# SSO for Neo4j

GraphAware Hume provides a Neo4j Security plugin that integrates Neo4j with Keycloak for Single Sign-On. In such a setup, users visualising data in Hume query Neo4j with their own SSO identity rather than with a shared service account, so Neo4j authorization and query logging apply per user.

# Installation

The installation has 3 required steps:

  1. Create a specific client in Keycloak
  2. Download, install and configure the Neo4j Security plugin
  3. Configure the Neo4j SSO Resource in Hume

# Create a Neo4j client in Keycloak

Log in to Keycloak as an administrator and select the realm for Hume.

Create a new client with the `openid-connect` protocol and the `confidential` access type. Turn "Standard Flow Enabled" off and "Authorization Enabled" on. The settings should look like this:

[Screenshot: Keycloak client settings]

Then click Save.

On the same page, on the right side of the top menu, click Installation. This opens a page where you choose the format of the installation configuration for this client: select Keycloak OIDC JSON and download the file to your server (you will later copy it into the `${NEO4J_HOME}/conf` directory).

The JSON file should have this format:

```json
{
  "realm": "hume",
  "auth-server-url": "https://my-keycloak-server.com/auth/",
  "ssl-required": "external",
  "resource": "neo4j-demo-sso",
  "verify-token-audience": true,
  "credentials": {
    "secret": "987721ce-a6d3-de7acb970a2c"
  },
  "use-resource-role-mappings": true,
  "confidential-port": 0,
  "policy-enforcer": {}
}
```

The `credentials.secret` value is the client secret of this confidential client: treat the file as sensitive (restrict it to the user running Neo4j) and regenerate the secret in Keycloak if it is ever exposed. `verify-token-audience: true` makes the plugin reject tokens that were not issued for this client, and `use-resource-role-mappings: true` means roles are taken from the client roles of this client rather than from realm roles.

On the same page, click the Roles tab in the menu. This is where you configure the roles users can have for this particular client.

The convention is that the role name must start with the prefix `NEO4J_`; the plugin removes that prefix when the user connects to the Neo4j server and lowercases the remaining part. This means that a user or group mapped to the role `NEO4J_editor`, `NEO4J_Editor` or `NEO4J_EDITOR` will have the `editor` role when connecting to Neo4j. Client roles that do not carry the prefix are not Neo4j roles.
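To make the convention concrete, here is an added example (not the plugin's own code, which the page does not show) that applies the `NEO4J_` rule to the client roles of a decoded Keycloak access token and mirrors the two client settings from the JSON above: with `use-resource-role-mappings` the roles come from `resource_access.<client-id>.roles` and realm roles are ignored, and with `verify-token-audience` a token whose `aud` does not contain the client is refused. The token payload, the client id `neo4j-demo-sso` and the role names are constructed for the example.

```python
"""Added example: Neo4j role derivation from a Keycloak token, following the
page's NEO4J_ prefix convention. This is illustrative code, not the plugin.
The token payload below is constructed (already decoded, signature assumed
verified by the caller)."""

ROLE_PREFIX = "NEO4J_"


def neo4j_roles_from_client_roles(client_roles):
    """Apply the convention: strip NEO4J_, lowercase the rest, drop everything
    else. NEO4J_Editor, NEO4J_editor and NEO4J_EDITOR all collapse to 'editor'."""
    roles = set()
    for role in client_roles:
        if role.startswith(ROLE_PREFIX) and len(role) > len(ROLE_PREFIX):
            roles.add(role[len(ROLE_PREFIX):].lower())
    return sorted(roles)


def neo4j_roles_from_token(payload, client_id):
    """With "use-resource-role-mappings": true, only the client roles of
    client_id count (resource_access.<client_id>.roles); realm_access is ignored."""
    client_roles = (
        payload.get("resource_access", {}).get(client_id, {}).get("roles", [])
    )
    return neo4j_roles_from_client_roles(client_roles)


def token_accepted(payload, client_id, verify_audience=True):
    """Mirror of "verify-token-audience": true. Keycloak emits 'aud' either as a
    string or as a list; the token must name this client as an audience."""
    if not verify_audience:
        return True
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return client_id in aud


def resolve_neo4j_roles(payload, client_id):
    """Full decision: None when the token is not for this client, else the
    list of Neo4j roles the user gets."""
    if not token_accepted(payload, client_id):
        return None
    return neo4j_roles_from_token(payload, client_id)


# Constructed sample payload (not a real token). Note the realm role
# NEO4J_ADMIN, which must NOT become a Neo4j role under client role mappings,
# and the duplicate spellings of the editor role.
SAMPLE_PAYLOAD = {
    "iss": "https://my-keycloak-server.com/auth/realms/hume",
    "aud": ["neo4j-demo-sso", "account"],
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access", "NEO4J_ADMIN"]},
    "resource_access": {
        "neo4j-demo-sso": {
            "roles": ["NEO4J_Editor", "NEO4J_editor", "NEO4J_reader", "uma_protection"]
        },
        "account": {"roles": ["manage-account"]},
    },
}

if __name__ == "__main__":
    print(resolve_neo4j_roles(SAMPLE_PAYLOAD, "neo4j-demo-sso"))  # ['editor', 'reader']
    print(resolve_neo4j_roles(SAMPLE_PAYLOAD, "other-client"))    # None
```

The point to check in your own realm is the last line of the sample: a role granted at realm level, or on a different client, does not reach Neo4j, so all Neo4j roles must be defined on the Neo4j client itself.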

# Download, install and configure the plugin in Neo4j

Download the plugin (ask your GraphAware point of contact for the download link) and copy the jar into the `${NEO4J_HOME}/plugins` directory.

Copy the JSON file downloaded above into the `conf` directory of your Neo4j server.

Configure Neo4j (edit `conf/neo4j.conf`) with the following:

```properties
dbms.security.authentication_providers=plugin-keycloak-sso
dbms.security.authorization_providers=plugin-keycloak-sso
```

With only the plugin listed, Neo4j's built-in users (including the `neo4j` administrator account) can no longer log in. If you wish to keep the Neo4j native security alongside SSO, use the following instead:

```properties
dbms.security.authentication_providers=plugin-keycloak-sso,native
dbms.security.authorization_providers=plugin-keycloak-sso,native
```

Restart your Neo4j server.

::: note
If you use a Neo4j cluster, the procedure above must be done on every member of the cluster.
:::
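The Neo4j side of the procedure (jar into `plugins`, JSON into `conf`, the two provider settings, restart) is easy to get subtly wrong, for example by leaving a second, commented-out `dbms.security.*_providers` line that a later edit uncomments, or by leaving the client secret world-readable. The following added shell script (not a GraphAware installer) applies those steps to a Neo4j home directory. It assumes the JSON keeps Keycloak's default download name `keycloak.json` and takes the jar path as an argument; the `keep_native` switch picks between the two configurations shown above. The demo at the bottom runs against a throwaway directory with a constructed `neo4j.conf`.

```bash
#!/bin/sh
# Added example: apply the Neo4j side of the Hume Keycloak SSO setup.
# Not part of the GraphAware plugin. Run on every cluster member.

# set_property FILE KEY VALUE
# Replace an existing KEY= line (commented out or not) in place, otherwise
# append it, so the file never ends up with two definitions of the same key.
set_property() {
  file="$1"; key="$2"; value="$3"
  if grep -q "^#\{0,1\}${key}=" "$file"; then
    sed -i.bak "s|^#\{0,1\}${key}=.*|${key}=${value}|" "$file" && rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_property FILE KEY: print the effective (last, uncommented) value.
get_property() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# configure_neo4j_sso NEO4J_HOME KEYCLOAK_JSON PLUGIN_JAR keep_native(yes|no)
configure_neo4j_sso() {
  home="$1"; json="$2"; jar="$3"; keep_native="$4"
  conf="$home/conf/neo4j.conf"
  [ -f "$conf" ] || { echo "no neo4j.conf at $conf" >&2; return 1; }

  mkdir -p "$home/plugins"
  cp "$jar" "$home/plugins/"

  # The JSON carries the confidential client secret: only the Neo4j service
  # user should be able to read it. (Assumed file name: keycloak.json.)
  cp "$json" "$home/conf/keycloak.json"
  chmod 600 "$home/conf/keycloak.json"

  providers="plugin-keycloak-sso"
  if [ "$keep_native" = "yes" ]; then
    providers="plugin-keycloak-sso,native"
  fi
  set_property "$conf" dbms.security.authentication_providers "$providers"
  set_property "$conf" dbms.security.authorization_providers "$providers"
}

# Demo on a temporary directory with a constructed neo4j.conf (not a real
# installation). In production, follow this with a restart of the server.
demo=$(mktemp -d)
mkdir -p "$demo/home/conf"
printf '#dbms.security.authentication_providers=native\n' > "$demo/home/conf/neo4j.conf"
printf '{"realm":"hume"}\n' > "$demo/keycloak.json"
: > "$demo/plugin.jar"
configure_neo4j_sso "$demo/home" "$demo/keycloak.json" "$demo/plugin.jar" no
echo "--- resulting neo4j.conf ---"
cat "$demo/home/conf/neo4j.conf"
rm -rf "$demo"
```

After running it for real, restart Neo4j and confirm with a native login attempt that the behaviour matches the `keep_native` choice you made: with `no`, a native account must be refused.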

# Create a Neo4j SSO Resource in Hume

In Hume's Ecosystem, create a Resource of the Neo4j SSO type, give it a name and specify the Neo4j server location:

[Screenshot: Neo4j SSO Resource]

You can now use the Neo4j SSO Resource in any perspective and visualisation.

WARNING

Do not use the SSO Resource with Orchestra. SSO authenticates an interactive user; Orchestra workflows are machine processes with no user session behind them, so they need a resource backed by a dedicated service account instead.