diff --git a/modules/ROOT/content-nav.adoc b/modules/ROOT/content-nav.adoc index d8b463941..a6d615b7c 100644 --- a/modules/ROOT/content-nav.adoc +++ b/modules/ROOT/content-nav.adoc @@ -81,6 +81,9 @@ Generic Start ** xref:logging/security-log-analyzer.adoc[Security log analyzer] ** xref:logging/log-downloads.adoc[Download logs] +* **Security** +** xref:security/single-sign-on.adoc[Single sign-on] + * **Manage users** ** xref:user-management.adoc[] diff --git a/modules/ROOT/images/organizationsettings.png b/modules/ROOT/images/organizationsettings.png new file mode 100644 index 000000000..5c0eaba7b Binary files /dev/null and b/modules/ROOT/images/organizationsettings.png differ diff --git a/modules/ROOT/images/sso.png b/modules/ROOT/images/sso.png new file mode 100644 index 000000000..95b1a3114 Binary files /dev/null and b/modules/ROOT/images/sso.png differ diff --git a/modules/ROOT/pages/platform/security/single-sign-on.adoc b/modules/ROOT/pages/platform/security/single-sign-on.adoc deleted file mode 100644 index 43f63dd6f..000000000 --- a/modules/ROOT/pages/platform/security/single-sign-on.adoc +++ /dev/null @@ -1,55 +0,0 @@ -[[aura-reference-security]] -= Single Sign-On (SSO) -:description: SSO allows you to log in to the Aura console using their company IdP credentials. - -label:AuraDB-Enterprise[] -label:AuraDS-Enterprise[] -label:AuraDB-Business-Critical[] - -Aura Enterprise and Aura Business Critical supports Single Sign-On (SSO) at both the console level and for accessing Workspace, Bloom and Browser clients directly at the instance level. - -[NOTE] -==== -Accessing Aura with SSO requires: - -* Authorization Code Flow with PKCE. -* A publicly accessible Identity Provider (IdP) server. -==== - -== Console SSO - -Console SSO allows you to log in to the Aura console using company IdP credentials and grants link:{neo4j-docs-base-uri}/cypher-manual/current/administration/access-control/built-in-roles#access-control-built-in-roles-public[Public Access privileges] to all instances in the project. - -The following OpenID connect (OIDC) certified Identity Providers (IdPs) are currently supported for console-level Authentication with Aura Enterprise and Aura Business Critical: - -* Microsoft Entra ID -* Okta - -To enable console SSO on your project(s), please link:https://support.neo4j.com/[raise a support ticket] including the following information: - -//. The _Tenant ID_ of the project(s) you want to use SSO. See xref:platform/user-management.adoc#_projects[Projects] for more information on how to find your __Tenant ID__. -//link not working -. The name of your IdP. - -== Instance SSO - -Instance SSO allows you to directly map groups of users (as defined in your IdP) to DBMS RBAC roles when launching Workspace, Bloom and Browser clients from an Aura instance. - -The following OIDC certified IdPs are currently supported for instance-level Authentication: - -* Microsoft Entra ID -* Okta -* Keycloak -* Google Authentication - -To add SSO for Workspace, Bloom, and Browser to your Aura Enterprise instances, please https://support.neo4j.com/[raise a support ticket] including the following information: - -. The *Connection URI* of the instance(s) you want to use SSO. -. Whether or not you want Workspace, Bloom, Browser, or a combination of them enabled. -. The name of your IdP. - -[NOTE] -==== -If you have to specify an application type when configuring your client, Neo4j is a Single-page application. -For more information on configuring your client, see link:{neo4j-docs-base-uri}/operations-manual/current/tutorial/tutorial-sso-configuration/[Neo4j Single Sign-On (SSO) Configuration]. -==== diff --git a/modules/ROOT/pages/platform/security/encryption.adoc b/modules/ROOT/pages/security/encryption.adoc similarity index 100% rename from modules/ROOT/pages/platform/security/encryption.adoc rename to modules/ROOT/pages/security/encryption.adoc diff --git a/modules/ROOT/pages/platform/security/secure-connections.adoc b/modules/ROOT/pages/security/secure-connections.adoc similarity index 100% rename from modules/ROOT/pages/platform/security/secure-connections.adoc rename to modules/ROOT/pages/security/secure-connections.adoc diff --git a/modules/ROOT/pages/security/single-sign-on.adoc b/modules/ROOT/pages/security/single-sign-on.adoc new file mode 100644 index 000000000..5189c66ee --- /dev/null +++ b/modules/ROOT/pages/security/single-sign-on.adoc @@ -0,0 +1,84 @@ +[[aura-reference-security]] += Single Sign-On (SSO) +:description: SSO allows you to log in to the Aura Console using their company IdP credentials. + +label:AuraDB-Virtual-Dedicated-Cloud[] +label:AuraDB-Business-Critical[] +label:AuraDS-Enterprise[] + +== SSO levels + +Organization admins can configure SSO at the organization-level and project-level. +SSO is a log-in method. +Access, roles, and permissions are dictated by role-based access control (RBAC). + +* *Organization-level:* Allows org admins to control how users log in when they are trying to access the organization. It is a log-in method for the Aura console. + +* *Project-level:* Impacts new database instances created within that project. +It ensures users logging in with SSO have access to the database instances within the project. +It depends on RBAC if the user can access and view or modify data within the instances themselves. +For this level, the role mapping may be used to grant users different levels of access based on a role in their identity provider (IdP). +It *does not* give access to edit the project settings, for example to edit the project name, network access, or to edit the instance settings such as to rename an instance, or pause and resume. + +== Log-in methods + +Log-in methods are different for each SSO level. +Administrators can configure a combination of one or more of the log-in methods. + +*Organization-level supports:* + +* Email/password +* Okta +* Microsoft Entra ID +* Google SSO (not Google Workspace SSO) + +*Project-level supports:* + +* User/password +* Okta +* Microsoft Entra ID + +At the project-level admins cannot disable user/password, but at the organization-level admins can disable email/password and Google SSO as long as there is at least one other custom SSO provider configured. + +== Setup requirements + +Accessing Aura with SSO requires: + +* Authorization Code Flow +* A publicly accessible IdP server + +To create an SSO Configuration, either a Discovery URI or a combination of Issuer, Authorization Endpoint, Token Endpoint, and JWKS URI is required. + +== Create a new SSO configuration + +From the *Organization settings*, go to *Single Sign-On* to set up a new SSO configuration. + +The checkboxes *Use as a log in for the Organization* and *Use as login method for instances with projects in this Org* define whether SSO should be only on Organization level, only on Project level, or both. + +The required basic SSO configuration information can be retrieved from the IdP. +Entering the Discovery URI pre-fills the fields below. +If this is not known these fields can be completed manually. + +.SSO configuration +[.shadow] +image::sso.png[A screenshot of the SSO configuration,640,480] + +== Role mapping + +Role mapping applies to all new instances in the selected project. +To configure role mapping for an individual instance, contact support. + +== Individual instance-level + +Support can assist with SSO configurations at instance-level including: + +* Role mapping specific to a database instance +* Custom groups claim besides `groups` +* Updating SSO on already running instances + +If you require support assistance, visit link:https://support.neo4j.com/[Customer Support] and raise a support ticket including the following information: + + +. The _Project ID_ of the projects you want to use SSO for. Click on the project settings to copy the ID. + +. The name of your IdP diff --git a/modules/ROOT/pages/user-management.adoc b/modules/ROOT/pages/user-management.adoc index c0232d69e..59a024afe 100644 --- a/modules/ROOT/pages/user-management.adoc +++ b/modules/ROOT/pages/user-management.adoc @@ -2,13 +2,137 @@ = User management :description: This page describes how to manage users in Neo4j Aura. -User management is a feature within Aura that allows you to invite users and set their roles within an isolated environment. +User management is a feature within Aura that allows admins to invite users and set their roles within an isolated environment. -image::inviteusers.png[] +== Organization-level roles + +The following roles are available at the org level and these are assigned via invitation: -== Projects +* Owner +* Admin +* Member -Grant users access to a project. +:check-mark: icon:check[] +.Roles +[opts="header",cols="3,1,1,1"] +|=== +| Capability +| Owner +| Admin +| Member + +| List org +| {check-mark} +| {check-mark} +| {check-mark} + +| List org projects +| {check-mark} +| {check-mark} +| {check-mark} + +| Update org +| {check-mark} +| {check-mark} +| + +| Add projects +| {check-mark} +| {check-mark} +| + +| List existing SSO configs +| {check-mark} +| {check-mark} +| + +| Add SSO configs +| {check-mark} +| {check-mark} +| + +| List SSO configs on project-level +| {check-mark} +| {check-mark} +| + +| Update SSO configs on project-level +| {check-mark} +| {check-mark} +| + +| Delete SSO configs on project-level +| {check-mark} +| {check-mark} +| + +| Invite non-owner users to org +| {check-mark} +| {check-mark} +| + +| List users +| {check-mark} +| {check-mark} +| + +| List roles +| {check-mark} +| {check-mark} +| + +| List members of a project +| {check-mark} +| {check-mark} footnote:[An admin can only list members of projects the admin is also a member of.] +| + +// | Add customer information for a trial within org +// | {check-mark} +// | {check-mark} +// | + +// | List customer information for a trial within org +// | {check-mark} +// | {check-mark} +// | + +// | List seamless login for org +// | {check-mark} +// | {check-mark} +// | + +// | Update seamless login for org +// | {check-mark} +// | {check-mark} +// | + +| Invite owners to org +| {check-mark} +| +| + +| Add owner +| {check-mark} +| +| + +| Delete owners +| {check-mark} +| +| + +| Transfer projects to and from the org +| {check-mark} footnote:[An owner needs to permission for both the source and destination orgs.] +| +| +|=== + +== Project-level roles + +Each project can have multiple users with individual accounts allowing access to the same environment. + +The users with access to a project can be viewed and managed from the *Users* page. +Access the Users page by selecting Users from the sidebar menu of the console. The project you're currently viewing is displayed in the header of the console. You can select the project name to open the project dropdown menu, allowing you to view all the projects that you have access to and switch between them. @@ -74,6 +198,9 @@ The new user will appear within the list of users on the **User** page with the An email will be sent to the user with a link to accept the invite. +.Grant users access to a project +image::inviteusers.png[] + === Editing users As an _Admin_, to edit an existing user's role: