MongoDB Authentication Mechanisms


Authentication is the process of verifying the identity of a client. When access control (authorization) is enabled, MongoDB requires all clients to authenticate themselves to determine their access.

Although authentication and authorization are closely connected, authentication is distinct from authorization:

  • Authentication verifies the identity of a user.
  • Authorization determines the verified user's access to resources and operations.

MongoDB Atlas comes with built-in TLS and the latest authentication capabilities, such as SCRAM, X.509, AWS IAM, and LDAP integrations. These can be set up easily through the UI or the API.

To secure your deployments, you must apply at least one of the following mechanisms.

Each of these mechanisms has its benefits and use cases.

  • SCRAM (Default)
    SCRAM (Salted Challenge Response Authentication Mechanism) adheres to the best practices set out in RFC 5802, which defines standards for authenticating users with a challenge-response mechanism. It is commonly referred to as username/password authentication and can use the SHA-1 or SHA-256 hash algorithms.

  • X.509 Certificate Authentication
    MongoDB supports X.509 certificate authentication for use with a secure TLS connection. X.509 certificate authentication allows clients to authenticate to servers with certificates rather than with a username and password.

  • LDAP Proxy Authentication (Only for MongoDB Enterprise and Atlas)
    MongoDB Enterprise supports federated SSO authentication of users. This allows administrators to configure a MongoDB cluster to authenticate users by proxying authentication requests to a specified LDAP service.

  • Kerberos Authentication (Only for MongoDB Enterprise)
    MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an IETF (RFC 4120) standard authentication protocol for large client/server systems.
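
To make the challenge-response idea in the SCRAM item concrete, here is an added example (not from the original page and not MongoDB's code) that walks both sides of a SCRAM-SHA-256 exchange using the RFC 5802 formulas. It shows that the server stores only derived keys and that the proof is bound to the nonces of one exchange. The user name, passwords and iteration count are constructed, and SASLprep normalization and the server's own signature step are left out.

```python
import base64, hashlib, hmac, os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _salted(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def server_register(password: str, iterations: int = 15000) -> dict:
    """Credential record kept by the server: no password, only derived keys."""
    salt = os.urandom(16)
    sp = _salted(password, salt, iterations)
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha256(_hmac(sp, b"Client Key")).digest(),
            "server_key": _hmac(sp, b"Server Key")}  # would sign the server's reply

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _hmac(_salted(password, salt, iterations), b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))

def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_key = _xor(proof, _hmac(record["stored_key"], auth_message))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), record["stored_key"])

def run_exchange(stored_password: str, typed_password: str, user: str = "appUser") -> bool:
    record = server_register(stored_password)
    b64 = lambda raw: base64.b64encode(raw).decode()
    # client-first-message-bare: user name plus a fresh client nonce
    c_nonce = b64(os.urandom(18))
    client_first = f"n={user},r={c_nonce}"
    # server-first-message (the challenge): combined nonce, salt, iteration count
    nonce = c_nonce + b64(os.urandom(18))
    server_first = f"r={nonce},s={b64(record['salt'])},i={record['i']}"
    # client-final-message-without-proof: "biws" is base64 of the GS2 header "n,,"
    client_final = f"c=biws,r={nonce}"
    auth_message = ",".join([client_first, server_first, client_final]).encode()
    proof = client_proof(typed_password, record["salt"], record["i"], auth_message)
    return server_verify(record, auth_message, proof)

if __name__ == "__main__":
    print(run_exchange("constructed-pw", "constructed-pw"), run_exchange("constructed-pw", "guess"))
```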