Fuat Ertunc

2 results

MongoDB Introduces Workload Identity Federation for Database Access

MongoDB Atlas customers run workloads (applications) inside AWS, Azure, and Google Cloud. Today, to enable these workloads to authenticate with MongoDB Atlas cluster—customers create and manage MongoDB Atlas database users using the natively supported SCRAM (password) and X.509 authentication mechanisms and configure them in their workloads. Customers have to manage the full identity lifecycle of these users in their applications, including frequently rotating secrets. To meet their evolving security and compliance requirements, our enterprise customers require database users to be managed within their existing identity providers or cloud providers of their choice. Workload Identity Federation will be in general availability later this month and allows management of MongoDB Atlas database users with Azure Managed Identities, Azure Service Principals, Google Service Accounts, or an OAuth2.0 compliant authorization service. This approach makes it easier for customers to manage, secure, and audit their MongoDB Atlas database users in their existing identity provider or a cloud provider of their choice and enables them to have "passwordless" access to their MongoDB Atlas databases. Along with Workload Identity Federation, Workforce Identity Federation , which was launched in public preview last year, will be generally available later this month. Workforce Identity Federation allows organizations to configure access to MongoDB clusters for their employees with single sign-on (SSO) using OpenID Connect. Both features complement each other and enable organizations to have complete control of database access for both application users and employees. Workload Identity Federation support will be available in Atlas Dedicated Clusters on MongoDB 7.0 and above, and is supported by Java, C#, Node, and Python drivers. Go driver support will be added soon. Quick steps to get started with Workload Identity Federation: Configure Atlas with your OAuth2.0 compatible workload identity provider such as Azure or Google Cloud. Configure Azure Service Principal or Google Cloud Service Accounts for the Azure or Google Cloud resource where your application runs. Add the configured Azure Service Principal or Google Cloud Service Account as Atlas database users with Federated authentication. Using Python or any supported driver inside your application, authenticate and authorize with your workload identity provider and Atlas clusters. To learn more about Workload Identity Federation, please refer to the documentation . And to learn more about how MongoDB’s robust operational and security controls protect your data, read more about our security features .

May 2, 2024

MongoDB Introduces Workforce Identity Federation with OpenID Connect Support for Database Access

The workforce within organizations including DBAs, analysts, and developers need to authenticate and authorize the database to perform their job functions. Organizations need to manage the identity life cycle of these workforce users and enforce appropriate requirements such as password complexity, credential rotation, MFA, and so on. MongoDB supports LDAPS and AWS-IAM as two primary mechanisms for workforce access. LDAPS predates the cloud and requires organizations to establish network connectivity between their LDAP Server and MongoDB Atlas deployments. Workforce users can use AWS-IAM to authenticate with MongoDB Atlas deployments, but this mechanism is limited to AWS. MongoDB Atlas now supports workforce identity federation with the Atlas deployments using OpenID Connect (OIDC). OpenID Connect is a modern and open authentication protocol built on the OAuth 2.0 framework . This protocol is agnostic to a cloud provider. Any identity provider such as Okta, Azure AD, or Ping Identity that supports OIDC can be configured in Atlas for workforce authentication and authorization to MongoDB Atlas deployments. To use this feature, organizations configure OpenID Connect once in the Atlas Federation Management application and apply it to all deployments across Atlas projects. They also define access rights for the users in the corresponding Atlas Projects and map them to the groups defined in their identity provider. Workforce identity federation with OpenID Connect provides the following benefits: User credentials are centrally managed within your existing Identity Provider. MongoDB Atlas deployments never see or store the long-living credentials of your users. Security policies such as password rotation, password complexity, and MFA are centrally managed by your identity provider. Complete control over user lifecycle management in your organization that needs to access Atlas deployments. Enforce policies to have a short span of an access token in order to minimize the risk of long-living database connections. OpenID Connect support is currently in preview starting with MongoDB Atlas 7.0, releasing later this summer. OpenID Connect support is currently in preview starting with MongoDB 7.0 . Atlas Data Federation support Now, with a single setup, customers will be able to access Atlas Data Federation through Shell and Compass using OpenID Connect authentication, enabling it for both dedicated clusters and Data Federation. Refer to the documentation for more details. Try it with the 7.0 RC in Atlas .

June 30, 2023