From 6c2f42f357ece0cd5af4e174752de9c4f36af619 Mon Sep 17 00:00:00 2001 From: Fi Quick <47183728+fiquick@users.noreply.github.com> Date: Thu, 19 Dec 2024 17:05:21 +0000 Subject: [PATCH 1/3] J&Js feedback --- .../platform/security/single-sign-on.adoc | 158 +++--------------- 1 file changed, 20 insertions(+), 138 deletions(-) diff --git a/modules/ROOT/pages/platform/security/single-sign-on.adoc b/modules/ROOT/pages/platform/security/single-sign-on.adoc index b9e944f1..96709c56 100644 --- a/modules/ROOT/pages/platform/security/single-sign-on.adoc +++ b/modules/ROOT/pages/platform/security/single-sign-on.adoc 
@@ -2,159 +2,39 @@ = Single Sign-On (SSO) :description: SSO allows you to log in to the Aura Console using their company IdP credentials. -* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console. Organization owners and organization admins can configure one or more SSO login methods for user authentication. -* *AuraDB Business Critical* Individual instance level SSO is available by request through support. - SSO allows users to authenticate through an Identity Provider (IdP) to access an organization or instances within a project. - -== Organization SSO -_Use as a login method for the organization_ +Using the Aura console, you can select one _or both_ of the following configurations: + +* Use as a login method for the organization (Organization SSO) +* Use as a login method for instances within Projects in this Org (Instance SSO) + +== Use as a login method for the organization (Organization SSO) -=== Organization SSO login methods +Login methods: * Okta * Microsoft Entra ID * Google SSO (not Google Workspace SSO) +Leave email/password and Google login enabled if you want users to continue to have access to the console using email/pw and Google logins. +If you want to restrict access to the console/org to only the configured SSO provider, then disable email/pw and google login methods. + You can disable email/password and Google SSO if Okta or Microsoft Entra ID are configured. When Organization SSO is set up, the *Organization SSO login* link is available in the *Organization Settings > Summary* section of the Aura console. 
-=== SSO Org level roles - -The following roles are available at the organization level and these are assigned via invitation: - -* Owner -* Admin -* Member - -:check-mark: icon:check[] - -.Roles -[opts="header",cols="3,1,1,1"] -|=== -| Capability -| Owner -| Admin -| Member - -| List org -| {check-mark} -| {check-mark} -| {check-mark} - -| List org projects -| {check-mark} -| {check-mark} -| {check-mark} - -| Update org -| {check-mark} -| {check-mark} -| - -| Add projects -| {check-mark} -| {check-mark} -| - -| List existing SSO configs -| {check-mark} -| {check-mark} -| - -| Add SSO configs -| {check-mark} -| {check-mark} -| - -| List SSO configs on project-level -| {check-mark} -| {check-mark} -| - -| Update SSO configs on project-level -| {check-mark} -| {check-mark} -| - -| Delete SSO configs on project-level -| {check-mark} -| {check-mark} -| - -| Invite non-owner users to org -| {check-mark} -| {check-mark} -| - -| List users -| {check-mark} -| {check-mark} -| - -| List roles -| {check-mark} -| {check-mark} -| - -| List members of a project -| {check-mark} -| {check-mark} footnote:[An admin can only list members of projects the admin is also a member of.] -| - -// | Add customer information for a trial within org -// | {check-mark} -// | {check-mark} -// | - -// | List customer information for a trial within org -// | {check-mark} -// | {check-mark} -// | - -// | List seamless login for org -// | {check-mark} -// | {check-mark} -// | - -// | Update seamless login for org -// | {check-mark} -// | {check-mark} -// | - -| Invite owners to org -| {check-mark} -| -| - -| Add owner -| {check-mark} -| -| - -| Delete owners -| {check-mark} -| -| - -| Transfer projects to and from the org -| {check-mark} footnote:[An owner needs to permission for both the source and destination orgs.] -| -| -|=== - -== Instance SSO - -_Use as a login method for instances within Projects in this Org._ - -You can select which projects are included during setup. 
+Users who log in via Organization SSO do not automatically get access to the organization that SSO is configured on. +Users must still be invited to a project within the organization in order to get access to that organization. + +== Use as a login method for instances within Projects in this Org (Instance SSO) + +During the SSO configuration (see Figure 2) you can select which projects are included during setup. Applies to authentication at the instance level meaning that the SSO login method is shown when a user tries to access an instance. -Role mapping is a feature exclusive to Instance SSO. +Role-mapping via SSO is only available for this option. -=== Instance SSO login methods +Login methods: * Okta * Microsoft Entra ID @@ -162,6 +42,8 @@ Role mapping is a feature exclusive to Instance SSO. You cannot disable user/password. Professional and Free instances within your selected projects will not have SSO configured. +This only applies to instances in the project that are created after Instance SSO was configured. + == Setup requirements To set up SSO, you need: From 5b7906aab39825ec8157d88d251fdb4767285781 Mon Sep 17 00:00:00 2001 From: Fi Quick <47183728+fiquick@users.noreply.github.com> Date: Thu, 19 Dec 2024 17:07:51 +0000 Subject: [PATCH 2/3] edit --- modules/ROOT/pages/platform/security/single-sign-on.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/platform/security/single-sign-on.adoc b/modules/ROOT/pages/platform/security/single-sign-on.adoc index 96709c56..6f3fb16f 100644 --- a/modules/ROOT/pages/platform/security/single-sign-on.adoc +++ b/modules/ROOT/pages/platform/security/single-sign-on.adoc 
@@ -18,8 +18,8 @@ Login methods: * Microsoft Entra ID * Google SSO (not Google Workspace SSO) +If you want to restrict access to the console/org to only the configured SSO provider, then disable email/pw and google login methods (See Figure 3). Leave email/password and Google login enabled if you want users to continue to have access to the console using email/pw and Google logins. -If you want to restrict access to the console/org to only the configured SSO provider, then disable email/pw and google login methods. You can disable email/password and Google SSO if Okta or Microsoft Entra ID are configured. From 2e40e89e76cd8c30576f89b3577ab63140e75f84 Mon Sep 17 00:00:00 2001 From: Fi Quick <47183728+fiquick@users.noreply.github.com> Date: Tue, 24 Dec 2024 11:56:53 +0000 Subject: [PATCH 3/3] glossary --- .../ROOT/pages/platform/security/single-sign-on.adoc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/platform/security/single-sign-on.adoc b/modules/ROOT/pages/platform/security/single-sign-on.adoc index 6f3fb16f..ac0f7da8 100644 --- a/modules/ROOT/pages/platform/security/single-sign-on.adoc +++ b/modules/ROOT/pages/platform/security/single-sign-on.adoc @@ -3,7 +3,10 @@ :description: SSO allows you to log in to the Aura Console using their company IdP credentials. Organization owners and organization admins can configure one or more SSO login methods for user authentication. -SSO allows users to authenticate through an Identity Provider (IdP) to access an organization or instances within a project. +SSO allows users to authenticate through an Identity Provider (IdP), such as Okta or Microsoft Entra ID, to access an organization or instances within a project. + +Glossary: IdP (e.g. Okta or Microsoft Entra ID) + Using the Aura console, you can select one _or both_ of the following configurations: 
@@ -24,9 +27,15 @@ Leave email/password and Google login enabled if you want users to continue to h You can disable email/password and Google SSO if Okta or Microsoft Entra ID are configured. When Organization SSO is set up, the *Organization SSO login* link is available in the *Organization Settings > Summary* section of the Aura console. +That link takes users directly to the auth0 org login page. Users who log in via Organization SSO do not automatically get access to the organization that SSO is configured on. Users must still be invited to a project within the organization in order to get access to that organization. +(Users can bookmark this page for easy access, or you could add it to an apps dashboard.) + +Users can navigate to the main auth0 login page (http://login.neo4j.com ) and select "Continue with Organization SSO". They can then enter their Organization SSO ID and be redirected to the org login page. + +If a user logs in with an email/pw or google login method, but shares the email with an org that has SSO configured, when they try to switch to a tenant on that org they will be redirected to the org login page. == Use as a login method for instances within Projects in this Org (Instance SSO)
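Review bot: In the first hunk of PATCH 1/3 (@@ -2,159 +2,39 @@) the whole "SSO Org level roles" table and the "AuraDB Business Critical ... available by request through support" bullet are deleted with no replacement, so the page no longer says which roles may list, add, update or delete SSO configs, nor how Business Critical customers obtain instance SSO; if that content moved to another page, add a cross-reference here, otherwise restore it. In the same hunk the two added sentences "Leave email/password and Google login enabled if you want ..." and "If you want to restrict access to the console/org to only the configured SSO provider, then disable email/pw and google login methods." say the same thing as the retained "You can disable email/password and Google SSO if Okta or Microsoft Entra ID are configured." and mix spellings ("email/password" vs "email/pw", "Google" vs "google"); fold them into one sentence with the precondition, e.g. "Once Okta or Microsoft Entra ID is configured, you can disable the email/password and Google login methods to restrict console access to the SSO provider." It would also help readers to note, before that sentence, that at least one owner should be able to sign in through the configured provider before the fallback methods are switched off, since the text gives no recovery path once they are disabled.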
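Review bot: In the second hunk of PATCH 1/3 (@@ -162,6 +42,8 @@) the added line "This only applies to instances in the project that are created after Instance SSO was configured." has an ambiguous antecedent: it can be read as qualifying the preceding sentence about Professional and Free instances, or as a general statement that Instance SSO is never applied to pre-existing instances. Please name the subject explicitly, e.g. "Instance SSO is applied only to instances created after it was configured; instances that already existed in the project keep their previous login methods." (if that is what is meant), because readers need to know exactly which instances are left outside the SSO policy.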
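Review bot: In PATCH 2/3 (@@ -18,8 +18,8 @@) moving the "If you want to restrict access ..." sentence above "Leave email/password and Google login enabled ..." leaves the third sentence, "You can disable email/password and Google SSO if Okta or Microsoft Entra ID are configured.", stating the same permission a second time; merge the precondition into the first sentence and drop the third. The added "(See Figure 3)" should match the "(see Figure 2)" form used earlier in the same file, and "email/pw" / "google" should be "email/password" / "Google" as in the surrounding text.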
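Review bot: In the first hunk of PATCH 3/3 (@@ -3,7 +3,10 @@) the added line "Glossary: IdP (e.g. Okta or Microsoft Entra ID)" repeats the examples already given in the sentence immediately above it and does not define the term; either drop it or make it a real definition using an AsciiDoc description list, e.g. "IdP:: Identity Provider, the service that authenticates users and asserts their identity to Aura (for example Okta or Microsoft Entra ID)." The unchanged context line ":description: SSO allows you to log in to the Aura Console using their company IdP credentials." also mixes "you" and "their"; since this hunk touches that paragraph, "your company IdP credentials" could be fixed at the same time.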
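Review bot: In the second hunk of PATCH 3/3 (@@ -24,9 +27,15 @@) the login URL is given as "http://login.neo4j.com " with a plain-http scheme and a trailing space inside the parentheses; a login page should be linked as https://login.neo4j.com[] so readers are not directed to an unencrypted URL and AsciiDoc does not swallow the space into the link. "auth0" should be written "Auth0" in both added sentences. The parenthetical "(Users can bookmark this page for easy access, or you could add it to an apps dashboard.)" refers to the link described two paragraphs earlier and is separated from it by the sentences about invitations, so "this page" is unclear; move it directly after "That link takes users directly to the Auth0 org login page." The term "Organization SSO ID" is introduced without saying where users or admins find it, and the last sentence introduces "tenant" where the rest of the page says organization; consider "A user who signs in with email/password or Google using an email address that belongs to an organization with SSO configured is redirected to that organization's login page when they switch to it."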