Configure MongoDB with OpenID Connect
On this page
MongoDB Enterprise provides support for OpenID Connect Authentication. You can use OpenID Connect to configure single sign-on between your MongoDB database and a third-party identity provider.
Before you Begin
Set up an OpenID Connect client profile with your chosen provider: Microsoft Azure AD or Okta.
When using
mongosh
to connect, if you use theoidcRedirectUri
option, the URI must match the configuration of the identity provider.Ensure that you are on MongoDB Enterprise.
To verify that you are using MongoDB Enterprise, pass the
--version
command line option to themongod
ormongos
:mongod --version In the output from this command, look for the string
modules: subscription
ormodules: enterprise
to confirm you are using the MongoDB Enterprise binaries.
Steps
Configure the MongoDB server
To configure the MongoDB server, enable the MONGODB-OIDC
authentication mechanism and use the oidcIdentityProviders
to specify identity provider (IDP) configurations.
You can configure the MongoDB server using your configuration file or the command line.
To configure using your configuration file, specify two parameters in the file:
setParameter: authenticationMechanisms: MONGODB-OIDC oidcIdentityProviders: [ {"issuer": "https://...", ...} ]
To configure using the command line, specify the following:
mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \ 'oidcIdentityProviders=[ {"issuer": "https://...", ...} ]'
Create MongoDB roles
In the admin
database, use the db.createRole()
method to create
roles that map the identity provider group roles to MongoDB roles.
Use the following format to create roles:
<authNamePrefix>/<authorizationClaim>
The oidcIdentityProviders
parameter provides the authNamePrefix
field and the authorizationClaim
field. For example:
db.createRole( { role: "okta/Everyone", privileges: [ ], roles: [ "readWriteAnyDatabase" ] } )