neo4j / docs-operations

Neo4j Operations documentation

Does Neo4j support SSO integration with PingFederate Identity Provider #1191

Closed rohitgaikwad09 closed 11 months ago

rohitgaikwad09 commented 11 months ago

Hi Team,

We are working on Neo4j SSO integration with PingFederate 11.x. However, we're getting an exception and have some queries on this setup.

1) Does Neo4j support SSO authentication and authorization through PingFederate as an identity provider implementing the OpenID Connect (OIDC) standard?

As per this documentation, it mentions support for Okta, Azure, Google, etc.

2) Need to know whether Neo4j SSO authentication and authorization are designed to work only with Okta, Azure and Google, as based on this documentation the configuration is provider-specific, using a prefix represented by <provider>.

Based on this, the below OIDC configuration is created for PingFederate:

 dbms.security.authentication_providers=oidc-ping
 dbms.security.authorization_providers=oidc-ping
 dbms.security.oidc.ping.display_name=ping
 dbms.security.oidc.ping.audience=myAud
 dbms.security.oidc.ping.auth_flow=implicit
 dbms.security.oidc.ping.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token
 dbms.security.oidc.ping.token_endpoint=https://myhostname:9031/as/token.oauth2
 dbms.security.oidc.ping.auth_endpoint=https://myhostname:9031/as/authorization.oauth2
 dbms.security.oidc.ping.issuer=https://myhostname:9031
 dbms.security.oidc.ping.params=client_id=myClientID;response_type=token;client_secret=myClientSecret;scope=openid
 dbms.security.oidc.ping.claims.username=username

Also tried using the below configuration for PingFederate:

dbms.security.authentication_providers=oidc-ping
dbms.security.authorization_providers=oidc-ping
dbms.security.oidc.ping.display_name=Ping
dbms.security.oidc.ping.auth_flow=pkce
dbms.security.oidc.ping.well_known_discovery_uri=https://myhostname:9031/.well-known/openid-configuration
dbms.security.oidc.ping.auth_endpoint=https://myhostname:9031/as/authorization.oauth2
dbms.security.oidc.ping.audience=myAud
dbms.security.oidc.ping.params=client_id=myClientID;response_type=code;scope=openid
dbms.security.oidc.ping.token_params=client_secret=myClientSecret
dbms.security.oidc.ping.claims.username=username
dbms.security.oidc.ping.jwks_uri=https://myhostname:9031/pf/JWKS

3) We are getting an exception at the Neo4j end as below. Moreover, Neo4j does not make any request to the PingFederate IdP, as the exception comes at the Neo4j end:

 2023-11-20 15:31:05.488+0000 WARN  {OidcRealm: oidc-ping}: Failed to authenticate user 'demo'. JWT is not valid for this realm.
 2023-11-20 15:31:05.489+0000 ERROR failed to log in: invalid principal or credentials

While using the JWT token:

{
  "alg": "RS256",
  "kid": "6554eWf3A81B8bhv6SBo",
  "pi.atm": "5cnv"
} 

{
  "scope": "openid",
  "client_id": "myClientID",
  "iss": "https://myhostname:9031",
  "aud": "myAud",
  "jti": "Ytr3765DMoH1WgOcX",
  "Username": "demo",
  "username": "demo",
  "exp": 1700159940
}

Note: The user demo is stored in LDAP, which is configured as a data store at the PingFederate end.

4) For the PingFederate IdP, will there be a need to implement a custom auth provider for Neo4j like this? If yes, then can you please provide a documentation reference, or will the OOTB SSO solution from Neo4j work?

5) We have enabled the below loggers at the Neo4j end, but these loggers are not helpful to debug the exception. Can you please suggest any additional loggers for this exception:

dbms.cluster.discovery.log_level=DEBUG  
dbms.routing.driver.logging.level=DEBUG  
db.logs.query.plan_description_enabled=true  
server.logs.debug.enabled=true  
dbms.security.logs.ldap.groups_at_debug_level_enabled=true  
dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled=true

Thanks, --Rohit
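The report above gives everything needed to cross-check the token against the realm settings by hand: the issuer, audience, expiry and the claim names the realm configuration refers to. The script below is an added example, not code from the issue or from Neo4j, and it does not reproduce Neo4j's own validation logic. It assumes that `principal=` inside `dbms.security.oidc.<provider>.config` and `dbms.security.oidc.<provider>.claims.username` both name claims that must exist in the token, and it never verifies the signature (that would need the JWKS and a crypto library, and a signature failure is the one thing this check cannot rule out). The realm dictionary copies the values from the first configuration in the report; the token is rebuilt from the decoded header and payload shown there with a placeholder signature segment, and `LOG_TIME` is the timestamp of the WARN line. Whether that posted token is the one that produced the log line is not stated in the report, so the expiry finding is only as good as that assumption.

```python
"""Offline sanity check of an OIDC token against a Neo4j oidc-<provider> realm config.

Added example, not from the issue or from Neo4j. It parses the 'key=value;...'
setting strings shown in the issue, decodes the JWT header/payload WITHOUT
verifying the signature, and lists mismatches a realm could reject. Treating
'principal' and 'claims.username' as claim names is an assumption.
"""
import base64
import json


def parse_kv_setting(value: str) -> dict:
    """Parse 'k1=v1;k2=v2' as used by dbms.security.oidc.<p>.config and .params."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> tuple:
    """Split a compact JWS and return (header, payload). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_token_against_realm(token: str, realm: dict, now: int) -> list:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    header, payload = decode_jwt(token)
    findings = []
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("unsigned token (alg=none)")
    if "issuer" in realm and payload.get("iss") != realm["issuer"]:
        findings.append(f"iss {payload.get('iss')!r} != configured issuer {realm['issuer']!r}")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if realm.get("audience") not in auds:
        findings.append(f"aud {aud!r} does not contain configured audience {realm.get('audience')!r}")
    exp = payload.get("exp")
    if exp is None:
        findings.append("token has no exp claim")
    elif now >= exp:
        findings.append(f"token expired at {exp} (checked at {now})")
    cfg = parse_kv_setting(realm.get("config", ""))
    for setting, claim in (("config.principal", cfg.get("principal")),
                           ("claims.username", realm.get("claims.username"))):
        if claim and claim not in payload:
            findings.append(f"claim {claim!r} named by {setting} is absent from the token")
    return findings


# Realm values copied from the first configuration in the issue.
REALM_PING = {
    "issuer": "https://myhostname:9031",
    "audience": "myAud",
    "config": "principal=unique_name;code_challenge_method=S256;"
              "token_type_principal=access_token;token_type_authentication=access_token",
    "claims.username": "username",
}

# Token reconstructed from the decoded header/payload in the issue; the
# signature segment is a constructed placeholder, since nothing here verifies it.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "6554eWf3A81B8bhv6SBo",
                              "pi.atm": "5cnv"}).encode()),
    b64url_encode(json.dumps({"scope": "openid", "client_id": "myClientID",
                              "iss": "https://myhostname:9031", "aud": "myAud",
                              "jti": "Ytr3765DMoH1WgOcX", "Username": "demo",
                              "username": "demo", "exp": 1700159940}).encode()),
    b64url_encode(b"placeholder-signature"),
])

LOG_TIME = 1700494265  # 2023-11-20 15:31:05 UTC, the timestamp of the WARN line


if __name__ == "__main__":
    for finding in check_token_against_realm(SAMPLE_TOKEN, REALM_PING, LOG_TIME):
        print("-", finding)
```

Run against the posted values it reports two things: the token's `exp` (1700159940, i.e. 2023-11-16 18:39:00 UTC) is earlier than the log timestamp, and the claim named by `principal=unique_name` is not in the payload, while `iss`, `aud` and the `username` claim all line up. Neither finding is confirmed as the cause on this page; they are simply the first two discrepancies to eliminate before reaching for debug loggers, and a real investigation would add signature verification against the realm's `jwks_uri`.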

mnd999 commented 11 months ago

Thanks for your report. Unfortunately, this is not the right repository for questions about SSO integrations; this one is for reporting issues with the Operations Manual. As SSO is an enterprise feature, I would suggest in the first instance that the best way to get assistance with it is to open a support ticket with Neo4j support, if you are able to do that.