
Configure Self-Managed MongoDB with OpenID Connect

MongoDB Enterprise provides support for OpenID Connect authentication. You can use OpenID Connect to configure single sign-on between your MongoDB database and a third-party identity provider.

Before you Begin

  • Set up an OpenID Connect client profile with your chosen provider: Microsoft Azure AD or Okta.

  • When you connect with mongosh and use the oidcRedirectUri option, the URI must match the redirect URI configured at the identity provider.

  • Ensure that you are on MongoDB Enterprise.

    To verify that you are using MongoDB Enterprise, pass the --version command line option to mongod or mongos:

    mongod --version

    In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries.

Steps

Step 1

To configure the MongoDB server, enable the MONGODB-OIDC authentication mechanism and use the oidcIdentityProviders parameter to specify identity provider (IDP) configurations.

You can configure the MongoDB server using your configuration file or the command line.

To configure using your configuration file, specify two parameters in the file:

setParameter:
  authenticationMechanisms: MONGODB-OIDC
  oidcIdentityProviders: [ {"issuer": "https://...", ...} ]

To configure using the command line, specify the following:

mongod --auth --setParameter authenticationMechanisms=MONGODB-OIDC --setParameter \
  'oidcIdentityProviders=[ {"issuer": "https://...", ...} ]'

Step 2

In the admin database, use the db.createRole() method to create roles that map the identity provider group roles to MongoDB roles.

Use the following format to create roles:

<authNamePrefix>/<authorizationClaim>

Both parts come from the oidcIdentityProviders parameter: authNamePrefix is the prefix configured for that identity provider, and authorizationClaim names the token claim whose values (typically the user's groups) supply the second part. For example:

db.createRole( {
  role: "okta/Everyone",
  privileges: [ ],
  roles: [ "readWriteAnyDatabase" ]
} )
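The following is an added example, not code from the MongoDB manual, that makes the role-mapping rule above concrete: given an oidcIdentityProviders entry and the claims of a token, it derives the <authNamePrefix>/<claim value> role names the server will look up, builds the matching db.createRole() document, and flags claim values that have no corresponding role in admin. The provider entry, the claim name groups and the token payload are constructed for illustration; a real oidcIdentityProviders entry needs further fields that are omitted here.

```javascript
// Added example (not from the MongoDB manual). Shows how MONGODB-OIDC role
// names are composed from an oidcIdentityProviders entry and a token's
// claims, so you can check your db.createRole() names before users log in.

// Constructed provider entry. Only the fields discussed on the page are
// used; a real entry requires additional fields that are left out here.
const providerConfig = {
  issuer: "https://idp.example.com", // placeholder issuer
  authNamePrefix: "okta",
  authorizationClaim: "groups",      // assumed name of the groups claim
};

// Constructed token payload, as an identity provider might issue it.
const sampleClaims = {
  sub: "user@example.com",
  groups: ["Everyone", "db-admins"],
};

// Returns the role names the server looks up for this token:
// <authNamePrefix>/<each value of the authorization claim>.
function oidcRoleNames(config, claims) {
  const raw = claims[config.authorizationClaim];
  if (raw === undefined) {
    // Token carries no authorization claim: no roles are mapped.
    return [];
  }
  // The claim may be a single string or an array of strings.
  const values = Array.isArray(raw) ? raw : [raw];
  return values
    .filter((v) => typeof v === "string" && v.length > 0)
    .map((v) => `${config.authNamePrefix}/${v}`);
}

// Builds the document to pass to db.createRole() in the admin database so
// that one identity provider group maps to the given MongoDB roles.
function createRoleDocument(config, groupValue, mongoRoles) {
  return {
    role: `${config.authNamePrefix}/${groupValue}`,
    privileges: [],
    roles: mongoRoles,
  };
}

// Lists the role names a token would resolve to that do not exist in
// admin yet; such groups grant no privileges until a role is created.
function unmappedRoles(config, claims, existingRoleNames) {
  const existing = new Set(existingRoleNames);
  return oidcRoleNames(config, claims).filter((r) => !existing.has(r));
}

// Stand-alone usage. In mongosh you would instead run, for example:
//   db.getSiblingDB("admin").createRole(
//     createRoleDocument(providerConfig, "Everyone", ["readWriteAnyDatabase"]))
console.log(oidcRoleNames(providerConfig, sampleClaims));
console.log(unmappedRoles(providerConfig, sampleClaims, ["okta/Everyone"]));
```

Run unmappedRoles against the output of db.getRoles() in admin after you create your roles; any name it returns is a group whose members will authenticate but receive none of the privileges you intended for them.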
