OpenID Connect - MongoDB Compass Setup
API Access Management
Okta Classic Engine
Okta Identity Engine
Overview

This article documents the steps for setting up Okta with MongoDB Compass by using a Native OpenID Connect app.

Applies To
  • Okta Integrator Free Plan org
  • API Access Management
  • OpenID Connect
  • MongoDB Compass
Solution

NOTE:

  • The API Access Management product, or access to a Custom Authorization Server such as "default", is needed to complete these steps. If this setup is needed, reach out to the Account Executive before proceeding.
  • An Okta Integrator Free Plan org is pre-configured with a custom authorization server named "default".

OKTA SIDE

  1. In the Admin Dashboard, select Applications > Applications in the sidebar.
  2. Click Create App Integration.
  3. Under Sign-in method, select OIDC - OpenID Connect.
  4. Under Application type, select Native Application.
    [Screenshot: Create App Integration]
  5. Confirm creating the application by clicking Next.
  6. In the application creation screen:
    1. Name the application.
    2. In the Grant Type section, allow Authorization Code, Refresh Token, and Device Authorization.
      [Screenshot: New Native App Integration]
    3. In the Sign-in redirect URIs section, allow the redirect URL http://localhost:27097/redirect.
    4. Delete sign-out redirect URIs.
    5. In the Controlled access section, choose Allow everyone in your organization to access.
    6. Check Enable immediate access with Federation Broker Mode.
      [Screenshot: Checkbox for "Enable immediate access with Federation Broker Mode"]
    7. Click Save to complete the application.
  7. In the application configuration screen:
    1. Ensure Require PKCE as additional verification is checked (should be by default).
    2. Write down the Client ID value somewhere:
      [Screenshot: Client ID]
  8. In the dashboard sidebar, go to Security > API.
    1. Click Add Authorization Server.
    2. Fill in any name.
    3. Copy the Client ID value from the previous step into the Audience field.
    4. Click Save.
      [Screenshot: Add Authorization Server]
  9. In the Authorization Server configuration screen:
    1. Write down the first part of the URI listed under Metadata URI, i.e. everything before the /.well-known/ part (without a trailing slash). This value is referred to below as the "Issuer URI".
      [Screenshot: Test Authorization Server]
    2. Go to the Claims tab, click Add Claim.
      1. Name: groups
      2. Include in token type: Access Token
      3. Value type: Groups
      4. Filter: Matches regex, .*
      5. Disable claim: unchecked
      6. Include in: Any scope
        [Screenshot: Add Claim]
    3. Click Create.
  10. Go to the Access Policies tab and click Add Policy.
    1. Name: Atlas OIDC AuthZ Policy.
    2. Description: Whatever is desired.
    3. Assign to: All clients.
    4. Click Create Policy.
      [Screenshot: Add Policy]
  11. In the policy configuration, click Add Rule.
    1. Rule Name: Default Rule
    2. Client acting on behalf of itself: Client Credentials
    3. Client acting on behalf of a user: Authorization code, Implicit (hybrid), Resource Owner Password, SAML 2.0 Assertion, Device Authorization, Token exchange
      [Screenshot: Rule configuration]
    4. And user is: Any user assigned the app
    5. And scopes requested: any scopes
    6. Then use this inline hook: None (disabled)
    7. And access token lifetime is: 1 hour
    8. And refresh token lifetime is: Unlimited
    9. But will expire if not used every: 7 days
    10. Create rule
      [Screenshot: Create rule]
  12. Navigate to Directory > Groups.
    1. Add group.
    2. Name: Atlas OIDC.
    3. Description: as desired.
      [Screenshot: Add group]
    4. Add users to this group as desired.
      [Screenshot: Add users]
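As an added sanity check that is not part of the original article or of Okta's or MongoDB's own tooling: the Python below (standard library only) derives the Issuer URI from a Metadata URI the way step 9.1 describes, and inspects an access token's claims for what the Atlas-side configuration expects, namely iss equal to the Issuer URI, aud containing the Client ID that was copied into the authorization server's Audience field, a sub claim, the custom groups claim carrying the group created in Directory > Groups, and an unexpired exp. The org hostname, authorization server ID, Client ID and the sample tokens are constructed placeholders. The script decodes the payload only and does not verify the signature; Atlas verifies that against the issuer's published JWKS.

```python
"""Offline checks for the Okta -> Atlas OIDC wiring (added example, not from the article)."""
import base64
import json
import time
from typing import List, Optional

# Constructed placeholders: substitute the values shown in the Okta admin UI.
METADATA_URI = "https://dev-000000.okta.com/oauth2/ausEXAMPLE/.well-known/oauth-authorization-server"
CLIENT_ID = "0oaEXAMPLECLIENTID"
EXPECTED_GROUP = "Atlas OIDC"


def issuer_from_metadata_uri(metadata_uri: str) -> str:
    """Step 9.1: the Issuer URI is everything before '/.well-known/', no trailing slash."""
    marker = "/.well-known/"
    idx = metadata_uri.find(marker)
    if idx == -1:
        raise ValueError("not an OAuth/OIDC metadata URI")
    return metadata_uri[:idx].rstrip("/")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment only. No signature verification here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS (header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the checks can run offline."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


def check_atlas_claims(claims: dict, issuer: str, client_id: str,
                       required_group: str, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the claims match the Atlas IdP config."""
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append(f"iss={claims.get('iss')!r} does not equal the Issuer URI {issuer!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        # Step 8.3 copies the Client ID into the auth server's Audience field for this reason.
        problems.append(f"aud={aud!r} does not contain the Client ID {client_id!r}")
    if not claims.get("sub"):
        problems.append("missing sub claim (the Atlas 'User claim')")
    groups = claims.get("groups")
    if not isinstance(groups, list):
        problems.append("missing groups claim (check the custom claim on the auth server)")
    elif required_group not in groups:
        problems.append(f"groups={groups!r} does not include {required_group!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


if __name__ == "__main__":
    issuer = issuer_from_metadata_uri(METADATA_URI)
    # Constructed token that mirrors what the setup above should produce.
    token = make_sample_token({"iss": issuer, "aud": CLIENT_ID, "sub": "alice@example.com",
                               "groups": ["Everyone", EXPECTED_GROUP], "exp": int(time.time()) + 3600})
    print("issuer:", issuer)
    print("problems:", check_atlas_claims(decode_jwt_payload(token), issuer, CLIENT_ID, EXPECTED_GROUP))
```

To use it against a real token, paste the access token Okta issued to Compass in place of the constructed one; each reported problem maps back to one of the Okta steps above (Audience field, groups claim, group membership, or policy lifetimes).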
ATLAS SIDE

  • Navigate to FMC > Identity Providers > Set Up Identity Provider.
    1. Select OIDC for Data Access and fill in the configuration details:
      1. Configuration Name: As desired.
      2. Configuration Description: As desired.
      3. Issuer URI: The "Issuer URI" value derived from the Metadata URI of the Okta Authorization Server.
      4. Client ID: Value from Okta App Settings.
      5. Audience: Value from the Okta Authorization Server (the Client ID that was entered in its Audience field).
      6. Requested scopes: Do not put anything here.
      7. User claim: keep as "sub".
      8. Groups claim: keep as "groups".
      9. Save and Finish.
    2. Associate Domains: add a federated domain here:
      1. Click Connect Organizations.
        1. Select Configure Access on the desired org.
        2. Click Connect Identity Provider.
        3. Check the box for the IdP created in step 3 here.
        4. Click Connect.
      2. Go to the project where the MongoDB 7.0 cluster is deployed in the org selected above:
        1. Database Access > Add New Database User or Group.
        2. Select Federated Auth.
        3. Select Identity Provider: Select the IdP that was just created.
        4. Group Identifier: Type the group name created in Okta Directory.
        5. Give it a role.
        6. Add group.