diff --git a/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc b/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc index 490278a19..97be538ce 100644 --- a/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc +++ b/modules/ROOT/pages/tutorial/tutorial-sso-configuration.adoc 
@@ -132,50 +132,52 @@ image::sso-configuration-tutorials/okta-sign-on-tab.svg[title="Okta's sign-on ta This example shows how to configure Entra ID for authentication and authorization using an access token. -. Set parameters to be `access_token`: -+ -[source, properties] ----- -dbms.security.oidc.azure.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token ----- +. After the successful creation of your SSO application in Azure, open the *Token configuration* tab to configure a token. +.. Click *Add groups claim*. +.. Select *Security groups* to include in your access token. +.. Save your changes. -. Add the following parameter: +. Open the **Expose an API** tab and select **Add a Scope**. +.. If you click the **Add a Scope** button for the first time, you see a new pane stating that you need to add an _Application ID URI_ before proceeding. + -[source, properties] ----- -dbms.security.oidc.azure.token_endpoint=https://login.microsoftonline.com/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/oauth2/v2.0/token ----- +You can find it on your app *Overview* page. + -[NOTE] -==== -The GUID is the directory (tenant) ID. -You can find it on the app registration page: - +.The GUID is used to identify specific resources or instances within Azure. You can find it on the app registration page. image::sso-configuration-tutorials/azure-id.svg[] -==== ++ +.. Click *Save and continue* after setting the _Application ID URI_. + +. Fill in all mandatory fields in the pane **Add a scope**. +.. Enter a new *Scope name*, *Admin consent display name*, and *Admin consent description*. +.. Make sure the *Enabled* scope state is selected. +.. Select the *Add scope* button again to create a new scope. +You can add all scopes supported by your API. ++ +Once the scopes are created, make a note of them for use later. -. Include the issuer: +. 
Configure Neo4j to use Entra ID for authentication by configuring the following settings in the _neo4j.conf_ file: + [source, properties] ---- +# Configure the access_token +dbms.security.oidc.azure.config=principal=unique_name;code_challenge_method=S256;token_type_principal=access_token;token_type_authentication=access_token +# Configure the OIDC token endpoint with the Directory (tenant) ID +dbms.security.oidc.azure.token_endpoint=https://login.microsoftonline.com/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/oauth2/v2.0/token +# Configure the iss claim in the id token with the Directory (tenant) ID +# Make sure you add the trailing slash (`/`) at the end of the URL, or this operation might fail. dbms.security.oidc.azure.issuer=https://sts.windows.net/54e85725-ed2a-49a4-a19e-11c8d29f9a0f/ +# Provide the Entra ID parameters, such as client_id, response_type, scope, etc. +dbms.security.oidc.azure.params=client_id=4376dc8b-b5af-424f-9ada-c1c1b2d416b9;response_type=code;scope=openid profile email api://4376dc8b-b5af-424f-9ada-c1c1b2d416b9/access-token ---- + [NOTE] ==== -As previously mentioned, the GUID here is also the directory (tenant) ID. +As previously mentioned, the GUID here is also the Directory (tenant) ID. Make sure you add the trailing slash (`/`) at the end or this operation might fail. -==== -. Go to the "Expose an API" tab and click "Add a Scope" to include the following statement: -+ -[source, properties] ----- -dbms.security.oidc.azure.params=client_id=4376dc8b-b5af-424f-9ada-c1c1b2d416b9;response_type=code;scope=openid profile email api://4376dc8b-b5af-424f-9ada-c1c1b2d416b9/access-token ----- +The audience parameter for access tokens is typically set with `api://` at the front. +==== -. Add the value in the scope column to the scopes in the configuration. -Note that the audience parameter for access tokens are typically set with` api://` at the front. === ID token
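Review bot: the relocated tenant-ID explanation loses its meaning in the new "Expose an API" step and then breaks the cross-reference in the NOTE below the config block. The old text said plainly "The GUID is the directory (tenant) ID"; the new block title `.The GUID is used to identify specific resources or instances within Azure.` says nothing about which GUID is meant, and it now sits under the _Application ID URI_ step, where the GUID the reader sees (`api://4376dc8b-...`) is the application (client) ID, not the tenant ID that `image::sso-configuration-tutorials/azure-id.svg[]` was placed there to show. The later `+As previously mentioned, the GUID here is also the Directory (tenant) ID.` therefore refers back to a sentence that no longer mentions the tenant ID. Suggest restoring "The GUID is the Directory (tenant) ID" at the point the image is shown, and saying explicitly which GUID in the Application ID URI is the client ID. Smaller points in the same hunk: the comment `+# Configure the iss claim in the id token with the Directory (tenant) ID` says "id token" in a section that sets `token_type_authentication=access_token`, so it should read "access token" (the ID-token variant is the next section); the trailing-slash warning now appears both as a comment in the config block and again in the NOTE, so one copy should go; the NOTE's "audience parameter" does not appear anywhere in the example, so tie it to the `api://<client-id>/<scope>` value used in `scope=` or drop it; and the bold syntax mixes `*Token configuration*` with `**Expose an API**` / `**Add a Scope**`, which the rest of the page writes with single asterisks.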