MongoDB Introduces Workforce Identity Federation with OpenID Connect Support for Database Access

Pramod Borkar and Fuat Ertunc

Update June 5, 2024: Workforce Identity Federation is now GA. Head to our docs page to learn more.

The workforce within organizations including DBAs, analysts, and developers need to authenticate and authorize the database to perform their job functions. Organizations need to manage the identity life cycle of these workforce users and enforce appropriate requirements such as password complexity, credential rotation, MFA, and so on.

MongoDB supports LDAPS and AWS-IAM as two primary mechanisms for workforce access. LDAPS predates the cloud and requires organizations to establish network connectivity between their LDAP Server and MongoDB Atlas deployments. Workforce users can use AWS-IAM to authenticate with MongoDB Atlas deployments, but this mechanism is limited to AWS.

MongoDB Atlas now supports workforce identity federation with the Atlas deployments using OpenID Connect (OIDC). OpenID Connect is a modern and open authentication protocol built on the OAuth 2.0 framework. This protocol is agnostic to a cloud provider. Any identity provider such as Okta, Azure AD, or Ping Identity that supports OIDC can be configured in Atlas for workforce authentication and authorization to MongoDB Atlas deployments.

To use this feature, organizations configure OpenID Connect once in the Atlas Federation Management application and apply it to all deployments across Atlas projects. They also define access rights for the users in the corresponding Atlas Projects and map them to the groups defined in their identity provider.

Workforce identity federation with OpenID Connect provides the following benefits:

  • User credentials are centrally managed within your existing Identity Provider. MongoDB Atlas deployments never see or store the long-living credentials of your users.

  • Security policies such as password rotation, password complexity, and MFA are centrally managed by your identity provider.

  • Complete control over user lifecycle management in your organization that needs to access Atlas deployments.

  • Enforce policies to have a short span of an access token in order to minimize the risk of long-living database connections.

OpenID Connect support is currently in preview starting with MongoDB Atlas 7.0, releasing later this summer.

OpenID Connect support is currently in preview starting with MongoDB 7.0.

Atlas Data Federation support

Now, with a single setup, customers will be able to access Atlas Data Federation through Shell and Compass using OpenID Connect authentication, enabling it for both dedicated clusters and Data Federation.

Refer to the documentation for more details. Try it with the 7.0 RC in Atlas.