SSO for review #563

Open
wants to merge 7 commits into
base: main

Contributor

@fiquick fiquick commented Dec 18, 2024

No description provided.

Collaborator

@AlexicaWright AlexicaWright left a comment

Just a few questions.


There are two configuration options: *Organization SSO* and *Instance SSO*.
Note that role mapping is a feature exclusive to Instance SSO.

Collaborator

But the next section is about roles at the org level?


There are two configuration options: *Organization SSO* and *Instance SSO*.

Collaborator

What about Project SSO?

Collaborator

@AlexicaWright AlexicaWright left a comment

I think you should mention in the beginning that SSO can be configured on two different levels. That's how we normally structure a page, by introducing what's to come on top and then followed by more details below.

label:AuraDB-Virtual-Dedicated-Cloud[]
label:AuraDS-Enterprise[]
label:AuraDB-Business-Critical[]
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console.

Collaborator

Suggested change
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console.
*AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* support Single Sign-On both on Organization and Instance levels, configurable in the Aura console.

Collaborator

I'm missing information here about the limitations of SSO (i.e. that access, roles, and permissions are controlled via RBAC).
Also, a page should start with some sort of introduction, even if it is just a one-sentence paragraph. I suggest you remove the bullets here.

modules/ROOT/pages/platform/security/single-sign-on.adoc (outdated)
label:AuraDB-Business-Critical[]
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console.
Organization owners and organization admins can configure one or more Single Sign-On (SSO) login methods for user authentication.
* *AuraDB Business Critical* Individual instance level SSO is available by request through support.
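
Review bot: The sentence "Organization owners and organization admins can configure one or more Single Sign-On (SSO) login methods for user authentication." sits between the two tier bullets, so it reads as part of the Virtual Dedicated Cloud / AuraDS Enterprise item rather than as a statement about SSO in general. Move it above the list. The two bullets are also not parallel: the first follows the bold tier names with a capitalised singular verb ("Supports") although the subject is two tiers, and the second follows with a noun phrase. Finally, "instance level SSO" should be hyphenated as "instance-level SSO".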

Collaborator

Suggested change
* *AuraDB Business Critical* Individual instance level SSO is available by request through support.
*AuraDB Business Critical* Individual instance level SSO is available by request through support.


Organization admins can configure organization level SSO (org SSO) and project level SSO (project SSO).
_Use as a login method for the organization_

Collaborator

Why is this in italics?


== Log-in methods
_Use as a login method for instances within Projects in this Org._
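
Review bot: The heading spells it "Log-in methods" while the line under it uses "login method"; pick one spelling and use it consistently. The same line capitalises "Projects" and abbreviates "Org.", whereas the other lines of this page write "projects" and "organization", so spell these out in lower case here too.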

Collaborator

Again, why italics?

modules/ROOT/pages/platform/security/single-sign-on.adoc (outdated)
Log-in methods are different for each SSO level.
Administrators can configure a combination of one or more of the log-in methods.
You can choose which projects are included during set up.
Applies to authentication at the instance level meaning that the SSO login method is shown when a user tries to access an instance.

Collaborator

What is this referring to? The sentence is missing a subject?

Administrators can configure a combination of one or more of the log-in methods.
You can choose which projects are included during set up.
Applies to authentication at the instance level meaning that the SSO login method is shown when a user tries to access an instance.
Role mapping is a feature exclusive to Instance SSO.

Collaborator

Is it really? Role mapping exists at org level too and you've listed a whole table about org-level roles and their privileges.
I think what you're trying to say is that role-mapping via SSO is only available for instance SSO?

Contributor Author

The UI says
Role mapping only applies for Instance SSO = For example "group1"=role1;"group2"=role2

modules/ROOT/pages/platform/security/single-sign-on.adoc (outdated)

Log-in methods are different for each SSO level.
Administrators can configure a combination of one or more of the log-in methods.
You can choose which projects are included during set up.
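
Review bot: The second and third lines switch voice, from "Administrators can configure" to "You can choose"; address the reader the same way in both. In the third line, "during set up" should use the noun form "setup". The first line says the log-in methods differ per SSO level without saying how, so either state the difference here or point to where it is described.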

Include that the SSO configuration will only apply to instances that are created afterwards, not previous ones, and updating/removing an SSO config will not update/remove it from any instances it has been applied to.

Contributor Author

Good idea, I'll add it

label:AuraDB-Business-Critical[]
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console.
Organization owners and organization admins can configure one or more Single Sign-On (SSO) login methods for user authentication.
* *AuraDB Business Critical* Individual instance level SSO is available by request through support.

@KingJohanna KingJohanna Dec 19, 2024

This is incorrect, instance SSO is always available for BC instances.

Contributor Author

@fiquick fiquick Dec 20, 2024

Right, but support can set up a special configuration so that only 1 instance in a project with multiple instances has SSO applied to it, and this is only available to Business Critical according to our support colleague. Would that be correct?

label:AuraDB-Virtual-Dedicated-Cloud[]
label:AuraDS-Enterprise[]
label:AuraDB-Business-Critical[]
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console.

@KingJohanna KingJohanna Dec 19, 2024

Org SSO is available to orgs that have access to* AuraDB Virtual Dedicated Cloud, AuraDS Enterprise or AuraDB Business Critical.

*Aka the capability to create instances with any of these tiers. Effectively this is

  1. Orgs with plan type Virtual Dedicated Cloud.
  2. Orgs with plan type self-serve with at least one non-marketplace (N4GCP, AWS, Azure) project.

@KingJohanna KingJohanna Dec 20, 2024

I started questioning this logic, because we don't have a technical reason for this limitation.

In the next year, we plan to remove this restriction so that org SSO is available for all orgs.

Contributor Author

Good stuff, SSO for all orgs will be a better user experience!

fiquick and others added 3 commits December 19, 2024 15:45
Co-authored-by: Jessica Wright <49636617+AlexicaWright@users.noreply.github.com>
Co-authored-by: Jessica Wright <49636617+AlexicaWright@users.noreply.github.com>
Co-authored-by: Jessica Wright <49636617+AlexicaWright@users.noreply.github.com>
@neo-technology-commit-status-publisher
Collaborator

This PR includes documentation updates
View the updated docs at https://neo4j-docs-aura-563.surge.sh

Updated pages:

4 participants