Details
Investigation
Resolution: Done
Major - P3
Not Needed
Description
For Cloud: Add support for OIDC authentication on Cloud and Ops Manager (see CLOUD-128564). Add support for OIDC configuration in Atlas (see CLOUD-128394).
For Drivers: Implement client-side support for the MONGODB-OIDC SASL mechanism across all drivers (see DRIVERS-2415). MONGODB-OIDC will work either as a single-step mechanism that simply passes a token to the server, or as a two-step protocol in which the server first returns its OIDC metadata, the client uses that metadata to acquire a token, and the client then sends the token in the second step.
For DBX: Implement support in the mongosh shell and Compass for authenticating to the server via MONGODB-OIDC (see MONGOSH-1271).
For Docs: Document OIDC workflows with a focus on single IDP configurations as described in the design document.
Description of Linked Ticket
Summary
Add OpenID Connect (OIDC) as authentication mechanism
Motivation
Several customers have asked whether they can use single sign-on to log in to Atlas clusters. Currently, the only mechanism available is AWS-IAM, which they can then tie to their own identity provider; however, this mechanism is AWS-specific. Customers want 1) their Atlas users to log in to the database without creating database-specific credentials, and 2) native support for Azure and GCP IAM for the database. This project is a stepping stone towards achieving these goals.
Competition reference (CockroachDB): https://www.cockroachlabs.com/docs/v20.2/sso
Cast of Characters
- Product Owner: Fuat Ertunc
- Project Lead: Spencer Jackson
- Program Manager: Elizabeth Roytburd
- Drivers Contact: Steve Silvester
Documentation
Scope Document
Technical Design Document
Product Description
Docs Update