
Configure MongoDB with OpenID Connect


MongoDB Enterprise supports OpenID Connect authentication. You can use OpenID Connect to configure single sign-on between your MongoDB deployment and a third-party identity provider, so that users authenticate to the provider and present its token to MongoDB instead of holding a MongoDB password.

Before you Begin

  • Set up an OpenID Connect client profile with your chosen provider: Microsoft Azure AD or Okta.

  • When using mongosh to connect, if you use the oidcRedirectUri option, the URI must exactly match a redirect URI registered in the identity provider's client configuration; providers reject authorization requests whose redirect URI is not registered.

  • Ensure that you are on MongoDB Enterprise.

    To verify that you are using MongoDB Enterprise, pass the --version command line option to mongod or mongos:

    mongod --version

    In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries.

Steps

1. Configure the MongoDB server.

To configure the MongoDB server, enable the MONGODB-OIDC authentication mechanism with the authenticationMechanisms parameter and use the oidcIdentityProviders parameter to specify the identity provider (IdP) configurations.

You can configure the MongoDB server using your configuration file or the command line.

2. Create roles that map identity provider groups to MongoDB roles.

In the admin database, use the db.createRole() method to create roles that map the groups asserted by the identity provider to MongoDB roles. A group that has no matching role in the admin database grants the user nothing.

Use the following format for the role name:

    <authNamePrefix>/<value of authorizationClaim>

Both authNamePrefix and authorizationClaim are fields of the provider entry in the oidcIdentityProviders parameter: authNamePrefix is the literal prefix before the slash, and authorizationClaim names the claim in the provider's token (for example, groups) whose values appear after the slash. For example, with authNamePrefix set to okta and a token whose authorization claim contains Everyone:

    db.createRole( {
        role: "okta/Everyone",
        privileges: [ ],
        roles: [ "readWriteAnyDatabase" ]
    } )
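The following mongosh script is an added example, not code from the MongoDB manual. It ties both steps together: the oidcIdentityProviders array is the value the server is started with (mongodStartupArgs() renders the matching --setParameter arguments), rolesFromToken() shows how a token's authorization claim becomes the <authNamePrefix>/<value> role names the server looks up, and buildCreateRoleDocs() produces the db.createRole() documents for them. The issuer, clientId, audience and group values are constructed placeholders, and the mapping-table format (authNamePrefix, group, roles) is this script's own, not a MongoDB parameter. The issuer, clientId and audience fields are oidcIdentityProviders fields not shown on this page; check them against the server parameter reference for your version.

```javascript
// Added example (not code from the MongoDB manual). Run against the admin
// database with:
//   mongosh "mongodb://localhost:27017/admin" --file oidc-roles.js
// All provider identifiers and group values below are constructed placeholders.

// Same shape as the oidcIdentityProviders server parameter. The role mapping
// uses only authNamePrefix and authorizationClaim; issuer, clientId and
// audience are what the server validates incoming tokens against.
const oidcIdentityProviders = [
  {
    issuer: "https://dev-000000.okta.com/oauth2/default", // constructed
    clientId: "0oa0example0example",                       // constructed
    audience: "api://mongodb-example",                     // constructed
    authNamePrefix: "okta",
    authorizationClaim: "groups",
  },
  {
    // Azure AD emits group object IDs, not display names, in the groups claim
    // by default, so the mapped role names use the IDs.
    issuer: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0", // constructed
    clientId: "11111111-1111-1111-1111-111111111111",      // constructed
    audience: "api://mongodb-example",                     // constructed
    authNamePrefix: "azure",
    authorizationClaim: "groups",
  },
];

// Command-line form of step 1. SCRAM-SHA-256 stays enabled so a local admin
// can still log in while the OIDC configuration is being verified; listing
// MONGODB-OIDC alone would lock out every password-based account.
function mongodStartupArgs(providers) {
  return [
    "--setParameter", "authenticationMechanisms=SCRAM-SHA-256,MONGODB-OIDC",
    "--setParameter", `oidcIdentityProviders=${JSON.stringify(providers)}`,
  ];
}

// Role names follow the <authNamePrefix>/<claim value> format. A "/" inside
// the prefix would make the name ambiguous, so such prefixes are rejected.
function oidcRoleName(authNamePrefix, claimValue) {
  if (!/^[A-Za-z0-9_.-]+$/.test(authNamePrefix)) {
    throw new Error(`unsupported authNamePrefix: ${JSON.stringify(authNamePrefix)}`);
  }
  return `${authNamePrefix}/${claimValue}`;
}

// The configured provider whose issuer equals the token's iss claim, or null
// when the token comes from an issuer that is not configured at all.
function providerForIssuer(providers, iss) {
  return providers.find((p) => p.issuer === iss) || null;
}

// Role names the server resolves for a decoded token payload: one per value
// of the provider's authorizationClaim. A bare string claim counts as one
// value; a missing claim or an unknown issuer yields no roles.
function rolesFromToken(providers, payload) {
  const idp = providerForIssuer(providers, payload.iss);
  if (idp === null) return [];
  const claim = payload[idp.authorizationClaim];
  const values = Array.isArray(claim) ? claim : claim === undefined ? [] : [claim];
  return values.map((v) => oidcRoleName(idp.authNamePrefix, String(v)));
}

// Step 2: one createRole document per (provider group -> MongoDB roles) entry.
// A prefix that matches no configured provider is an error, so a typo cannot
// silently create a role that no token will ever map to.
function buildCreateRoleDocs(providers, mapping) {
  return mapping.map(({ authNamePrefix, group, roles }) => {
    if (!providers.some((p) => p.authNamePrefix === authNamePrefix)) {
      throw new Error(`no identity provider uses authNamePrefix ${authNamePrefix}`);
    }
    return { role: oidcRoleName(authNamePrefix, group), privileges: [], roles };
  });
}

// Constructed mapping table: which provider groups receive which built-in
// roles. Built-in roles are defined in admin, so plain strings suffice here.
const groupMapping = [
  { authNamePrefix: "okta", group: "Everyone", roles: ["readWriteAnyDatabase"] },
  { authNamePrefix: "okta", group: "dba", roles: ["dbAdminAnyDatabase", "clusterMonitor"] },
  { authNamePrefix: "azure", group: "22222222-2222-2222-2222-222222222222", // constructed object ID
    roles: ["readAnyDatabase"] },
];

// Under mongosh `db` is defined and the roles are created in admin; under
// plain Node the functions above are only defined, which keeps them testable.
if (typeof db !== "undefined") {
  const admin = db.getSiblingDB("admin");
  for (const doc of buildCreateRoleDocs(oidcIdentityProviders, groupMapping)) {
    admin.createRole(doc);
  }
}
```

The role name is derived from whatever the provider puts in the claim, so review the provider's group claim format (Okta group names versus Azure AD object IDs) before writing the mapping table, and keep the claim list short: every group a user is in becomes a role lookup on each authentication.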