document and link to the require_local_user setting

phil198 · renetapopova · commit a2e27f3b81f6 · 2024-09-16T15:19:47.000+01:00
diff --git a/modules/ROOT/pages/authentication-authorization/auth-providers.adoc b/modules/ROOT/pages/authentication-authorization/auth-providers.adoc
@@ -6,7 +6,7 @@
 
 Authentication and authorization can be controlled on a user-level using Cypher by setting Auth Providers on users.
 
-In order to make use of Auth Providers, you need to set the `dbms.security.require_local_user` configuration setting to `true`.
+In order to make use of Auth Providers, you need to set the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting to `true`.
 This setting mandates that only users with a corresponding Auth Provider in the database can authenticate and authorize.
 
 Auth Providers give you a way to link externally-defined users (e.g. in a 3rd party ID provider like OIDC or LDAP) to the Neo4j internal User model.
@@ -32,7 +32,7 @@ The way that the matching lookup is done depends on the type of provider. For ex
 - For the `native` (username/password) provider, the supplied username itself is used to look up the Auth Provider.
 
 == Enabling User Auth Providers mode
-When the configuration setting `dbms.security.require_local_user` is set to `true`, the lookups described above will be performed when the user authenticates, and a matching user Auth Provider *must* exist in order for a user to be able to successfully authenticate and authorize.
+When the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting is set to `true`, the lookups described above will be performed when the user authenticates, and a matching user Auth Provider *must* exist in order for a user to be able to successfully authenticate and authorize.
 
 == Examples
 For examples of how to use Auth Providers with different authentication providers, see the following sections:
diff --git a/modules/ROOT/pages/authentication-authorization/ldap-integration.adoc b/modules/ROOT/pages/authentication-authorization/ldap-integration.adoc
@@ -379,11 +379,11 @@ SET AUTH PROVIDER 'ldap' { SET ID 'cn=alice,ou=engineering,dc=example,dc=com' }
 ----
 This will create a user who can authenticate and authorize using LDAP provided their LDAP `dn` is `cn=alice,ou=engineering,dc=example,dc=com`.
 
-When the `dbms.security.require_local_user` configuration setting is set to `true`, users can *only* authenticate when there is a user in the database with an Auth Provider which links to the provider that the user is trying to authenticate with.
+When the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting is set to `true`, users can *only* authenticate when there is a user in the database with an Auth Provider which links to the provider that the user is trying to authenticate with.
 
 If there is no matching Auth Provider, the user will not be able to authenticate or authorize. This applies to all providers.
 
-Conversely, when `dbms.security.require_local_user` is set to `false`, users' Auth Providers will have no bearing on the way that they are authenticated and authorized, instead authentication and authorization will be controlled centrally (for all users) by the database configuration.
+Conversely, when xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] is set to `false`, users' Auth Providers will have no bearing on the way that they are authenticated and authorized, instead authentication and authorization will be controlled centrally (for all users) by the database configuration.
 ======
 
 
diff --git a/modules/ROOT/pages/authentication-authorization/sso-integration.adoc b/modules/ROOT/pages/authentication-authorization/sso-integration.adoc
@@ -261,7 +261,7 @@ xref:authentication-authorization/auth-providers.adoc[Auth Providers] can be use
 
 [NOTE]
 ====
-You need to set the `dbms.security.require_local_user` configuration setting to `true` to use Auth Providers. This means that a user with a matching Auth Provider *must* exist in order to be able to authenticate and authorize.
+You need to set the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting to `true` to use Auth Providers. This means that a user with a matching Auth Provider *must* exist in order to be able to authenticate and authorize.
 ====
 
 The following examples show how you can use Cypher to do this.
@@ -276,11 +276,11 @@ SET AUTH 'oidc-mysso' {SET ID 'jakesUniqueMySsoId'} // the id must match the cla
 This will create a user who can authenticate and authorize using `mysso` if they present a valid token with a `sub` claim of `jakesUniqueMySsoId`.
 The claim used for authentication is determined by the xref:configuration/configuration-settings.adoc#config_dbms.security.oidc.-provider-.claims.username[`dbms.security.oidc.mysso.claims.username`] config setting (default the default is the `sub` claim).
 
-When the `dbms.security.require_local_user` configuration setting is set to `true`, users can *only* authenticate when there is a user in the database with an Auth Provider which links to the provider that the user is trying to authenticate with.
+When the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting is set to `true`, users can *only* authenticate when there is a user in the database with an Auth Provider which links to the provider that the user is trying to authenticate with.
 
 If there is no matching Auth Provider, the user will not be able to authenticate or authorize. This applies to all providers.
 
-Conversely, when `dbms.security.require_local_user` is set to `false`, users' Auth Providers will have no bearing on the way that they are authenticated and authorized, instead authentication and authorization will be controlled centrally (for all users) by the database configuration.
+Conversely, when xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] is set to `false`, users' Auth Providers will have no bearing on the way that they are authenticated and authorized, instead authentication and authorization will be controlled centrally (for all users) by the database configuration.
 ======
 
 
diff --git a/modules/ROOT/pages/configuration/configuration-settings.adoc b/modules/ROOT/pages/configuration/configuration-settings.adoc
@@ -4615,6 +4615,21 @@ m|++++++
 |===
 
 
+[[config_dbms.security.require_local_user]]
+=== `dbms.security.require_local_user`
+
+.dbms.security.require_local_user
+[frame="topbot", stripes=odd, grid="cols", cols="<1s,<4"]
+|===
+|Description
+a|When set to `true`, users can *only* authenticate when there is a user in the database with an xref:authentication-authorization/auth-providers.adoc[Auth Provider] which links to the provider that the user is trying to authenticate with. If there is no matching xref:authentication-authorization/auth-providers.adoc[Auth Provider], the user will not be able to authenticate or authorize. This applies to all providers. Conversely, when set to `false`, users' xref:authentication-authorization/auth-providers.adoc[Auth Providers] will have no bearing on the way that they are authenticated and authorized, instead authentication and authorization will be controlled centrally (for all users) by the database configuration.
+|Valid values
+a|A boolean.
+|Default value
+m|+++true+++
+|===
+
+
 [[config_dbms.netty.ssl.provider]]
 === `dbms.netty.ssl.provider`
 
diff --git a/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc b/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc
@@ -24,7 +24,7 @@ SSO works in the following way:
 . The identity provider responds with a JSON Web Token (JWT), a JSON file containing fields (claims) relative to the user (email, audience, groups, etc.).
 . The client provides the server with the JWT, and the server verifies its signature with the JWKs.
 [role=label--new-5.24]
-. By setting the `dbms.security.require_local_user` configuration setting to `true`, you can control which users can authenticate and authorize by creating xref:authentication-authorization/auth-providers.adoc[Auth Providers] in the database using Cypher.
+. By setting the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting to `true`, you can control which users can authenticate and authorize by creating xref:authentication-authorization/auth-providers.adoc[Auth Providers] in the database using Cypher.
 In this mode, a user with a matching Auth Provider must exist in the database for the user to be able to authenticate and authorize using an SSO (or any external) provider.
 This allows you to do the following in the database, using Cypher:
 .. `SUSPEND` SSO users.
@@ -136,7 +136,7 @@ image::sso-configuration-tutorials/okta-sign-on-tab.svg[title="Okta's sign-on ta
 +
 [role=label--new-5.24]
 . (Optional). If you want to mandate that users exist in the database in order to authenticate and authorize, you can use xref:authentication-authorization/auth-providers.adoc[Auth Providers] to achieve this.
-Set the `dbms.security.require_local_user` configuration setting to `true` in the _neo4j.conf_ file to enable this mode.
+Set the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting to `true` in the _neo4j.conf_ file to enable this mode.
 For example to create a user `jake` who can authenticate using native or Okta, and authorize using Okta (as configured in step 3), you can use the following Cypher query:
 [source, cypher, role=noplay]
 ----
@@ -328,7 +328,7 @@ dbms.security.oidc.azure.claims.groups=roles
 
 [role=label--new-5.24]
 . (Optional). If you want to mandate that users exist in the database in order to authenticate and authorize, you can use xref:authentication-authorization/auth-providers.adoc[Auth Providers] to achieve this.
-Set the `dbms.security.require_local_user` configuration setting to `true` in the _neo4j.conf_ file to enable this mode.
+Set the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting to `true` in the _neo4j.conf_ file to enable this mode.
 For example to create a user `jake` who can authenticate and authorize using Azure, you can use the following Cypher query:
 [source, cypher, role=noplay]
 ----
@@ -391,7 +391,7 @@ An admin user with the name `neo4j` is created by default when the database is x
 dbms.security.authentication_providers=oidc-google, native
 ----
 
-.. Set the `dbms.security.require_local_user` configuration setting to `true` in the _neo4j.conf_ file.
+.. Set the xref:configuration/configuration-settings.adoc#config_dbms.security.require_local_user[`dbms.security.require_local_user`] configuration setting to `true` in the _neo4j.conf_ file.
 This will switch to __User Auth Providers__ mode whereby users can only authenticate and authorize if they have a corresponding Auth Provider in the database.
 
 [source, properties]
