neo4j · fiquick · Feb 11, 2025 · Jan 17, 2025 · Jan 21, 2025 · Feb 6, 2025
diff --git a/modules/ROOT/content-nav.adoc b/modules/ROOT/content-nav.adoc
@@ -81,6 +81,9 @@ Generic Start
 ** xref:logging/security-log-analyzer.adoc[Security log analyzer]
 ** xref:logging/log-downloads.adoc[Download logs]
 
+* **Security**
+** xref:security/single-sign-on.adoc[Single sign-on]
+
 * **Manage users**
 ** xref:user-management.adoc[]
 

diff --git a/modules/ROOT/images/organizationsettings.png b/modules/ROOT/images/organizationsettings.png
diff --git a/modules/ROOT/images/sso.png b/modules/ROOT/images/sso.png
diff --git a/modules/ROOT/pages/platform/security/single-sign-on.adoc b/modules/ROOT/pages/platform/security/single-sign-on.adoc
diff --git a/...T/pages/platform/security/encryption.adoc → modules/ROOT/pages/security/encryption.adoc b/...T/pages/platform/security/encryption.adoc → modules/ROOT/pages/security/encryption.adoc
diff --git a/...platform/security/secure-connections.adoc → ...OT/pages/security/secure-connections.adoc b/...platform/security/secure-connections.adoc → ...OT/pages/security/secure-connections.adoc
diff --git a/modules/ROOT/pages/security/single-sign-on.adoc b/modules/ROOT/pages/security/single-sign-on.adoc
@@ -0,0 +1,84 @@
+[[aura-reference-security]]
+= Single Sign-On (SSO)
+:description: SSO allows you to log in to the Aura Console using their company IdP credentials.
+
+label:AuraDB-Virtual-Dedicated-Cloud[]
+label:AuraDB-Business-Critical[]
+label:AuraDS-Enterprise[]
+
+== SSO levels
+
+Organization admins can configure SSO at the organization-level and project-level.
+SSO is a log-in method. 
+Access, roles, and permissions are dictated by role-based access control (RBAC).
+
+* *Organization-level:* Allows org admins to control how users log in when they are trying to access the organization. It is a log-in method for the Aura console.
+
+* *Project-level:*  Impacts new database instances created within that project.
+It ensures users logging in with SSO have access to the database instances within the project.
+It depends on RBAC if the user can access and view or modify data within the instances themselves.
+For this level, the role mapping may be used to grant users different levels of access based on a role in their identity provider (IdP).
+It *does not* give access to edit the project settings, for example to edit the project name, network access, or to edit the instance settings such as to rename an instance, or pause and resume.
+
+== Log-in methods
+
+Log-in methods are different for each SSO level.
+Administrators can configure a combination of one or more of the log-in methods.
+
+*Organization-level supports:*
+
+* Email/password
+* Okta
+* Microsoft Entra ID
+* Google SSO (not Google Workspace SSO)
+
+*Project-level supports:*
+
+* User/password
+* Okta
+* Microsoft Entra ID
+
+At the project-level admins cannot disable user/password, but at the organization-level admins can disable email/password and Google SSO as long as there is at least one other custom SSO provider configured.
+
+== Setup requirements
+
+Accessing Aura with SSO requires:
+
+* Authorization Code Flow
+* A publicly accessible IdP server
+
+To create an SSO Configuration, either a Discovery URI or a combination of Issuer, Authorization Endpoint, Token Endpoint, and JWKS URI is required.
+
+== Create a new SSO configuration
+
+From the *Organization settings*, go to *Single Sign-On* to set up a new SSO configuration.
+
+The checkboxes *Use as a log in for the Organization* and *Use as login method for instances with projects in this Org* define whether SSO should be only on Organization level, only on Project level, or both.
+
+The required basic SSO configuration information can be retrieved from the IdP.
+Entering the Discovery URI pre-fills the fields below.
+If this is not known these fields can be completed manually.
+
+.SSO configuration
+[.shadow]
+image::sso.png[A screenshot of the SSO configuration,640,480]
+
+== Role mapping
+
+Role mapping applies to all new instances in the selected project.
+To configure role mapping for an individual instance, contact support.
+
+== Individual instance-level
+
+Support can assist with SSO configurations at instance-level including:
+
+* Role mapping specific to a database instance
+* Custom groups claim besides `groups`
+* Updating SSO on already running instances
+
+If you require support assistance, visit link:https://support.neo4j.com/[Customer Support] and raise a support ticket including the following information:
+
+
+. The _Project ID_ of the projects you want to use SSO for. Click on the project settings to copy the ID.
+
+. The name of your IdP
diff --git a/modules/ROOT/pages/user-management.adoc b/modules/ROOT/pages/user-management.adoc
@@ -2,13 +2,137 @@
 = User management
 :description: This page describes how to manage users in Neo4j Aura.
 
-User management is a feature within Aura that allows you to invite users and set their roles within an isolated environment.
+User management is a feature within Aura that allows admins to invite users and set their roles within an isolated environment.
 
-image::inviteusers.png[]
+== Organization-level roles
+
+The following roles are available at the org level and these are assigned via invitation:
 
-== Projects
+* Owner
+* Admin
+* Member
 
-Grant users access to a project.
+:check-mark: icon:check[]
+.Roles
+[opts="header",cols="3,1,1,1"]
+|===
+| Capability
+| Owner
+| Admin
+| Member
+
+| List org
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| List org projects
+| {check-mark}
+| {check-mark}
+| {check-mark}
+
+| Update org
+| {check-mark}
+| {check-mark}
+|
+
+| Add projects
+| {check-mark}
+| {check-mark}
+|
+
+| List existing SSO configs
+| {check-mark}
+| {check-mark}
+|
+
+| Add SSO configs
+| {check-mark}
+| {check-mark}
+|
+
+| List SSO configs on project-level
+| {check-mark}
+| {check-mark}
+|
+
+| Update SSO configs on project-level
+| {check-mark}
+| {check-mark}
+|
+
+| Delete SSO configs on project-level
+| {check-mark}
+| {check-mark}
+|
+
+| Invite non-owner users to org
+| {check-mark}
+| {check-mark}
+|
+
+| List users
+| {check-mark}
+| {check-mark}
+|
+
+| List roles
+| {check-mark}
+| {check-mark}
+|
+
+| List members of a project
+| {check-mark}
+| {check-mark} footnote:[An admin can only list members of projects the admin is also a member of.]
+|
+
+// | Add customer information for a trial within org
+// | {check-mark}
+// | {check-mark}
+// |
+
+// | List customer information for a trial within org
+// | {check-mark}
+// | {check-mark}
+// |
+
+// | List seamless login for org
+// | {check-mark}
+// | {check-mark}
+// |
+
+// | Update seamless login for org
+// | {check-mark}
+// | {check-mark}
+// |
+
+| Invite owners to org
+| {check-mark}
+|
+|
+
+| Add owner
+| {check-mark}
+|
+|
+
+| Delete owners
+| {check-mark}
+|
+|
+
+| Transfer projects to and from the org
+| {check-mark} footnote:[An owner needs to permission for both the source and destination orgs.]
+|
+|
+|===
+
+== Project-level roles
+
+Each project can have multiple users with individual accounts allowing access to the same environment.
+
+The users with access to a project can be viewed and managed from the *Users* page. 
+Access the Users page by selecting Users from the sidebar menu of the console.
 
 The project you're currently viewing is displayed in the header of the console. 
 You can select the project name to open the project dropdown menu, allowing you to view all the projects that you have access to and switch between them.
@@ -74,6 +198,9 @@ The new user will appear within the list of users on the **User** page with the
 
 An email will be sent to the user with a link to accept the invite.
 
+.Grant users access to a project
+image::inviteusers.png[]
+
 === Editing users
 
 As an _Admin_, to edit an existing user's role: