SSO Azure requirements #615
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Comment on lines
+15
to
+17
| As the service provider, Neo4j Aura redirects authentication requests to the configured identity provider (IDP) using the OpenID Connect (OIDC) protocol. | ||
| When a user attempts to log in, Aura generates a redirect URL with authentication parameters and sends the user to the IDP for authentication. | ||
| Upon successful login, the IDP redirects the user back to Aura with a secure token, allowing Aura to establish an authenticated session. |
There was a problem hiding this comment.
Suggested change
| As the service provider, Neo4j Aura redirects authentication requests to the configured identity provider (IDP) using the OpenID Connect (OIDC) protocol. | |
| When a user attempts to log in, Aura generates a redirect URL with authentication parameters and sends the user to the IDP for authentication. | |
| Upon successful login, the IDP redirects the user back to Aura with a secure token, allowing Aura to establish an authenticated session. |
This is TMI.
Comment on lines
22
to
23
| SSO is a log-in method. | ||
| Access, roles, and permissions are dictated by role-based access control (RBAC). |
There was a problem hiding this comment.
This is a little out of place here. I'd move this to the introduction.
| * Updating SSO on already running instances | ||
|
|
||
| If you require support assistance, visit link:https://support.neo4j.com/[Customer Support] and raise a support ticket including the following information: | ||
| == Support |
There was a problem hiding this comment.
Suggested change
| == Support |
The previous section is already about Support.
Comment on lines
+159
to
+168
| == FAQ | ||
|
|
||
| *Can users get roles added to them in Aura console via SSO and a group to role mapping?* | ||
|
|
||
| No, users must be granted the role on the org via Aura console invites and access management like with any other organization. | ||
|
|
||
| *Why am I unable to connect to the instance after completing the SSO login, the connection is showing as unconnected?* | ||
|
|
||
| Ensure that the email field is provided on your user in Entra. If it already is, contact support for further assistance. | ||
|
|
There was a problem hiding this comment.
Rewrite, we try to avoid FAQs in the docs. You can use admonitions or just running text to say the same thing.
Co-authored-by: Jessica Wright <[email protected]>
Co-authored-by: Jessica Wright <[email protected]>
Co-authored-by: Jessica Wright <[email protected]>
Co-authored-by: Jessica Wright <[email protected]>
Co-authored-by: Jessica Wright <[email protected]>
Co-authored-by: Jessica Wright <[email protected]>
Co-authored-by: Jessica Wright <[email protected]>
|
Thanks for the documentation updates. The preview documentation has now been torn down - reopening this PR will republish it. |
|
closing - and absorbing into "Azure requirements" PR |
KingJohanna
suggested changes
Mar 3, 2025
|
|
||
| As the service provider, Neo4j Aura redirects authentication requests to the configured identity provider (IDP) using the OpenID Connect (OIDC) protocol. | ||
| When a user attempts to log in, Aura generates a redirect URL with authentication parameters and sends the user to the IDP for authentication. | ||
| Upon successful login, the IDP redirects the user back to Aura with a secure token, allowing Aura to establish an authenticated session. |
There was a problem hiding this comment.
Suggested change
| Upon successful login, the IDP redirects the user back to Aura with a secure token, allowing Aura to establish an authenticated session. | |
| Upon successful authentication, the IDP redirects the user back to Aura with a secure token, allowing Aura to establish an authenticated session. |
There was a problem hiding this comment.
Just to be a little more clear that we mean IDP login and not Aura login.
|
|
||
| Single Sign-On (SSO) enables you to use your organization’s identity provider (IDP) to authenticate users so they can access the Aura console and Aura instances. | ||
|
|
||
| Aura supports SSO authentication and authorization using https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc[Microsoft Entra] and link:https://developer.okta.com/docs/guides/oin-sso-overview/[Okta] as identity providers, implementing the OpenID Connect (OIDC) protocol. |
There was a problem hiding this comment.
Suggested change
| Aura supports SSO authentication and authorization using https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc[Microsoft Entra] and link:https://developer.okta.com/docs/guides/oin-sso-overview/[Okta] as identity providers, implementing the OpenID Connect (OIDC) protocol. | |
| Aura supports SSO authentication and authorization using https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc[Microsoft Entra] and link:https://developer.okta.com/docs/guides/oin-sso-overview/[Okta] as identity providers, implementing the OpenID Connect (OIDC) protocol. Aura also supports authenticating with Google as the identity provider. |
Just to be consistent.
|
|
||
| *Project level-testing* | ||
|
|
||
| Keep the User/password login enabled, so that if SSO fails, you can still access the Aura console and adjust the configuration. |
There was a problem hiding this comment.
If instance SSO fails, support has to intervene. Users cannot adjust the configuration themselves, even with an alternative login method.
Suggested change
| Keep the User/password login enabled, so that if SSO fails, you can still access the Aura console and adjust the configuration. | |
| Keep the User/password login enabled, so that if SSO fails, you can still access the database. |
| @@ -6,9 +6,19 @@ label:AuraDB-Virtual-Dedicated-Cloud[] | |||
| label:AuraDB-Business-Critical[] | |||
| label:AuraDS-Enterprise[] | |||
|
|
|||
| == Introduction to SSO | |||
|
|
|||
| Single Sign-On (SSO) enables you to use your organization’s identity provider (IDP) to authenticate users so they can access the Aura console and Aura instances. | |||
|
|
||
| *Organization-level testing* | ||
|
|
||
| Keep the Email/password log-in method enabled, so that if SSO fails, you can still access the Aura console and adjust the configuration. |
There was a problem hiding this comment.
Suggested change
| Keep the Email/password log-in method enabled, so that if SSO fails, you can still access the Aura console and adjust the configuration. | |
| Keep the Email/password or Google log-in method enabled, so that if SSO fails, you can still access the Aura console and adjust the configuration. |
|
|
||
| . Select if you want the SSO config to be applied to organization logins, to specific projects within the organization, or both | ||
|
|
||
| . For IdP Type select *Azure Active Directory* |
There was a problem hiding this comment.
Suggested change
| . For IdP Type select *Azure Active Directory* | |
| . For IdP Type select *Microsoft Entra ID* |
|
|
||
| . The _Project ID_ of the projects you want to use SSO for. Click on the project settings to copy the ID. | ||
|
|
||
| . The name of your IdP | ||
|
|
||
| == Azure config |
There was a problem hiding this comment.
Not sure if it should be referred to as Azure or Microsoft Entra ID in this section
|
|
||
| *Why am I unable to connect to the instance after completing the SSO login, the connection is showing as unconnected?* | ||
|
|
||
| Ensure that the email field is provided on your user in Entra. If it already is, contact support for further assistance. |
There was a problem hiding this comment.
Suggested change
| Ensure that the email field is provided on your user in Entra. If it already is, contact support for further assistance. | |
| Ensure that the email field is provided on your user in Microsoft Entra ID. If it already is, contact support for further assistance. |
|
|
||
| Login to the Aura console with SSO. | ||
|
|
||
| *Project level-testing* |
There was a problem hiding this comment.
Suggested change
| *Project level-testing* | |
| *Project-level testing* |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.