- Security >
- Enable Authentication for a Cloud Manager Project >
- Enable OIDC Authentication for your Cloud Manager Project
Enable OIDC Authentication for your Cloud Manager Project¶
On this page
Cloud Manager enables you to configure the Authentication Mechanisms that all clients, including the Cloud Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.
MongoDB Enterprise allows authentication using OIDC. To authenticate with OIDC, you must first register your OIDC or OAuth application with an IdP that supports OIDC standard, such as as Azure AD, Okta, and Ping Identity.
OIDC application registration steps can vary based on your IdP. Ensure that you complete the following items during your registration process:
Register a new application for MongoDB Atlas.¶
Make sure to select public client/native application as the client type.
Set the Redirect URL value to http://localhost:27097/redirect
.¶
Add or enable groups claim.¶
This assures that your access tokens contain the group membership information of the user authenticating. MongoDB uses the values sent in groups claim for authorization.
Optional: Allow refresh tokens if you want MongoDB clients to refresh the tokens for a better user experience.¶
Optional: Configure access token lifetime (exp
claim) to align with your database connection session time.¶
Once you register your application, save the issuer
,
clientId
and audience
values to use in the next stage of the
OIDC IdP configuration.
Prerequisites¶
To enable OIDC authentication, you must:
Use
mongosh
1.9.1 or later.Use MongoDB 7.0 or later.
Configure at least one other authentication mechanism with MongoDB Agent.
Note
The MongoDB Agent cannot connect to your cluster via OIDC. You must enable an additional auth mechanism for the MongoDB Agent. If Cloud Manager doesn’t manage Monitoring or Backup, you must manually configure them to use the alternative authentication mechanism.
Procedures¶
Note
If you want to reset Authentication and TLS settings for your project, first unmanage any MongoDB deployments that Cloud Manager manages in your project.
Configure OIDC Authentication¶
Optional: Specify the TLS Settings.¶
Field | Action | ||||
---|---|---|---|---|---|
MongoDB Deployment Transport Layer Security (TLS) | Toggle this slider to ON. | ||||
TLS CA File Path | The TLS Certificate Authority file is a Note The encrypted private key for the Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:
This enables the Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified. |
||||
Client Certificate Mode | Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid. Accepted values are:
|
TLS is not required for use with Federated Auth (OIDC) authentication.
Choose the authentication mechanism.¶
In the MongoDB Deployment Authentication Mechanism section, select Federated Auth (OIDC).
Configure the OIDC Authorization Settings.¶
Provide the following values:
Setting | Necessity | Value |
---|---|---|
Audience | Required | Specify who your OIDC provider intends the token for. |
Issuer URI | Required | Issuer value provided by your registered IdP application.
Using this URI, MongoDB finds an OpenID Provider Configuration
Document, which should be available in the
/.wellknown/open-id-configuration endpoint. |
Client ID | Required | Unique identifier for your registered application. Enter
the clientId value from the app you registered
with OIDC IdP. |
Requested Scopes | Optional | Tokens that give users permission to request data from the authorization endpoint. For each additional scope you want to add, click Add more scopes. |
User Claim | Optional | The identifier of the claim that includes the user principal identity. Accept the default value unless your IdP uses a different claim. Default: |
Groups Claim | Optional | The identifier of the claim that includes the principal’s IdP user group membership information. Accept the default value unless your IdP uses a different claim, or you need a custom claim. Default: |
Click Save Settings.¶
Click Review & Deploy to review your changes.¶
Click Confirm & Deploy to deploy your changes.¶
Otherwise, click Cancel and you can make additional changes.
Configure OIDC Authorization¶
MongoDB does not explicitly create database users for OIDC. It maps OIDC users to MongoDB roles based on their groups.
To create a database role for an OIDC group:
Click Add New Role.¶
Create the OIDC role.¶
Enter the following fields:
Field Necessity Description Identifier Required In the database box, enter
admin
.In the name box, enter your
projectId
and group name from your IdP separated by a slash/
:Inherits From Optional A list of role name and database pairs. The format for these pairs are roleName@dbName
.Authentication Restrictions Optional A list of IP addresses or CIDR notations that you want to restrict from your IdP. Click Add Role.
Revoke JWKS¶
Note
Don’t use this feature to rotate your signing keys. When you rotate your OIDC IdP signing keys, MongoDB fetches the JWKS automatically upon expiration of the existing access tokens.
If your private key is compromised, you can immediately revoke your JSON Web Key Sets (JWKS) cached in MongoDB nodes:
Navigate to the Security Settings dialog for your deployment.¶
- If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
- If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
- If it is not already displayed, click Deployment in the sidebar.
- Click the Security tab.
- Click the Settings tab.
Revoke your JWKS token.¶
Scroll to the OIDC Connection and Authorization (Required for OIDC) section.
Click the REVOKE JWKS button.
Note
This button is idle if there is no IdP configured.
In the Revoke JWKS tokens? modal, click Revoke.