Browser Single Sign-On

Neo4j Browser provides support for Single Sign-On (SSO) providers. This is an Enterprise feature and requires specific configuration and a (self-hosted) Neo4j Server v4.4 and later. Additionally, you need a compatible SSO provider (local or external) already configured. For more information on the configuration, see Operations Manual → OIDC configuration settings.

For deployments other than with self-hosted Neo4j Server v4.4+, SSO can be configured with a separate OAuth plugin which requires engagement from Professional Services. See https://neo4j.com/professional-services/ for more information about Professional Services.

Supported providers at this time are the OpenID Connect (OIDC) / OAuth 2.0 providers Google, Keycloak, Microsoft Azure AD, and Okta.

Browser supports two authorization flows:

  • Authorization Code flow with PKCE.

  • Implicit flow.

It is strongly advised to use the Authorization Code flow with PKCE. Further information about OpenID Connect and OAuth can be found at https://openid.net/connect/.

Security information should always be exchanged with encrypted transport, and therefore HTTPS should be used. Mixed HTTP/HTTPS flows for single sign-on are not supported.

Once your SSO provider is configured, you need to configure Neo4j to use OpenID Connect. This is done by updating the neo4j.conf file according to the instructions in Operations Manual → Configure Neo4j to use OpenId Connect.

Make sure to avoid duplicate entries in the neo4j.conf file.

Browser needs to be aware of the identity providers available for use. When used with Neo4j v4.4+, this is specified in the neo4j.conf file, as described above.
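As an added example (not code from the Neo4j documentation or project), a small Python audit that reads a neo4j.conf fragment and flags the three points this page calls out: a provider not using PKCE, an OIDC URL that is not HTTPS, and duplicate entries. The setting names dbms.security.oidc.<id>.auth_flow, .well_known_discovery_uri and .redirect_uri are assumed from Neo4j 4.4's OIDC settings and the sample configuration is constructed; verify the names against the Operations Manual for your version.

```python
import re
from collections import Counter

# Constructed sample neo4j.conf fragment (not from the page or the Neo4j docs):
# "okta" is configured correctly; "azure" uses the Implicit flow, a plain-http
# discovery URI, and its auth_flow key appears twice. Hostnames are placeholders.
SAMPLE_CONF = """\
dbms.security.authentication_providers=oidc-okta,oidc-azure,native
dbms.security.oidc.okta.auth_flow=pkce
dbms.security.oidc.okta.well_known_discovery_uri=https://example.okta.com/.well-known/openid-configuration
dbms.security.oidc.okta.redirect_uri=https://browser.example.com:7473/browser/?idp_id=okta
dbms.security.oidc.azure.auth_flow=implicit
dbms.security.oidc.azure.well_known_discovery_uri=http://login.example.com/.well-known/openid-configuration
dbms.security.oidc.azure.redirect_uri=https://browser.example.com:7473/browser/?idp_id=azure
dbms.security.oidc.azure.auth_flow=pkce
"""

# Setting names assumed from Neo4j 4.4's dbms.security.oidc.<id>.* settings.
OIDC_KEY = re.compile(r"^dbms\.security\.oidc\.([^.]+)\.(.+)$")
URL_SETTINGS = {"well_known_discovery_uri", "redirect_uri"}

def parse_conf(text):
    """Parse key=value lines, skipping blanks and comments.
    Returns (entries, duplicate_keys); entries preserves file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    counts = Counter(key for key, _ in entries)
    return entries, {key for key, n in counts.items() if n > 1}

def audit_sso_config(text):
    """Return findings: duplicate keys, non-PKCE auth flows, non-HTTPS OIDC URLs."""
    entries, duplicates = parse_conf(text)
    findings = [f"duplicate key: {key}" for key in sorted(duplicates)]
    for key, value in entries:
        match = OIDC_KEY.match(key)
        if not match:
            continue
        provider, setting = match.groups()
        if setting == "auth_flow" and value.lower() != "pkce":
            findings.append(f"{provider}: auth_flow={value} (use pkce)")
        if setting in URL_SETTINGS and not value.lower().startswith("https://"):
            findings.append(f"{provider}: {setting} is not https")
    return findings
```

Run audit_sso_config over your own neo4j.conf text before restarting the server; an empty list means none of the three checks fired.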

Deployments that use an earlier version of Neo4j require a separate OAuth plugin and assistance from Professional Services, as mentioned previously. In such cases, the identity providers can be specified with the discoveryURL URL parameter, which points to a .json file listing the SSO providers.

Example for Browser:
https://<browser-server-host>:<http-port>?discoveryURL=https://webhost.com/public/discovery.json

For convenience, the sso_redirect=<idp_id> URL parameter can be used to automatically trigger the SSO flow without needing to click the "Login with SSO" button in the Browser UI.