Document mixed-mode authentication and authorization (#1126) (#1165)

Information about mixed-mode authentication and/or authorization should
be added to the `4.4` branch as well.

---------

Co-authored-by: Reneta Popova <[email protected]>

Author: NataliaIvakina

modules/ROOT/pages/authentication-authorization/index.adoc

@@ -45,11 +45,17 @@ A plugin option for building custom integrations.
 It is recommended that this option is used as part of a custom delivery as negotiated with link:https://neo4j.com/professional-services/[Neo4j Professional Services].
 For more information, see link:{neo4j-docs-base-uri}/java-reference/{page-version}/extending-neo4j/security-plugins#extending-neo4j-security-plugins[Java Reference -> Authentication and authorization plugins].
 
-
 *Kerberos authentication and single sign-on*::
 In addition to LDAP, native, and custom providers, Neo4j supports Kerberos for authentication and single sign-on.
 Kerberos support is provided via the link:{neo4j-docs-base-uri}/kerberos-add-on/current/[Neo4j Kerberos Add-On].
 
+*Mixed-mode authentication*::
+Neo4j also supports mixed-mode authentication that allows you to use multiple authentication providers in your database setup.
+For more information and examples, see xref:authentication-authorization/ldap-integration.adoc#auth-ldap-configure-provider[Set Neo4j to use LDAP] and xref:authentication-authorization/sso-integration.adoc#auth-sso-configure-sso[Configure Neo4j to use OpenID Connect].
+
+
+
+
 [[authorization-overview]]
 == Authorization
 
@@ -64,11 +70,11 @@ Neo4j provides a set of xref:authentication-authorization/built-in-roles.adoc[bu
 You can also use the _sub-graph_ access control, through which read access to the graph can be limited to specific combinations of labels, relationship types, and properties.
 
 [NOTE]
---
+====
 The functionality described in these pages applies to Enterprise Edition.
 A limited set of user management functions are also available in Community Edition.
 xref:authentication-authorization/built-in-roles.adoc#auth-built-in-roles-overview[Built-in roles capabilities] gives a quick overview of these.
---
+====
 
 The Neo4j security model is stored in the system graph, which is maintained in the xref:database-administration/index.adoc#manage-databases-system[`system` database].
 All administrative commands need to be executed against it.

modules/ROOT/pages/authentication-authorization/ldap-integration.adoc

@@ -100,6 +100,19 @@ First, you configure Neo4j to use LDAP as an authentication and authorization pr
 . Uncomment the setting `dbms.security.auth_enabled=false` and change its value to `true` to turn on the security feature.
 . Uncomment the settings `dbms.security.authentication_providers` and `dbms.security.authorization_providers` and change their value to `ldap`.
 This way, the LDAP connector is used as a security provider for both authentication and authorization.
++
+If you want, you can still use the `native` provider for mixed-mode authentication and authorization.
+The values are comma-separated and queried in the declared order.
++
+.Configure Neo4j to use LDAP and the native authentication and authorization provider.
+======
+[source,configuration,role="noheader"]
+----
+dbms.security.authentication_providers=ldap,native
+dbms.security.authorization_providers=ldap,native
+----
+======
+
 
 [[auth-ldap-map-ldap-roles]]
 == Map the LDAP groups to the Neo4j roles

modules/ROOT/pages/authentication-authorization/sso-integration.adoc

@@ -141,16 +141,16 @@ First, you configure Neo4j to use OpenID Connect as an authentication and author
 The default value for `dbms.security.auth_enabled` is `true`.
 . Uncomment the settings `dbms.security.authentication_providers` and `dbms.security.authorization_providers` and change their value to `oidc-<provider>`, where `<provider>` maps to the provider name used in the configuration settings.
 This way, the OIDC connector is used as a security provider for both authentication and authorization.
-These configuration values are comma-separated lists, so if you wish to continue to use native authentication and authorization alongside SSO, then these providers can be added to the existing `native` provider:
+If you want, you can still use the `native` provider for mixed-mode authentication and authorization.
+The values are comma-separated and queried in the declared order.
 +
-.Configuration
+.Configure Neo4j to use two OpenID Connect and the native authentication and authorization providers.
 ======
 [source,configuration,role="noheader"]
 ----
 dbms.security.authentication_providers=oidc-newsso,oidc-oldsso,native
 dbms.security.authorization_providers=oidc-newsso,oidc-oldsso,native
 ----
-This example has two OpenID Connect providers configured, as well as Neo4j native authorization and authentication.
 ======
 
 [[auth-sso-map-idp-roles]]
@@ -304,4 +304,4 @@ To enable the logging of these claims at `DEBUG` level in the security log, set
 ====
 Make sure to set xref:configuration/configuration-settings.adoc#config_dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled[dbms.security.logs.oidc.jwt_claims_at_debug_level_enabled] back to `false` for production environments to avoid unwanted logging of potentially sensitive information.
 Also, bear in mind that the set of claims provided by an identity provider in the JWT can change over time.
-====
+====