configure using the command line, specify the following:
mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
  'oidcIdentityProviders=[ {"issuer": "https://...", ...} ]'
Create MongoDB roles
In the admin database, use the db.createRole() method to create roles that map the identity provider group roles to MongoDB roles.
Use the following format to create roles:
<authNamePrefix>/<authorizationClaim>
The oidcIdentityProviders parameter provides the authNamePrefix field and the authorizationClaim field. For example:
db.createRole(
  {
    role: "okta/Everyone",
    privileges: [ ],
    roles: [ "readWriteAnyDatabase" ]
  }
)
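The two steps above (the oidcIdentityProviders server parameter, and the db.createRole() documents named <authNamePrefix>/<authorizationClaim>) are tied together by the authNamePrefix value: if the prefix in the role name does not match the prefix in the provider entry, the IdP group never resolves to a MongoDB role. The following Node.js/mongosh-style script is an added example, not code from the MongoDB documentation: it sanity-checks a provider list before mongod is restarted with it, then derives the createRole() documents from an explicit group-to-role allowlist so that every role name is built from the configured prefix. The issuer, audience, clientId, group names and role grants are constructed placeholders; the character-set check on authNamePrefix (alphanumerics, hyphens, underscores) is an assumption about what mongod accepts.

```javascript
// Added example (not from the MongoDB docs): validate an oidcIdentityProviders
// array and derive the db.createRole() documents that map IdP groups to
// MongoDB roles using the <authNamePrefix>/<authorizationClaim> naming rule.
// Every provider value, group name and role grant below is a constructed
// placeholder; replace them with your own identity provider configuration.

// Constructed sample in the shape of the oidcIdentityProviders parameter.
const oidcIdentityProviders = [
  {
    issuer: "https://idp.example.com/oauth2/default", // placeholder issuer URL
    audience: "mongodb-api-placeholder",              // placeholder audience
    clientId: "client-id-placeholder",                // placeholder client id
    authNamePrefix: "okta",
    authorizationClaim: "groups",
  },
];

// Checks worth running before restarting mongod with a new provider list:
// HTTPS issuer, a usable and unique authNamePrefix, and a claim from which
// group membership is read. Returns a list of problems (empty means OK).
function validateProviders(providers) {
  if (!Array.isArray(providers) || providers.length === 0) {
    return ["oidcIdentityProviders must be a non-empty array"];
  }
  const problems = [];
  const seenPrefixes = new Set();
  providers.forEach((p, i) => {
    if (typeof p.issuer !== "string" || !p.issuer.startsWith("https://")) {
      problems.push(`provider[${i}]: issuer must be an https:// URL`);
    }
    // Assumption: prefix limited to alphanumerics, '-' and '_' (no '/').
    if (typeof p.authNamePrefix !== "string" || !/^[A-Za-z0-9_-]+$/.test(p.authNamePrefix)) {
      problems.push(`provider[${i}]: authNamePrefix must be set and contain only [A-Za-z0-9_-]`);
    } else if (seenPrefixes.has(p.authNamePrefix)) {
      problems.push(`provider[${i}]: duplicate authNamePrefix ${p.authNamePrefix}`);
    } else {
      seenPrefixes.add(p.authNamePrefix);
    }
    if (typeof p.authorizationClaim !== "string" || p.authorizationClaim.length === 0) {
      problems.push(`provider[${i}]: authorizationClaim is required to map groups to roles`);
    }
  });
  return problems;
}

// Explicit allowlist: IdP group value -> MongoDB roles to grant. A group that
// is not listed here gets no MongoDB role, so a newly created IdP group does
// not silently gain database access. (Constructed sample values.)
const groupGrants = {
  "db-readers": [{ role: "read", db: "app" }],
  "db-admins": ["readWriteAnyDatabase"],
};

// Build the document for db.createRole() for every mapped group. The role
// name is "<authNamePrefix>/<group value from the authorizationClaim>", which
// is the name mongod looks up for each group value carried in the token.
function buildRoleDocs(provider, grants) {
  return Object.entries(grants).map(([group, roles]) => ({
    role: `${provider.authNamePrefix}/${group}`,
    privileges: [], // no direct privileges; everything is inherited via 'roles'
    roles,
  }));
}

const problems = validateProviders(oidcIdentityProviders);
if (problems.length > 0) {
  throw new Error("invalid oidcIdentityProviders:\n" + problems.join("\n"));
}
const roleDocs = buildRoleDocs(oidcIdentityProviders[0], groupGrants);

// In mongosh, against the admin database, the equivalent final step would be:
//   roleDocs.forEach((doc) => db.getSiblingDB("admin").createRole(doc));
// This script only prints the documents so that it runs offline.
console.log(JSON.stringify(roleDocs, null, 2));
```

Run it with node before applying the roles; the thrown error lists every problem found in the provider array at once, and the printed documents can be pasted into mongosh unchanged. Keeping the group-to-role mapping as a reviewed allowlist in source control, rather than creating roles ad hoc, makes it easy to audit which IdP groups grant which MongoDB privileges.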