
Configure MongoDB with Workforce Identity Federation

Configure MongoDB with Workforce Identity Federation to authenticate users across different platforms using a single set of credentials. This enhances security and simplifies user management.

Before you Begin

  • Ensure that you are on MongoDB Enterprise.

    To verify that you are using MongoDB Enterprise, pass the --version command line option to mongod or mongos:

    mongod --version

    In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries.

  • Configure your external identity provider. For more details, see Configure an External Identity Provider.

Steps

Step 1

To configure the MongoDB server, enable the MONGODB-OIDC authentication mechanism and use the oidcIdentityProviders parameter to specify identity provider (IdP) configurations.

Note

When configuring MongoDB for Workforce Identity Federation, set the supportsHumanFlows field in oidcIdentityProviders to true.

You can configure the MongoDB server using your configuration file or command line.

To use your configuration file, specify two parameters in the file:

    setParameter:
      authenticationMechanisms: MONGODB-OIDC
      oidcIdentityProviders: [ {
        "issuer": "https://okta-test.okta.com",
        "audience": "example@kernel.mongodb.com",
        "authNamePrefix": "okta-issuer",
        "matchPattern": "@mongodb.com$",
        "JWKSPollSecs": 86400
      } ]

To use the command line, specify the following:

    mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
    'oidcIdentityProviders=[ {
      "issuer": "https://okta-test.okta.com",
      "audience": "example@kernel.mongodb.com",
      "authNamePrefix": "okta-issuer",
      "matchPattern": "@mongodb.com$",
      "JWKSPollSecs": 86400
    } ]'

Step 2

To enable internal authorization, set the useAuthorizationClaim field of the oidcIdentityProviders parameter to false. This setting enables more flexible user management by relying on user documents rather than authorization claims from the identity provider.

Configuration file:

    setParameter:
      authenticationMechanisms: MONGODB-OIDC
      oidcIdentityProviders: [ {
        "issuer": "https://okta-test.okta.com",
        "audience": "example@kernel.mongodb.com",
        "authNamePrefix": "okta-issuer",
        "matchPattern": "@mongodb.com$",
        "useAuthorizationClaim": "false",
        "JWKSPollSecs": 86400
      } ]

Command line:

    mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
    'oidcIdentityProviders=[ {
      "issuer": "https://okta-test.okta.com",
      "audience": "example@kernel.mongodb.com",
      "authNamePrefix": "okta-issuer",
      "matchPattern": "@mongodb.com$",
      "useAuthorizationClaim": "false",
      "JWKSPollSecs": 86400
    } ]'

When you set useAuthorizationClaim to false, users who authenticate with the MONGODB-OIDC mechanism obtain their authorization rights from a user document in $external. For every OIDC-based authentication attempt by a user of your identity provider, the server searches for a user document whose _id matches the value authNamePrefix/principalName.

Important

If this field is set to false, do not include the authorizationClaim field.
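The following is an added example, not code from MongoDB or this page: it checks an oidcIdentityProviders entry against the rules stated above (supportsHumanFlows must be true, authorizationClaim must be absent when useAuthorizationClaim is false, matchPattern must be a valid regular expression) and derives the authNamePrefix/principalName value that the server looks up in $external. The identity-provider values are copied from this page; the function names and the sample principal names are assumptions.

```javascript
// Added example (plain JavaScript, runs under node or in mongosh); not part of
// mongod or mongosh. Values below are the ones shown on this page.
const idp = {
  issuer: "https://okta-test.okta.com",
  audience: "example@kernel.mongodb.com",
  authNamePrefix: "okta-issuer",
  matchPattern: "@mongodb.com$",
  supportsHumanFlows: true,          // required for Workforce Identity Federation
  useAuthorizationClaim: false,      // rely on user documents in $external
  JWKSPollSecs: 86400,
};

// Returns a list of problems; an empty list means the entry satisfies the
// rules this page states for Workforce Identity Federation with internal
// authorization. Accepts useAuthorizationClaim as a boolean or as the
// quoted string "false" shown in the page's config examples.
function checkWorkforceIdp(cfg) {
  const problems = [];
  if (cfg.supportsHumanFlows !== true) {
    problems.push("supportsHumanFlows must be true for Workforce Identity Federation");
  }
  const internalAuthz = String(cfg.useAuthorizationClaim) === "false";
  if (internalAuthz && "authorizationClaim" in cfg) {
    problems.push("omit authorizationClaim when useAuthorizationClaim is false");
  }
  try {
    new RegExp(cfg.matchPattern);
  } catch (e) {
    problems.push("matchPattern is not a valid regular expression");
  }
  return problems;
}

// If the principal name matches this entry's matchPattern, return the
// authNamePrefix/principalName value the server searches for in $external;
// otherwise return null (this entry does not apply to that user).
function externalUserIdFor(cfg, principalName) {
  if (!new RegExp(cfg.matchPattern).test(principalName)) return null;
  return `${cfg.authNamePrefix}/${principalName}`;
}

// Hypothetical principal names, constructed for illustration.
console.log(checkWorkforceIdp(idp));                              // []
console.log(externalUserIdFor(idp, "jdoe@mongodb.com"));          // okta-issuer/jdoe@mongodb.com
console.log(externalUserIdFor(idp, "jdoe@example.org"));          // null
```

The value returned by externalUserIdFor is the user name whose document must exist in $external before that user's first MONGODB-OIDC login succeeds under internal authorization.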
