SSO OIDC custom auth and connecting with Neo4j Python driver (#1151)

imilinovic · katarinasupe · web-flow · commit d8f9573ab8e2 · 2025-03-06T17:02:12.000+01:00
* SSO custom auth and SSO with neo4j python driver docs

* PR changes

* PR changes

* update link

---------

Co-authored-by: katarinasupe &lt;supe.katarina@gmail.com&gt;
Co-authored-by: Katarina Supe &lt;61758502+katarinasupe@users.noreply.github.com&gt;
diff --git a/pages/client-libraries/python.mdx b/pages/client-libraries/python.mdx
@@ -177,6 +177,7 @@ Once the database is running and the client is installed or available in Python,
 - [Connect without authentication (default)](#connect-without-authentication-default)
 - [Connect with authentication](#connect-with-authentication)
 - [Connect with self-signed certificate](#encrypted-database-connection-with-self-signed-certificate)
+- [Connect with Single sign-on (SSO)](#connect-with-single-sign-on-sso)
 
 #### Connect without authentication (default)
 
@@ -269,6 +270,31 @@ with GraphDatabase.driver(URI, auth=AUTH) as client:
         print(record["name"])
 ```
 
+#### Connect with Single sign-on (SSO)
+
+<Callout type="warning">
+This is currently only supported for OIDC SSO.
+</Callout>
+
+To use SSO with the Python driver you need to get the access and id tokens yourself.
+One simple way to do it is to use the authlib library and follow the official [tutorial](https://docs.authlib.org/en/latest/client/oauth2.html).
+
+To connect to the Memgraph database you have to use the `custom_auth` class with the `scheme` parameter set as `oidc-entra-id`, `oidc-okta` or `oidc-custom` depending on which scheme you are using,
+`credentials` parameter set to contain both access and id tokens in the format shown in the example below. Finally set `principal` and `realm` parameters to `None`.
+
+Below is an example of connecting to the Memgraph database using OIDC SSO with custom auth scheme.
+```python
+with neo4j.GraphDatabase.driver(
+    "bolt://localhost:7687",
+    auth=neo4j.custom_auth(
+        scheme="oidc-custom",
+        credentials=f"access_token={token['access_token']};id_token={token['id_token']}",
+        principal=None,
+        realm=None,
+    )
+) as driver:
+```
+
 ### Query the database
 
 After connecting your client to Memgraph, you can start running queries. The simplest way to run queries is by using the `execute_query()` method which has an automatic transaction management.
diff --git a/pages/database-management/authentication-and-authorization/auth-system-integrations.mdx b/pages/database-management/authentication-and-authorization/auth-system-integrations.mdx
@@ -295,6 +295,31 @@ Role mapping is described [here](#single-sign-on).
 
 Issuer is `https://{your-okta-domain}.okta.com/oauth2/default/`. You can find the client ID on the Admin panel -> Applications -> General. You can find the authorization server on the Admin panel -> Security -> API -> Authorization Servers -> Audience. By default, it is set to `api://default`.
 
+##### Custom auth
+
+<Callout type="warning">
+This is currently only supported through the Neo4j drivers.
+</Callout>
+
+If you are using an OIDC provider which is not listed above you can use you the custom auth scheme.
+The only requirement is that your OIDC provider supports verifying the tokens through RSA algorithm (public & private key).
+
+Setup the following environmental variables:
+
+```mdx
+MEMGRAPH_SSO_CUSTOM_OIDC_PUBLIC_KEY_ENDPOINT=`URI where the public key for validating the tokens is exposed`
+MEMGRAPH_SSO_CUSTOM_OIDC_ACCESS_TOKEN_AUDIENCE=`access token audience`
+MEMGRAPH_SSO_CUSTOM_OIDC_ID_TOKEN_AUDIENCE=`id token audience`
+MEMGRAPH_SSO_CUSTOM_OIDC_ROLE_FIELD=`access token field to be used in the role mapping`
+MEMGRAPH_SSO_CUSTOM_OIDC_USERNAME=
+MEMGRAPH_SSO_CUSTOM_OIDC_ROLE_MAPPING=
+```
+
+Usernames are described below and role mappings are described [here](#single-sign-on).
+One way to deduce the audience of the access and id tokens is to decode them using a tool like `jwt.io`, check the `aud` field and deduce what it is.
+Often time access and id token will the use the same audience. For example in MS Entra ID both tokens use the client ID as audience.
+
+
 ##### Username 
 The username variable tells the OIDC module what to use as the username. It has the format `token-type:field`. 
 Token type can be `id` or `access` depending on whether you want to use a field from the access or the ID token for the username. See the following to learn more about [access](https://www.okta.com/identity-101/access-token/) and [id](https://developer.okta.com/docs/guides/validate-id-tokens/main/#id-tokens-vs-access-tokens) tokens.
@@ -306,6 +331,12 @@ For Okta one commonly used field is `access:sub` which is usually the email of t
 OIDC is by default enabled using the Memgraph `oidc.py` module. To use a custom auth module use the `--auth-module-mappings` [flag](/database-management/configuration#auth-module) like the following:
 `--auth-module-mappings=oidc-entra-id:/path/to/oidc-entra-module;oidc-okta:/path/to/oidc-okta-module` depending on the SSO provider you want to use.
 
+#### Using OIDC SSO with the Neo4j Python driver
+
+Connecting using SSO is supported with the Neo4j Python driver. For the
+instructions on how to connect, check the [Python driver
+docs](/client-libraries/python#connect-with-single-sign-on-sso).
+
 ## Basic (username + password) auth
 
 When Memgraph is set up to use the external auth module for basic authentication
