When you are trying to log in to the Aura database via SSO, you might get this error message: "SSO token was not accepted by neo4j".
This error message means that the SSO authentication succeeded on your IDP side: the IDP verified your login identity, generated a valid token (ID token or access token), and passed it back to the Aura instance for a final verification.
At this point, one of two things has gone wrong:
- There is something wrong with the token, and Aura cannot accept it.
- The Neo4j Aura server couldn't communicate with the IDP server.
Here are some of the most common issues with the token:
1. Token is too large. Check whether your account belongs to a large number of groups. In that case the token becomes too large and Neo4j Aura discards it. (You can try with an account that belongs to only a handful of groups.)
2. Some claims in your token do not match the SSO configuration of your Aura instance. For example, the username claim in your Aura configuration is "username", but the claim in your token is called "preferred_username".
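As an added illustration of the two token problems above (this is not Neo4j's code and is not part of the original article), the script below decodes a constructed sample token locally, without verifying its signature (Aura does its own verification), and reports a token that exceeds a size threshold, a configured username claim that is absent from the token, and a group list that is unusually long. The thresholds max_token_bytes and max_groups are assumptions chosen for illustration, not Aura's actual limits, and make_sample_token only builds a JWT-shaped string with a placeholder signature.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a constructed, JWT-shaped token (header.payload.signature).
    The signature is a placeholder; this is sample data, not a real credential."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def decode_payload(token: str) -> dict:
    """Return the claims in the second JWT segment WITHOUT verifying the signature.
    Diagnostic use only: Aura performs the real signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_token(token: str, username_claim: str, groups_claim: str = "groups",
                   max_token_bytes: int = 8192, max_groups: int = 100) -> list:
    """Return human-readable findings for the two common token issues.
    max_token_bytes and max_groups are assumed thresholds for illustration only."""
    findings = []

    # Issue 1: the token is too large (usually driven by a long group list).
    size = len(token.encode("ascii"))
    if size > max_token_bytes:
        findings.append(f"token is {size} bytes, above the assumed limit of {max_token_bytes}")

    claims = decode_payload(token)

    # Issue 2: the username claim configured in Aura is not present in the token.
    if username_claim not in claims:
        candidates = [c for c in ("preferred_username", "email", "sub", "upn", "name") if c in claims]
        hint = f"; token carries {', '.join(candidates)}" if candidates else ""
        findings.append(f"configured username claim '{username_claim}' is absent from the token{hint}")

    # Group membership count, the usual cause of issue 1.
    groups = claims.get(groups_claim)
    if isinstance(groups, list) and len(groups) > max_groups:
        findings.append(f"{len(groups)} entries in '{groups_claim}'; an account with fewer groups may be needed")

    return findings


if __name__ == "__main__":
    # Constructed sample: the IDP emits preferred_username, but Aura is configured for "username".
    sample = make_sample_token({"sub": "u1", "preferred_username": "alice", "groups": ["g1", "g2"]})
    for finding in diagnose_token(sample, username_claim="username"):
        print(finding)
```

Run it with the token copied from your browser's SSO response in place of the constructed sample; a reported claim-name mismatch points at the Aura SSO configuration, while a size or group-count finding points at the account's group membership.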
The Neo4j Aura server couldn't communicate with the IDP server
- A successful connection from your web browser to the IDP server verifies the connection between your client machine and your IDP server.
- However, this doesn't guarantee connectivity between the Aura server and the IDP server.
- To check this:
  - Log in to the Aura instance through Neo4j Browser with native login (username and password).
  - Run the APOC call below, replacing <well known discovery URL> with the actual URL of your IDP's discovery document:

        CALL apoc.load.json("<well known discovery URL>")
        YIELD value
        RETURN value

  - If your Aura instance has already been configured with the SSO details for your IDP, you can read the well-known URL from the instance configuration by running:

        CALL dbms.listConfig()
        YIELD name, value
        WHERE name CONTAINS "well_known_discovery_uri"
        RETURN value AS knownurl

  - You can also fetch the URL dynamically and test connectivity in a single query:

        CALL dbms.listConfig()
        YIELD name, description, value
        WHERE name CONTAINS "well_known_discovery_uri"
        WITH value AS knownurl
        CALL apoc.load.json(knownurl)
        YIELD value
        RETURN knownurl, value

- If the APOC call fails to fetch data, it indicates a connectivity issue between the Neo4j server and your IDP.