Single sign-on integration

Neo4j supports OpenID Connect (OIDC), which allows for integration with many identity providers including Okta, Microsoft Entra ID, and Google. This integration permits federated users, managed by the identity provider, to access Neo4j instead of, or in addition to the native users and roles. For examples with different providers and troubleshooting, see the SSO configuration tutorial.

OIDC configuration settings

Neo4j supports multiple OIDC identity providers at the same time, as such each provider configuration must be assigned a prefix to differentiate it from others. In the configuration examples below the provider-specific prefix is represented by <provider>, which should be replaced with a name representing your provider. For example, if you are using Okta as your identity provider you might use okta in the place of <provider> below.

The following configuration settings are important to consider when configuring single sign-on. For a more detailed overview of the single sign-on configuration options, see Configuration settings. Some of these settings can also be updated while the database is running, see Dynamic settings for more information on how to do this. Altering any of these settings causes users to re-authenticate as their permissions may have changed as a result.

Parameter name Default value Dynamic Description

dbms.security.oidc.<provider>.display_name

false

The display name for the provider. This is displayed in clients such as Neo4j Browser and Bloom.

dbms.security.oidc.<provider>.auth_flow

pkce

true

The OIDC auth_flow for clients such as Neo4j Browser and Bloom to use. Supported values are pkce and implicit.

dbms.security.oidc.<provider>.well_known_discovery_uri

true

The OpenID Connect Discovery URL for the provider.

dbms.security.oidc.<provider>.auth_endpoint

true

URL of the provider’s Authorization Endpoint.

dbms.security.oidc.<provider>.auth_params

true

Optional parameters that clients may require with the Authorization Endpoint. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2.

dbms.security.oidc.<provider>.token_endpoint

true

URL of the provider’s OAuth 2.0 Token Endpoint.

dbms.security.oidc.<provider>.token_params

true

Option parameters that clients may require with the Token Endpoint. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2.

dbms.security.oidc.<provider>.jwks_uri

true

URL of the provider’s JSON Web Key Set.

dbms.security.oidc.<provider>.user_info_uri

true

URL of the provider’s UserInfo Endpoint.

dbms.security.oidc.<provider>.issuer

true

URL that the provider asserts as its issuer identifier. This will be checked against the iss claim in the token.

dbms.security.oidc.<provider>.audience

true

The expected value for the aud claim.

dbms.security.oidc.<provider>.params

true

Option parameters that clients may require. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2.

dbms.security.oidc.<provider>.config

true

Option additional configuration that clients may require. The map is a semicolon-separated list of key-value pairs. For example: k1=v1;k2=v2.

dbms.security.oidc.<provider>.get_groups_from_user_info

false

true

Whether to fetch the groups claim from the user info endpoint on the identity provider. The default is false, to read the claim from the token.

dbms.security.oidc.<provider>.get_username_from_user_info

false

true

Whether to fetch the username claim from the user info endpoint on the identity provider. The default is false, to read the claim from the token.

dbms.security.oidc.<provider>.claims.username

sub

true

The claim to use for the database username. Neo4j expects to find a string claim in the JWT or user_info response with this name.

dbms.security.oidc.<provider>.claims.groups

true

The claim to use for the database roles. Neo4j expects to find a claim in the JWT or user_info response with this name. The claim may be a string claim representing a single role or a string array claim representing multiple roles. From Neo4j 5.4, the JWT claim may also contain a single group returned as a string as well as a list of groups as was previously required.

dbms.security.oidc.<provider>.authorization.group_to_role_mapping

true

List an authorization mapping from groups to the pre-defined built-in roles admin, architect, publisher, editor, and reader, or to any custom-defined roles.

dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled

false

false

When set to true, it logs the claims from the JWT into the security log (provided the security log level is also set to DEBUG).

Configure Neo4j to use OpenID Connect

First, you configure Neo4j to use OpenID Connect as an authentication and authorization provider in the neo4j.conf file.

  1. Make sure security is turned on. The default value for dbms.security.auth_enabled is true.

  2. Uncomment the settings dbms.security.authentication_providers and dbms.security.authorization_providers and change their value to oidc-<provider>, where <provider> maps to the provider name used in the configuration settings. This way, the OIDC connector is used as a security provider for both authentication and authorization. If you want, you can still use the native provider for mixed-mode authentication and authorization. The values are comma-separated and queried in the declared order.

    Example 1. Configure Neo4j to use two OpenID Connect and the native authentication and authorization providers.
    dbms.security.authentication_providers=oidc-newsso,oidc-oldsso,native
    dbms.security.authorization_providers=oidc-newsso,oidc-oldsso,native
  3. Check connectivity. Neo4j needs to connect to the identity provider to discover settings and fetch public keys to verify tokens. Check firewall settings and security controls, and, if necessary, logs to ensure that the Neo4j server is able to connect to the identity provider using HTTPS. If a proxy is required, this can be configured in the Java virtual machine using the configuration setting server.jvm.additional. Proxies that require credentials are not supported.

Map the identity provider groups to the Neo4j roles

Before identity provider managed groups can be used with Neo4j, you have to decide on an approach for mapping identity provider groups to Neo4j roles. The simplest approach is to create identity provider groups with the same names as Neo4j roles. If you decide to go this way, no mapping configuration is necessary. Assuming, however, that identity provider groups do not directly map 1:1 to the desired Neo4j roles, it is necessary to map the identity provider groups to the Neo4j built-in and custom-defined roles. To do that, you need to know what privileges the Neo4j roles have, and based on these privileges, create the mapping to the groups defined in the identity provider. The map must be formatted as a semicolon-separated list of key-value pairs, where the key is the identity provider group name and the value is a comma-separated list of the corresponding role names. For example, group1=role1;group2=role2;group3=role3,role4,role5;group4=role6;group5=role6.

Example 2. Example of identity provider groups to Neo4j roles mapping
dbms.security.oidc.mysso.authorization.group_to_role_mapping=\
    neo4j_readonly  = reader;    \ (1)
    neo4j_rw        = editor,publisher; \ (2)
    neo4j_rw        = publisher; \ (3)
    neo4j_create    = publisher; \
    neo4j_dba       = admin; \
    neo4j_exec      = rolename (4)
1 Mapping of an identity provider group to a Neo4j built-in role.
2 Mapping of an identity provider group to two Neo4j built-in roles.
3 Mapping of two identity provider groups to a Neo4j built-in role.
4 Mapping of an identity provider group to a custom-defined role. Custom-defined roles, such as rolename, must be explicitly created using the CREATE ROLE rolename command before they can be used to grant privileges. See Manage roles.

Configure Neo4j to use an OpenID Connect identity provider

This option allows users to log in through an OIDC compliant identity provider by offering a token from the provider instead of a username and password. Typically, these tokens take the form of a signed JSON Web Token (JWT). The following configuration examples use mysso as the provider’s name. It is recommended to use a name describing the provider that is being integrated.

OpenID Connect using JWT claims

In this configuration, Neo4j receives a JWT from the identity provider containing claims representing the database username (e.g. email), and the Neo4j roles.

  1. Set a display name.

    In the neo4j.conf file, uncomment and configure the following settings:

    dbms.security.oidc.mysso.display_name=SSO Provider

    This is displayed on a button on the login page of clients, such as Neo4j Browser and Bloom so that you can identify the provider you are using to login.

  2. Configure discovery.

    Uncomment and configure the following settings:

    dbms.security.oidc.mysso.well_known_discovery_uri=https://my-idp.example.com/.well-known/openid-configuration

    The well_known_discovery endpoint of the identity provider supplies the OpenID provider metadata to allow Neo4j to interact with that provider. It is also possible to configure the provider settings manually:

    dbms.security.oidc.mysso.auth_endpoint=https://my-idp.example.com/openid-connect/auth
    dbms.security.oidc.mysso.token_endpoint=https://my-idp.example.com/openid-connect/token
    dbms.security.oidc.mysso.jwks_uri=https://my-idp.example.com/openid-connect/certs
    dbms.security.oidc.mysso.user_info_uri=https://my-idp.example.com/openid-connect/userinfo
    dbms.security.oidc.mysso.issuer=abcd1234

    Manual settings always take priority over those retrieved from the discovery endpoint.

  3. Configure audience.

    Provide the expected value for the audience(aud) claim:

    dbms.security.oidc.mysso.claims.audience=myaudience
  4. Configure claims.

    Provide the name of the claims that map to the database username and roles. username is expected to be a string claim, and roles is expected to be a list of strings representing a set of roles or a single string representing a single role:

    dbms.security.oidc.mysso.claims.username=sub
    dbms.security.oidc.mysso.claims.groups=roles
  5. Optionally, map the groups in the OIDC groups claim to the Neo4j built-in and custom roles.

OpenID Connect fetching claims from a provider

In this configuration, Neo4j receives a token from the identity provider and uses that token to call back to the identity provider using its UserInfo endpoint to retrieve claims for the database username and Neo4j roles.

  1. Configure Neo4j for OpenID Connect Using JWT Claims.

  2. Configure the claims to fetch from the UserInfo endpoint:

    dbms.security.oidc.mysso.get_username_from_user_info=true
    dbms.security.oidc.mysso.get_groups_from_user_info=true

    It is possible to fetch just the username, just the groups, or both from the userinfo endpoint.

Configure SSO at the user level using auth providers

User auth providers can be used to determine which users can authenticate and authorize using the configured providers.

You must change the dbms.security.require_local_user configuration setting to true to use auth providers. This means that a user with a matching auth provider must exist in order to be able to authenticate and authorize. This applies to all providers.

Conversely, when dbms.security.require_local_user is set to false, users' auth providers have no bearing on the way that they are authenticated and authorized, instead authentication and authorization is controlled centrally (for all users) by the database configuration.

The following examples show how to configure users with auth provider using Cypher.

Example 3. Create a user with an auth provider who can authenticate and authorize using mysso
CREATE USER jake
SET AUTH 'oidc-mysso' {SET ID 'jakesUniqueMySsoId'} // the id must match the claim that you configured via dbms.security.oidc.mysso.claims.username

The command creates the user jake who can authenticate and authorize using mysso provided they present a valid token with a sub claim of jakesUniqueMySsoId. The claim used for authentication is determined by the dbms.security.oidc.mysso.claims.username config setting (the default is the sub claim).

Example 4. Create a user with two auth providers allowing the user to authenticate and authorize with one of them
CREATE USER jake
SET HOME DATABASE anotherDb
SET AUTH 'oidc-mysso1' {SET ID 'jakesUniqueMySso1Id'} // `jakesUniqueMySso1Id` must match the value of the claim that you configured via dbms.security.oidc.mysso1.claims.username
SET AUTH 'oidc-mysso2' {SET ID 'jakesUniqueMySso2Id'} // `jakesUniqueMySso2Id` must match the value of the claim that you configured via dbms.security.oidc.mysso2.claims.username

The command creates the user jake who can authenticate and authorize using mysso1 or mysso2. The example also illustrates that the user can have their home database set even when using only external auth providers.

Example 5. Alter a user to remove one of their auth providers
ALTER USER jake
REMOVE AUTH 'oidc-mysso2'

The command prevents the user jake from being able to authenticate and authorize with the mysso2 provider.

Example 6. Alter a user to allow them to authenticate and authorize using username and password
ALTER USER jake
SET AUTH 'native' {SET PASSWORD 'changeme' SET PASSWORD CHANGE REQUIRED}

The command allows the user jake to authenticate and authorize using the specified username and password (in addition to what they are already configured to use).

Example 7. Configure the database to allow authentication via mysso and authorization via the native provider
  1. Set the following database config:

    dbms.security.authentication_providers=oidc-mysso
    dbms.security.authorization_providers=native
  2. Create a user with a mysso auth provider:

    CREATE USER jake
    SET AUTH 'oidc-mysso' {SET ID 'jakesUniqueMySsoId'} // `jakesUniqueMySsoId` must match the value of the claim that you configured via dbms.security.oidc.mysso.claims.username
  3. Natively grant the READER role to the user:

    GRANT ROLE READER TO jake

    The command allows the user jake to authenticate using mysso and receive the READER role from the native provider.

  4. You can also give the user the union of roles from mysso and native by setting mysso as an authorization provider too:

    dbms.security.authentication_providers=oidc-mysso
    dbms.security.authorization_providers=native,oidc-mysso
Example 8. Suspend a user
ALTER USER jake
SET STATUS SUSPENDED

The command completely prevents the user from being able to authenticate/authorize by any means.

Use a self-signed certificate (SSL) in a test environment

Production environments should always use an SSL certificate issued by a Certificate Authority for secure access to the identity provider. However, there are scenarios, for example in test environments, where you may want to use a self-signed SSL certificate on the identity provider server.

To configure a self-signed SSL certificate used on an identity provider server, enter the details of a Java keystore containing the relevant certificates using server.jvm.additional in neo4j.conf. The path to the certificate file MyCert.jks is an absolute path to the Neo4j server.

server.jvm.additional=-Djavax.net.ssl.keyStore=/path/to/MyCert.jks
server.jvm.additional=-Djavax.net.ssl.keyStorePassword=mypasword
server.jvm.additional=-Djavax.net.ssl.trustStore=/path/to/MyCert.jks
server.jvm.additional=-Djavax.net.ssl.trustStorePassword=mypasword

Debug logging of JWT claims

While setting up an OIDC integration, it is sometimes necessary to perform troubleshooting. In these cases, it can be useful to view the claims contained in the JWT supplied by the identity provider. To enable the logging of these claims at DEBUG level in the security log, set dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled to be true and the security log level to DEBUG.

Make sure to set dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled back to false for production environments to avoid unwanted logging of potentially sensitive information. Also, bear in mind that the set of claims provided by an identity provider in the JWT can change over time.