Configure MongoDB with Workload Identity Federation
Configure MongoDB with Workload Identity Federation to authenticate services across different platforms. This enhances security and simplifies service identity management.
Before you Begin
Ensure that you are on MongoDB Enterprise.
To verify that you are using MongoDB Enterprise, pass the --version command line option to the mongod or mongos:

    mongod --version

In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries.
Configure your external identity provider. For more details, see Configure an External Identity Provider.
Steps
Configure the MongoDB server with OpenID Connect (OIDC)
To configure the MongoDB server, enable the MONGODB-OIDC authentication mechanism and use the oidcIdentityProviders parameter to specify identity provider (IDP) configurations.
Note
When configuring MongoDB for Workload Identity Federation, set the supportsHumanFlows field in oidcIdentityProviders to false.
You can configure the MongoDB server using your configuration file or command line.
To use your configuration file, specify two parameters in the file:

    setParameter:
      authenticationMechanisms: MONGODB-OIDC
      oidcIdentityProviders: [
        {
          "issuer": "https://okta-test.okta.com",
          "audience": "example@kernel.mongodb.com",
          "authNamePrefix": "okta-issuer",
          "matchPattern": "@mongodb.com$",
          "JWKSPollSecs": 86400
        }
      ]

To use the command line, specify the following:

    mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
      'oidcIdentityProviders=[ { "issuer": "https://okta-test.okta.com", "audience": "example@kernel.mongodb.com", "authNamePrefix": "okta-issuer", "matchPattern": "@mongodb.com$", "JWKSPollSecs": 86400 } ]'
(Optional) Enable internal authorization
To enable internal authorization, set the useAuthorizationClaim field of the oidcIdentityProviders parameter to false. This setting enables more flexible user management by relying on user documents rather than authorization claims from the identity provider. useAuthorizationClaim is a boolean field, so pass the value false rather than the string "false".

    setParameter:
      authenticationMechanisms: MONGODB-OIDC
      oidcIdentityProviders: [
        {
          "issuer": "https://okta-test.okta.com",
          "audience": "example@kernel.mongodb.com",
          "authNamePrefix": "okta-issuer",
          "matchPattern": "@mongodb.com$",
          "useAuthorizationClaim": false,
          "JWKSPollSecs": 86400
        }
      ]

    mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
      'oidcIdentityProviders=[ { "issuer": "https://okta-test.okta.com", "audience": "example@kernel.mongodb.com", "authNamePrefix": "okta-issuer", "matchPattern": "@mongodb.com$", "useAuthorizationClaim": false, "JWKSPollSecs": 86400 } ]'
When you set useAuthorizationClaim to false, users who authenticate with the MONGODB-OIDC mechanism obtain their authorization rights from a user document in $external. For every OIDC-based authentication attempt by a user of your identity provider, the server searches $external for a user document whose _id matches authNamePrefix/principalName, that is, the configured prefix followed by the value of the token's principal name claim.
Important
If this field is set to false, do not include the authorizationClaim field.
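The following added example (not part of the MongoDB documentation) models the server-side lookup described above for the useAuthorizationClaim: false case: the identity provider entry is selected by matchPattern, the token's issuer and audience are checked against the entry, and the $external user document with _id authNamePrefix/principalName supplies the roles. It assumes the principal name comes from the token's sub claim (the usual default) and uses constructed claims and user documents; JWKS signature validation is outside the model.

```python
import re

# Constructed oidcIdentityProviders entry mirroring the page's configuration,
# with the Workload Identity Federation settings the page requires.
OIDC_IDENTITY_PROVIDERS = [
    {
        "issuer": "https://okta-test.okta.com",
        "audience": "example@kernel.mongodb.com",
        "authNamePrefix": "okta-issuer",
        "matchPattern": "@mongodb.com$",
        "supportsHumanFlows": False,
        "useAuthorizationClaim": False,
        "JWKSPollSecs": 86400,
    }
]

# Constructed stand-in for the $external database: _id is
# "<authNamePrefix>/<principalName>" and the roles live in the document.
EXTERNAL_USERS = {
    "okta-issuer/svc-billing@mongodb.com": {
        "roles": [{"role": "readWrite", "db": "billing"}],
    }
}


def select_provider(principal, providers):
    """Return the IdP entry whose matchPattern matches the principal name."""
    for provider in providers:
        if re.search(provider["matchPattern"], principal):
            return provider
    return None


def resolve_workload_user(claims, providers=OIDC_IDENTITY_PROVIDERS,
                          users=EXTERNAL_USERS, principal_claim="sub"):
    """Return (user_id, roles), or (None, []) when authentication must fail."""
    principal = claims.get(principal_claim)   # assumption: principal is "sub"
    provider = select_provider(principal, providers) if principal else None
    if provider is None or claims.get("iss") != provider["issuer"]:
        return None, []
    aud = claims.get("aud")
    if provider["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return None, []
    user_id = f'{provider["authNamePrefix"]}/{principal}'
    doc = users.get(user_id)
    if doc is None:
        # No user document means no privileges, whatever claims the token carries.
        return None, []
    return user_id, doc["roles"]
```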