The user you are logged in with is not linked to a Commercial Support agreement.

Articles in this section

How to configure Neo4j Single Sign-On (SSO) with Keycloak

Mounir Babari
  • Updated
Follow

This article helps you configure Single Sign-On (SSO) in Neo4j through Keycloak.

It includes instructions for configuring both Neo4j and Keycloak to make this integration possible.

Keycloak is an Open Source Identity and Access Management solution for Applications and Services. It enables managing different identity providers (Open ID, Saml v2.0 and Social) along with various user federation providers (Kerberos, LDAP, AD) all in a centralized console.

 

Keycloak-Identity-Providers.png

 

Running Keycloak

Docker Images for Keycloak are available on the Redhat quay.io repository.

In this Lab, you can start Keycloak using this docker run command:

 

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:19.0.2 start-dev

 

More information about running Keycloak in Docker can be found here:

http://www.mastertheboss.com/keycloak/keycloak-with-docker/

Now you can access the Keycloak admin console at http://localhost:8080/

Using the password passed to the Docker run command (admin/admin).

 

Configuring Keycloak

 

Let's create a realm. A realm manages a set of users, credentials, roles, and groups. A user belongs to, and logs into, a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.

 

Neo4j-key_loak-integration.png

 

Create a Realm called "myCorp":

 

crerate-realm-keycloak.png

 

Create a public OpenId Connect client named "neo4j-client" within the myCorp realm:

Screen1:

keycloak-create-neo4j-client.png

Screen2:

keycloak-create-neo4j-client-screen2.png

 

Add your Neo4j browser valid redirect url:

http://localhost:7414/browser/?idp_id=keycloak&auth_flow_step=redirect_uri

http://localhost:7424/browser/?idp_id=keycloak&auth_flow_step=redirect_uri

http://localhost:7434/browser/?idp_id=keycloak&auth_flow_step=redirect_uri

Add web origin *

 

add-valid-redirect-url-and-web-origin.png

 

Create 3 groups "admin", "reader" and "analyst":

 

create-groups-keycloak.png

 

Create three users called "admin", "reader" and "analyst" and add them to the created groups admin, reader and analyst respectively:

create-users-an-add-to-group.png

Set a password for your users under Users>Credentials:

set-password-for-user-keycloak.png

 

Create a client scope called "Groups" in Keycloak with the following setting:

create-group-client-scope.png

 

Add a Groups mappers to the Groups client scope so the groups will be added to the JWT access  token:

add-groups-token-mapper-to-client-scope.png

 

Finally, add the newly created client scope called Groups to your Neo4j client:

add-client-scope-to-neo4j-client.png

The final Realm configuration export is attached to this article. Download link.

 

Configuring Neo4j

 

SSO is supported in Neo4j Enterprise edition from version 4.4.

Configure  Neo4j to use Keycloak OIDC provider. In neo4j.conf add:

# Keycloak

dbms.security.authentication_providers=oidc-keycloak,native

dbms.security.authorization_providers=oidc-keycloak,native

dbms.security.oidc.keycloak.display_name=keycloak

dbms.security.oidc.keycloak.auth_flow =pkce

dbms.security.oidc.keycloak.well_known_discovery_uri=http://127.0.0.1:8080/realms/myCorp/.well-known/openid-configuration

dbms.security.oidc.keycloak.params=client_id=neo4j-client;response_type=code;scope=openid email roles

dbms.security.oidc.keycloak.audience=account

dbms.security.oidc.keycloak.issuer=http://127.0.0.1:8080/realms/myCorp

dbms.security.oidc.keycloak.claims.username=preferred_username

# The claim to use for the database roles.

dbms.security.oidc.keycloak.claims.groups=groups

dbms.security.oidc.keycloak.authorization.group_to_role_mapping="/admin"=admin; "/analyst"=analyst;"/reader"=reader

dbms.security.oidc.keycloak.config=principal=preferred_username;token_type_principal=access_token;token_type_authentication=access_token

dbms.security.oidc.keycloak.auth_endpoint=http://127.0.0.1:8080/realms/myCorp/protocol/openid-connect/auth

dbms.security.oidc.keycloak.token_endpoint=http://127.0.0.1:8080/realms/myCorp/protocol/openid-connect/token

 

After restarting Neo4j, The browser will have Keycloak SSO added to the authentication methods.

Once SSO is chosen, the user will be redirected  to the Keycloak authentication page:

 

Neo4jBrowser_authentication.png

 

After providing your previously created Keycloak username and password, you will be redirected to the Neo4j browser again.

 

keycloak-login-page.png

Connected-as-Neo4j-admin.png
In Neo4j security.log check that the user is successfully connected and the roles are correctly mapped:

2023-01-0313:53:21.208+0000DEBUG {OidcRealm: oidc-keycloak}: Successfully authenticated user 'analyst' roles '[analyst]'
2023-01-0313:53:21.209+0000INFO [analyst]: logged in

2023-01-0315:58:30.083+0000DEBUG {OidcRealm: oidc-keycloak}: Successfully authenticated user 'admin' roles '[admin]'
2023-01-0315:58:30.083+0000INFO [admin]: logged in

Tags: SecurityTags: Neo4j BrowserTags: SSO

Related articles

Comments

0 comments

Please sign in to leave a comment.