Enabling Azure SSO - Information Required

This article is to guide you through gathering the information to enable SSO, there are headings for Access Token and ID Token, please follow the correct heading according to you needs.

ID Token

The below information is what we require to enable SSO using ID Token with Azure AD.

Client ID: the client ID can be found within the Azure App Registration you wish to use for your integration, highlighted in the screenshot below:

Directory (tenant) ID: This can be found as highlighted in the screenshot below:

Username Claim: This is something within Azure AD which is used as the username within the Neo4j Database. By default this is sub, but you may wish to use something such as email.

User Principal: Typically the same as Username Claim but this does not have to the case. The principal is the Unique Identifier of the user and the Username Claim is what their actual username will be in Neo4j.

Group to Role Mapping: The Azure Group is to be provided as a GUID, the Neo4j Group is to be provided as it is named in the database.

Access Token

Access token is slightly more complex to setup and further/different information is required; there is also some additional config required in the IDP side.

The above information from ID token is required, but it is also required for you to create an additional scope within the app registration by following the below steps:

1. click on Expose an API in the side bar:

2. Click Add a Scope

3. Fill in the mandatory information, giving the scope a name, display name and description and then click Add Scope

4. Click on the copy button next to the scope as highlighted below:

5. The copied valued is what should be provided to us

Configuring Redirect URIs

Please note that you must usa SPA redirect URIs, Neo4j Aura does not currently support other types, such as web or native.

You will need to add a redirect URI for each of the Aura apps you are using, <<dbid>> should be replaced the dbid of the instance you are configuring SSO for:

Browser: https://<<dbid>>.databases.neo4j.io/browser/?idp_id=azure&auth_flow_step=redirect_uri

Bloom:

https://bloom.neo4j.io/index.html?idp_id=azure&auth_flow_step=redirect_uri

1. Browse to App Registrations in the side pane and click on the app you are using for this integration:

2. Click on the blue text  Add a Redirect URI next to Redirect URIs:

3. Click Add a Platform

4. Select Single-page application:

5. Enter the URI in the format as shown at the top of this section and click Configure:

6. Repeat the process for the necessary applications, using the URIs in the format as shown above