Single sign-on integration
Neo4j supports OpenID Connect (OIDC), which allows for integration with many identity providers including Okta, Microsoft Entra ID, and Google. This integration permits federated users, managed by the identity provider, to access Neo4j instead of, or in addition to the native users and roles. For examples with different providers and troubleshooting, see the SSO configuration tutorial.
OIDC configuration settings
Neo4j supports multiple OIDC identity providers at the same time, as such each provider configuration must be assigned a prefix to differentiate it from others.
In the configuration examples below the provider-specific prefix is represented by <provider>, which should be replaced with a name representing your provider.
For example, if you are using Okta as your identity provider you might use okta in the place of <provider> below.
The following configuration settings are important to consider when configuring single sign-on. For a more detailed overview of the single sign-on configuration options, see Configuration settings. Some of these settings can also be updated while the database is running, see Dynamic settings for more information on how to do this. Altering any of these settings causes users to re-authenticate as their permissions may have changed as a result.
| Parameter name | Default value | Dynamic | Description |
|---|---|---|---|
false |
The display name for the provider. This is displayed in clients such as Neo4j Browser and Bloom. |
||
pkce |
true |
The OIDC auth_flow for clients such as Neo4j Browser and Bloom to use.
Supported values are |
|
true |
The OpenID Connect Discovery URL for the provider. |
||
true |
URL of the provider’s Authorization Endpoint. |
||
true |
Optional parameters that clients may require with the Authorization Endpoint. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2. |
||
true |
URL of the provider’s OAuth 2.0 Token Endpoint. |
||
true |
Option parameters that clients may require with the Token Endpoint. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2. |
||
true |
URL of the provider’s JSON Web Key Set. |
||
true |
URL of the provider’s UserInfo Endpoint. |
||
true |
URL that the provider asserts as its issuer identifier.
This will be checked against the |
||
true |
The expected value for the |
||
true |
Option parameters that clients may require. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2. |
||
true |
Option additional configuration that clients may require. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2. |
||
false |
true |
Whether to fetch the groups claim from the user info endpoint on the identity provider.
The default is |
|
false |
true |
Whether to fetch the username claim from the user info endpoint on the identity provider.
The default is |
|
sub |
true |
The claim to use for the database username. Neo4j expects to find a string claim in the JWT or user_info response with this name. |
|
true |
The claim to use for the database roles. Neo4j expects to find a claim in the JWT or user_info response with this name. The claim may be a string claim representing a single role or a string array claim representing multiple roles. From Neo4j 5.4, the JWT claim may also contain a single group returned as a string as well as a list of groups as was previously required. |
||
dbms.security.oidc.<provider>.authorization.group_to_role_mapping |
true |
List an authorization mapping from groups to the pre-defined built-in roles |
|
false |
false |
When set to |
Configure Neo4j to use OpenID Connect
First, you configure Neo4j to use OpenID Connect as an authentication and authorization provider in the neo4j.conf file.
-
Make sure security is turned on. The default value for
dbms.security.auth_enabledistrue. -
Uncomment the settings
dbms.security.authentication_providersanddbms.security.authorization_providersand change their value tooidc-<provider>, where<provider>maps to the provider name used in the configuration settings. This way, the OIDC connector is used as a security provider for both authentication and authorization. If you want, you can still use thenativeprovider for mixed-mode authentication and authorization. The values are comma-separated and queried in the declared order.Example 1. Configure Neo4j to use two OpenID Connect and the native authentication and authorization providers.dbms.security.authentication_providers=oidc-newsso,oidc-oldsso,native dbms.security.authorization_providers=oidc-newsso,oidc-oldsso,native -
Check connectivity. Neo4j needs to connect to the identity provider to discover settings and fetch public keys to verify tokens. Check firewall settings and security controls, and, if necessary, logs to ensure that the Neo4j server is able to connect to the identity provider using HTTPS. If a proxy is required, this can be configured in the Java virtual machine using the configuration setting server.jvm.additional. Proxies that require credentials are not supported.
Map the identity provider groups to the Neo4j roles
Before identity provider managed groups can be used with Neo4j, you have to decide on an approach for mapping identity provider groups to Neo4j roles.
The simplest approach is to create identity provider groups with the same names as Neo4j roles.
If you decide to go this way, no mapping configuration is necessary.
Assuming, however, that identity provider groups do not directly map 1:1 to the desired Neo4j roles, it is necessary to map the identity provider groups to the Neo4j built-in and custom-defined roles.
To do that, you need to know what privileges the Neo4j roles have, and based on these privileges, create the mapping to the groups defined in the identity provider.
The map must be formatted as a semicolon-separated list of key-value pairs, where the key is the identity provider group name and the value is a comma-separated list of the corresponding role names.
For example, group1=role1;group2=role2;group3=role3,role4,role5;group4=role6;group5=role6.
dbms.security.oidc.mysso.authorization.group_to_role_mapping=\
neo4j_readonly = reader; \ (1)
neo4j_rw = editor,publisher; \ (2)
neo4j_rw = publisher; \ (3)
neo4j_create = publisher; \
neo4j_dba = admin; \
neo4j_exec = rolename (4)| 1 | Mapping of an identity provider group to a Neo4j built-in role. |
| 2 | Mapping of an identity provider group to two Neo4j built-in roles. |
| 3 | Mapping of two identity provider groups to a Neo4j built-in role. |
| 4 | Mapping of an identity provider group to a custom-defined role.
Custom-defined roles, such as rolename, must be explicitly created using the CREATE ROLE rolename command before they can be used to grant privileges.
See Manage roles. |
Configure Neo4j to use an OpenID Connect identity provider
This option allows users to log in through an OIDC compliant identity provider by offering a token from the provider instead of a username and password.
Typically, these tokens take the form of a signed JSON Web Token (JWT).
The following configuration examples use mysso as the provider’s name.
It is recommended to use a name describing the provider that is being integrated.
OpenID Connect using JWT claims
In this configuration, Neo4j receives a JWT from the identity provider containing claims representing the database username (e.g. email), and the Neo4j roles.
-
Set a display name.
In the neo4j.conf file, uncomment and configure the following settings:
dbms.security.oidc.mysso.display_name=SSO ProviderThis is displayed on a button on the login page of clients, such as Neo4j Browser and Bloom so that you can identify the provider you are using to login.
-
Configure discovery.
Uncomment and configure the following settings:
dbms.security.oidc.mysso.well_known_discovery_uri=https://my-idp.example.com/.well-known/openid-configurationThe
well_known_discoveryendpoint of the identity provider supplies the OpenID provider metadata to allow Neo4j to interact with that provider. It is also possible to configure the provider settings manually:dbms.security.oidc.mysso.auth_endpoint=https://my-idp.example.com/openid-connect/auth dbms.security.oidc.mysso.token_endpoint=https://my-idp.example.com/openid-connect/token dbms.security.oidc.mysso.jwks_uri=https://my-idp.example.com/openid-connect/certs dbms.security.oidc.mysso.user_info_uri=https://my-idp.example.com/openid-connect/userinfo dbms.security.oidc.mysso.issuer=abcd1234Manual settings always take priority over those retrieved from the discovery endpoint.
-
Configure audience.
Provide the expected value for the audience(
aud) claim:dbms.security.oidc.mysso.claims.audience=myaudience -
Configure claims.
Provide the name of the claims that map to the database username and roles.
usernameis expected to be a string claim, androlesis expected to be a list of strings representing a set of roles or a single string representing a single role:dbms.security.oidc.mysso.claims.username=sub dbms.security.oidc.mysso.claims.groups=roles -
Optionally, map the groups in the OIDC groups claim to the Neo4j built-in and custom roles.
OpenID Connect fetching claims from a provider
In this configuration, Neo4j receives a token from the identity provider and uses that token to call back to the identity provider using its UserInfo endpoint to retrieve claims for the database username and Neo4j roles.
-
Configure Neo4j for OpenID Connect Using JWT Claims.
-
Configure the claims to fetch from the UserInfo endpoint:
dbms.security.oidc.mysso.get_username_from_user_info=true dbms.security.oidc.mysso.get_groups_from_user_info=trueIt is possible to fetch just the username, just the groups, or both from the userinfo endpoint.
Configure SSO at the user level using auth providers
User auth providers can be used to determine which users can authenticate and authorize using the configured providers.
You must change the dbms.security.require_local_user configuration setting to true to use auth providers.
This means that a user with a matching auth provider must exist in order to be able to authenticate and authorize.
This applies to all providers.
Conversely, when dbms.security.require_local_user is set to false, users' auth providers have no bearing on the way that they are authenticated and authorized, instead authentication and authorization is controlled centrally (for all users) by the database configuration.
The following examples show how to configure users with auth provider using Cypher.
myssoCREATE USER jake
SET AUTH 'oidc-mysso' {SET ID 'jakesUniqueMySsoId'} // the id must match the claim that you configured via dbms.security.oidc.mysso.claims.usernameThe command creates the user jake who can authenticate and authorize using mysso provided they present a valid token with a sub claim of jakesUniqueMySsoId.
The claim used for authentication is determined by the dbms.security.oidc.mysso.claims.username config setting (the default is the sub claim).
CREATE USER jake
SET HOME DATABASE anotherDb
SET AUTH 'oidc-mysso1' {SET ID 'jakesUniqueMySso1Id'} // `jakesUniqueMySso1Id` must match the value of the claim that you configured via dbms.security.oidc.mysso1.claims.username
SET AUTH 'oidc-mysso2' {SET ID 'jakesUniqueMySso2Id'} // `jakesUniqueMySso2Id` must match the value of the claim that you configured via dbms.security.oidc.mysso2.claims.usernameThe command creates the user jake who can authenticate and authorize using mysso1 or mysso2.
The example also illustrates that the user can have their home database set even when using only external auth providers.
ALTER USER jake
REMOVE AUTH 'oidc-mysso2'The command prevents the user jake from being able to authenticate and authorize with the mysso2 provider.
ALTER USER jake
SET AUTH 'native' {SET PASSWORD 'changeme' SET PASSWORD CHANGE REQUIRED}The command allows the user jake to authenticate and authorize using the specified username and password (in addition to what they are already configured to use).
mysso and authorization via the native provider-
Set the following database config:
dbms.security.authentication_providers=oidc-mysso dbms.security.authorization_providers=native -
Create a user with a
myssoauth provider:CREATE USER jake SET AUTH 'oidc-mysso' {SET ID 'jakesUniqueMySsoId'} // `jakesUniqueMySsoId` must match the value of the claim that you configured via dbms.security.oidc.mysso.claims.username -
Natively grant the
READERrole to the user:GRANT ROLE READER TO jakeThe command allows the user
jaketo authenticate usingmyssoand receive theREADERrole from thenativeprovider. -
You can also give the user the union of roles from
myssoandnativeby settingmyssoas an authorization provider too:dbms.security.authentication_providers=oidc-mysso dbms.security.authorization_providers=native,oidc-mysso
ALTER USER jake
SET STATUS SUSPENDEDThe command completely prevents the user from being able to authenticate/authorize by any means.
Use a self-signed certificate (SSL) in a test environment
Production environments should always use an SSL certificate issued by a Certificate Authority for secure access to the identity provider. However, there are scenarios, for example in test environments, where you may want to use a self-signed SSL certificate on the identity provider server.
To configure a self-signed SSL certificate used on an identity provider server, enter the details of a Java keystore containing the relevant certificates using server.jvm.additional in neo4j.conf.
The path to the certificate file MyCert.jks is an absolute path to the Neo4j server.
server.jvm.additional=-Djavax.net.ssl.keyStore=/path/to/MyCert.jks
server.jvm.additional=-Djavax.net.ssl.keyStorePassword=mypasword
server.jvm.additional=-Djavax.net.ssl.trustStore=/path/to/MyCert.jks
server.jvm.additional=-Djavax.net.ssl.trustStorePassword=mypaswordDebug logging of JWT claims
While setting up an OIDC integration, it is sometimes necessary to perform troubleshooting.
In these cases, it can be useful to view the claims contained in the JWT supplied by the identity provider.
To enable the logging of these claims at DEBUG level in the security log, set dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled to be true and the security log level to DEBUG.
|
Make sure to set dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled back to |