[{"content":"Needle StarterKit 2.0: Templates, Chatbot, and more! I am super excited to announce the release of Needle StarterKit 2.0, a comprehensive library designed to boost the development of your Neo4j front-end applications! This latest version is packed with new features and improvements that promise to accelerate your Time to Value (TTV) while focusing on your needs like never before.\nWhat\u0026rsquo;s New in 2.0? Needle StarterKit 2.0 introduces a variety of templates and components tailored to specific use cases across different industries, making it more adaptable and efficient for you. Key new features include:\n4 Templates:\nFoundation: The 1st template that was part of the Needle StarterKit. Modern and simple, for all variety of applications. Cybersecurity: Central search bar to find vulnerabilities or impact analysis in your network in a formatted table or graph. Movie: Based on the famous Neo4j Movie dataset. Ideal template for building an application on top of a recommendation engine. E-commerce: Aim to provide information on a selected product but also provide suggestions on what others have bought or similar products. 3 Components:\nChatbot: A chatbot interface that can easily be plugged into your backend. Ideal for building your next RAG Chatbot on top of a Knowledge Graph! Connection Modal: Connection interface to connect to a Neo4j Database. Header: A product header / Navbar Getting Started To get started with the Needle StarterKit 2.0, ensure you have Node v16 (or higher) installed. The kit is designed to work seamlessly with Neo4j v5.X or higher.\nQuick Installation Guide:\n1 2 3 4 git clone git@github.com:neo4j-labs/neo4j-needle-starterkit.git cd neo4j-needle-starterkit yarn install yarn run dev For a more detailed installation and configuration guide, please refer to the official documentation.\nExplore and Extend Dive deeper into what the new version has to offer by exploring the provided templates and components. Whether you\u0026rsquo;re working on cybersecurity, e-commerce, or any other domain, the starter kit has something for you!\nWe also now have a hosted app so that you can see it in action without having to deploy it in your environment, you can access it and try it out at: https://needle-starterkit.graphapp.io/\nThe StarterKit aims to accelerate your time to value when starting to develop an application from scratch, being able to start from a template instead of a blank page and customize it/extend it with your needs.\nAs part of this version, we also now provide independent components that you can use in your existing applications. For instance, if you think about adding a chatbot to your application, we have a component for that! Simply import the component, plug the message fetcher into your backend, and voila!\nWe also now provide patterns to help you build an application from a blank page without having to reinvent the wheel with components like the Header, ConnectionModal, and more. The Needle StarterKit is open source and Apache 2.0, visit the GitHub repository for more information, contribute, and/or access the source code: https://github.com/neo4j-labs/neo4j-needle-starterkit\nDocumentation and Support For comprehensive guidance on installing, configuring, and extending the StarterKit, the documentation is your go-to resource. Whether you\u0026rsquo;re a beginner or an experienced developer, you\u0026rsquo;ll find valuable insights to make the most out of this version 2.0!\nWhat\u0026rsquo;s next? In the next release, more templates and components will come into the Needle StarterKit but there\u0026rsquo;s more! How-to/guides/videos will see the light on how to use/integrate the components/templates. For instance with the chatbot interface, an end-to-end guide is currently in progress, so stay tuned if you don\u0026rsquo;t want to miss it!\n","date":"2024-03-14T00:00:00Z","image":"https://www.morgansenechal.com/p/needle-starterkit-2.0-templates-chatbot-and-more/assets/FeaturedImg_hu0f405efac9758aff8f9726d04abf8053_615473_120x120_fill_q75_box_smart1.jpg","permalink":"https://www.morgansenechal.com/p/needle-starterkit-2.0-templates-chatbot-and-more/","title":"Needle StarterKit 2.0: Templates, Chatbot, and more!"},{"content":"Needle StarterKit: The Ultimate Tool for Accelerating Your Graph App Projects Now that you have data in your Neo4j database, you want to take it to the next level and create an application for your users — but don’t know where to start? Look no further. This starter kit is made for you!\nWhat is Neo4j Needle StarterKit? The Neo4j Needle StarterKit is a template for developing applications aiming to reduce your development time and accelerate your Time To Value (TTV) ⏰. It leverages the Neo4j Needle design system, providing a responsive and user-friendly interface for applications that interact with Neo4j databases.\nhttps://github.com/msenechal/neo4j-needle-starterkit/\nKey Features 🚀 Responsive: Adapts to different screen sizes for optimal user experience. 🌚 Dark/Light Mode Theme 🌞: Includes a theme wrapper to switch between light and dark modes without having to reinvent the wheel! ⚙️ Neo4j Integration: A simple example for connecting to a Neo4j database. 🔐 Neo4j Auto-connect: Automatically connects to the Neo4j database if the user has a session saved (using localStorage). 💻 Side Navigation: Offers a navigational sidebar for easy access to different parts of the application. 🛠️️ Modular approach: Facilitates easy customization. Component Architecture The StarterKit’s architecture is modular, with each component serving a specific purpose. The main components are:\nApp: The root component that wraps everything within the ThemeWrapper. QuickStarter: Serves as the primary layout component, including the Header and PageLayout. Header: Contains the app bar with theme toggle and user information. PageLayout: Organizes the SideNav and the main Content. Content: The central area where the application’s main content is displayed. ConnectionModal: A modal dialog for connecting to a Neo4j database. Driver: Small utility class to connect to/disconnect from a Neo4j database. How to Use the StarterKit Installation To get started, ensure you have a Neo4j DB up and running. The easiest way to get this done is by starting a free Neo4j instance on Neo4j Aura, Sandbox, or Desktop (see the additional resources section at the end of this article).\nThen, all you need to do is clone the repository and install the dependencies:\n1 2 npm i npm run dev Code Snippets Here are some key components of the Starter kit:\nApp Component (App.tsx) 1 2 3 4 5 6 7 function App() { return ( \u0026lt;ThemeWrapper\u0026gt; \u0026lt;QuickStarter /\u0026gt; \u0026lt;/ThemeWrapper\u0026gt; ); } The main App is pretty simple. We have our ThemeWrapper (which enables us to have the light/dark mode theme applied to every component of our app without having to apply it everywhere) and the QuickStarter component, which is our main app (composed of the Header and Layout components)\nLight/Dark mode (Header.tsx) 1 2 3 4 5 6 7 8 9 10 11 \u0026lt;IconButton clean size=\u0026#34;large\u0026#34; onClick={themeUtils.toggleColorMode}\u0026gt; {theme.palette.mode === \u0026#34;dark\u0026#34; ? ( \u0026lt;span role=\u0026#34;img\u0026#34; aria-label=\u0026#34;sun\u0026#34;\u0026gt; \u0026lt;SunIconOutline /\u0026gt; \u0026lt;/span\u0026gt; ) : ( \u0026lt;span role=\u0026#34;img\u0026#34; aria-label=\u0026#34;moon\u0026#34;\u0026gt; \u0026lt;MoonIconOutline /\u0026gt; \u0026lt;/span\u0026gt; )} \u0026lt;/IconButton\u0026gt;; The selection of light/dark mode is done in the Header component through the toggle click that triggers the setMode in the ThemeWrapper, which then applies/injects the required classes based on the selected mode. You can then access the current mode in any child by using: theme.palette.mode\nDriver (Driver.tsx) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 export async function setDriver (connectionURI, username, password){ try{ driver = neo4j.driver(connectionURI, neo4j.auth.basic(username, password)) const serverInfo = await driver.getServerInfo() localStorage.setItem(\u0026#34;neo4j.connection\u0026#34;, JSON.stringify({\u0026#34;uri\u0026#34;:connectionURI, \u0026#34;user\u0026#34;:username, \u0026#34;password\u0026#34;:password})) return true } catch (err){ console.log(`Connection error\\n${err}\\nCause: ${err.cause}`) return false } } export async function disconnect (){ try{ driver.close(); return true; } catch (err){ console.log(`Disconnection error\\n${err}\\nCause: ${err.cause}`) return false } } The Driver util is composed of 2 functions:\nsetDriver: Takes a Neo4j URI, username, and password to create a driver connection to Neo4j. If successful, save the connection details to the localStorage (for future auto-login) and return true. If the connection fails, return false and log an error with the details.\ndisconnect: Close the current driver or return an error.\nAuto-login (Content.tsx) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 useEffect(() =\u0026gt; { if (!init) { let session = localStorage.getItem(\u0026#34;neo4j.connection\u0026#34;); if (session) { let neo4jConnection = JSON.parse(session); setDriver( neo4jConnection.uri, neo4jConnection.user, neo4jConnection.password ).then((isSuccessful: boolean) =\u0026gt; { setConnectionStatus(isSuccessful); }); } setInit(true); } }); The auto-login feature is done through a useEffect hook on the Content component. When the page is initialized, we check if there is a connection saved in the localStorage. If one is found, we use it to make a connection to the Neo4j DB. The connection status is then accessible through the state: connectionStatus, making it easy to separate the content you want to display if a Neo4j connection is made or not:\n1 2 3 4 5 6 7 { !connectionStatus ? ( \u0026lt;\u0026gt;Not connected content goes here\u0026lt;/\u0026gt; ) : ( \u0026lt;\u0026gt;Connected content goes here\u0026lt;/\u0026gt; ); } Connection (ConnectionModal.tsx) 1 2 3 4 5 6 7 function submitConnection() { const connectionURI = selectedProtocol + \u0026#34;://\u0026#34; + hostname + \u0026#34;:\u0026#34; + port; setDriver(connectionURI, username, password).then((isSuccessful) =\u0026gt; { setConnectionStatus(isSuccessful); }); setOpenConnection(false); } The connection component is a simple modal that submits the Neo4j URI, username, and password entered by the user to the Driver util we saw earlier.\nConclusion In conclusion, the Neo4j Needle StarterKit is an excellent starting point for developers looking to build applications with Neo4j. Its responsive design, theme flexibility, and modular architecture make it a versatile and user-friendly choice.\nIf you encounter issues or have any feedback on this starter kit, please feel free to:\nReach out on our Neo4j Discord or our community forum. Create git issues or PR. What Next? Now that you’re familiar with the basics of the template, it’s time to explore the possibilities this opens for you. Here are some ideas and directions you can take as simple next steps:\nRun your first Cypher query through the driver with a callback function. When you receive the data, display it as a text or table. From the step above, let’s make it a bit more visual by using a visualization library and rendering your graph data in your app. Enhance the application security by adding an authentication mechanism. ","date":"2023-11-08T00:00:00Z","image":"https://www.morgansenechal.com/p/needle-starterkit-the-ultimate-tool-for-accelerating-your-graph-app-projects/assets/FeaturedImg_hu762bb7a220c7aa079bcd6fbf02f979e5_417360_120x120_fill_q75_box_smart1.jpg","permalink":"https://www.morgansenechal.com/p/needle-starterkit-the-ultimate-tool-for-accelerating-your-graph-app-projects/","title":"Needle StarterKit: The Ultimate Tool for Accelerating Your Graph App Projects"},{"content":"\nIn your journey to exploring graph databases and getting valuable information, you will want to move your graph into production and share access to your graph with colleagues.\nYou might need to configure Single Sign-On (SSO) for security reasons and internal policies. This post will guide you through everything you need to know to configure and access your Neo4j graph with SSO authentication and authorization for both user applications (Neo4j Browser, Bloom, Neodash, …) as well as a backend service (which can be your ETL pipeline, GDS batches, etc.).\nIntroduction What you’ll learn in this article Let’s make a small demo based on an SSO integration. The data model is pretty simple. We have 3 Organization nodes, each in a specific region (EMEA, US, and APAC). Each of the organizations has an employee with a property: name.\nWe are going to have 2 users connecting to our application:\nAn end user based in EMEA (will be determined by a group assignment on the Azure Active Directory (AAD)) who can only see data for his region A technical user (or Service Principal) that can read and write anything in our graph from a backend service That sounds fun, right? Now let’s see how we can make this work:\nSection 1: We will have a high-level introduction to what SSO is and what we get from the integration with Neo4j. Section 2: We will setup both AAD and Neo4j to enable SSO authentication for end users. Section 3: We will setup both AAD and our backend service to enable SSO for a technical account (Service Principal). Section 4: We will put everything together with Neo4j Role Base Access Control (RBAC). And finally, this is what our simplified SSO flows will look like:\nPrerequisites and Assumptions For this post, we will focus on setting up SSO OpenID Connect (OIDC) for Neo4j Browser and a small Python script as the backend, both using Access Token. We will use Microsoft Azure Active Directory (AAD) as the IdP and use application roles for authorization and data access control.\nAlthough integration with other IdPs (Okta, Google Auth, \u0026hellip;), using different types of tokens, and separating the user apps and backend service in different Apps on the IdD and other architectures are possible, they can’t all be covered in one post.\nBefore diving into the technical details, ensure you have:\nRequired permissions on your IdP to create applications, users, and groups. A Neo4j Database up and running. Section 1: Understanding SSO and Neo4j Integration What Is Single Sign-On (SSO)? Single Sign-On (SSO) is an authentication mechanism that allows users to access multiple applications or services with a single set of credentials. It eliminates the need for users to remember and enter separate usernames and passwords for each application. SSO enhances user experience, reduces friction, and improves security by centralizing authentication.\nEnd User vs. Technical Account SSO End User: Enables seamless access for human users by allowing them to log in once and access multiple services without repeated authentication.\nTechnical Account/Service Principal: Facilitates automated, programmatic access for applications and services, enhancing security and enabling controlled resource interaction.\nBenefits of SSO integration With Neo4j Unified User Experience: Users can access Neo4j and other applications with a single set of credentials, streamlining their interactions and reducing login fatigue. Centralized Identity Management: Neo4j can delegate authentication to a trusted Identity Provider (IdP), reducing the complexity of managing user accounts. Enhanced Security: With SSO, Neo4j can rely on the IdP’s security mechanisms, such as multi-factor authentication, for an added layer of protection. RBAC Integration: SSO allows for efficient Role-Based Access Control (RBAC) implementation, leveraging roles assigned by the IdP for Neo4j’s access controls. Now that we know what SSO and Neo4j are and what benefits we can leverage with the integration, let’s get our hands dirty!\nSection 2: Setting Up the SSO for User Apps Azure Active Directory (AAD) Configuration The first thing we need to do is create an Enterprise Application on AAD. To do so, head over to https://portal.azure.com and go to the AAD service (from this screen, note your Tenant ID as we will need it later for the Neo4j configuration). On the left menu, click on Enterprise Applications and create a new application.\nOn the top, select Create your own application and give it a name. For this example, I will call it “Neo4jSSO” (make sure to select Register an application to integrate with Azure AD, which will trigger the registration of the application).\nSelect the supported account type that fits your needs. For this example, I will only allow accounts in my organization. We can then set the redirect URI, which is mandatory for the Neo4j tools (Browser, Bloom, …).\nThe type for Neo4j Browser is a Single Page Application, and your redirect URI should look like this:\n1 http://localhost:7474/browser/?idp_id=azure\u0026amp;auth_flow_step=redirect_uri Replace http://localhost:7474/browser/ according to your server. This must be your Neo4j Browser URL. Replace azure in the second part to reflect the IdP ID you want to give for this setup. This can be anything, but it will need to match the ID you provide in the Neo4j configuration in the next section. Next, we will configure our application to create a custom scope and therefore restrict access protected by the API. To configure the application, select Single Sign-On on the left menu, then Go to application.\nFrom there, We can note a couple of things that are going to be required for the Neo4j configuration:\nYour Application (client) ID in the essentials card. This is usually a set of 5 UIDs separated by a — Your OpenID Connect metadata document (aka Well Known Discovery). You can obtain it by clicking on Endpoints at the top. :warning: If you want to enable SSO for other tools than just Neo4j Browser, simply click on Authentication on the left menu, and add the Redirect URIs for each of your applications.\nTo create the scope, head over to Expose an API on the left menu, then click on Add a scope and keep it to the default value, which should be your application ID.\nOn the next screen, give your scope a name. For my example, I will name it Neo4jToken. Give an accurate description and display name, then add the scope. Now we need to authorize the client application by adding the application as per the screen below:\nThe last step to enable the API is to give it the required permissions. Select API Permissions on the left menu, then + Add a permission and search for your App name in the APIs my organization uses. On the next screen, give the permission for the scope we just created, add permissions, and finally Grant admin consent for the added permission.\nFinally, before we move into the Neo4j configuration, make sure to check that the accessTokenAcceptedVersion property in the manifest is set to 2. This is required because we will be using the v2 endpoints and will be using custom-mapped claims for the backend configuration later.\nNeo4j Configuration Now let’s dive into the Neo4j configuration so we can test the SSO Authentication from Neo4j Browser.\n1 2 3 4 5 6 7 8 9 10 11 12 13 dbms.security.authentication_providers=oidc-\u0026lt;idp-id\u0026gt;,native dbms.security.authorization_providers=oidc-\u0026lt;idp-id\u0026gt;,native dbms.security.oidc.\u0026lt;idp-id\u0026gt;.display_name=\u0026lt;display-name\u0026gt; dbms.security.oidc.\u0026lt;idp-id\u0026gt;.well_known_discovery_uri=\u0026lt;well-known-discovery\u0026gt; dbms.security.oidc.\u0026lt;idp-id\u0026gt;.auth_flow=pkce dbms.security.oidc.\u0026lt;idp-id\u0026gt;.config=principal=\u0026lt;user-claim\u0026gt;;code_challenge_method=S256 dbms.security.oidc.\u0026lt;idp-id\u0026gt;.claims.username=\u0026lt;user-claim\u0026gt; dbms.security.oidc.\u0026lt;idp-id\u0026gt;.audience=\u0026lt;audience\u0026gt; dbms.security.oidc.\u0026lt;idp-id\u0026gt;.params=client_id=\u0026lt;client-id\u0026gt;;response_type=code;scope=openid profile email \u0026lt;api\u0026gt; dbms.security.oidc.\u0026lt;idp-id\u0026gt;.claims.groups=roles \u0026lt;idp-id\u0026gt;: This must be the same as the value you provided earlier in the redirect URI. In my example, this will be azure \u0026lt;display-name\u0026gt;: This will be the name displayed on the SSO button when opening Neo4j Browser. In this example, I will use SSO Login \u0026lt;well-known-discovery\u0026gt;: This is the Well Known Discovery we saved earlier. Usually in the form of https://login.microsoftonline.com/your-tenant-id/v2.0/.well-known/openid-configuration \u0026lt;user-claim\u0026gt;: The claim you want to use for the username. In this example, I will use preferred_username \u0026lt;audience\u0026gt;: The audience of the token. Usually for the v2, this will be the same as your Client Application ID \u0026lt;client-id\u0026gt;: The Client Application ID we saved earlier \u0026lt;api\u0026gt;: This is the API we created earlier. In this example it was api://client-id/Neo4jToken Note that by default Neo4j configuration file already contain a line for the authentication_providers and authorization_providers, which can lead to errors when starting Neo4j if you have duplicates of these settings. Make sure to comment or remove them as shown below:\n1 2 #dbms.security.authentication_providers=native #dbms.security.authorization_providers=native And voila! You should now be able to start (or restart) your Neo4j database and login with SSO. Make sure to check that your username is correct.\nSection 3: Implementing SSO for a Backend Service Azure Active Directory (AAD) Configuration In order to allow our backend to connect to Neo4j using SSO we need to create a technical account (aka Service Principal) that will be used by our script. For this example, we will use a client secret to get a token on behalf of our application.\nHead over to the Certificates \u0026amp; secrets on the left menu, then click on New client secret. Give the client\u0026rsquo;s secret a description and an expiration.\nDon’t forget to copy the Value (not the Secret ID) as this only appear once and we will need it for our backend script.\nNext, we need to create an application role so that we can later assign it to our ServicePrincipal. To do this, select App roles on the left menu and click on Create app role. Enter the display name you want, select Both (Users/Groups + Applications) as the allowed member types, and provide a value. For this example, I will give my technical user the Architect role.\nWe now need to give the API permission for this new application role. This is done in the same way as we did before by going to API Permissions then Add a permission =\u0026gt; APIs my organization uses =\u0026gt; YourApp =\u0026gt; Application permissions and select the new role you created above.\nDo not forget to grant admin consent. This should result in something similar to the screen below:\nThe final couple of steps we need to do on the Azure AD is to assign the role to our ServicePrincipal and create a custom claim. Custom claims are claims we can add to our token for which we can define the value with a custom mapping, transformation, or fixed value.\nBefore we move out of the application, make sure to go to the manifest and check that the value of acceptMappedClaims is true (default is null) and save if you need to make the change.\nTo Create the custom claim as well as assign the role to our ServicePrincipal, we need to go back to the EnterpriseApplication view (Home =\u0026gt; Azure Active Directory =\u0026gt; Enterprise Applications =\u0026gt; YourApp).\nFrom the left menu, select Users and groups. From there, you should see your ServicePrincipal. Select it and Edit assignment. Click on Select a role from the right menu. You should be able to see and select your application role. You should now have your application role assigned to your ServicePrincipal as below:\nFinally, we need to create a custom claim for our ServicePrincipal since this is not a real user. It does not contain a username claim such as preferred_username, email, etc. To create a custom claim, Select Single Sign-On from the left menu and click on Edit in the Attributes \u0026amp; Claims card.\nFrom there, let’s add a new claim. For this example, I will name it myCustomUsername and select Transformation as the Source so we can map an attribute or value depending on a condition. For this demo, I will map the user’s email, and for our ServicePrincipal, I will set a default “Neo4jServicePrincipal” but you can use other types of transformation or custom claims.\nNow let’s move into the Neo4j configuration as there are a few changes we need to make so it can accept our Service Principal token.\nNeo4j Configuration From the configuration we made in Section 2, we need to change the new username claim (the custom claim we created in the previous step):\n1 2 dbms.security.oidc.\u0026lt;idp-id\u0026gt;.config=principal=\u0026lt;user-claim\u0026gt;;code_challenge_method=S256 dbms.security.oidc.\u0026lt;idp-id\u0026gt;.claims.username=\u0026lt;user-claim\u0026gt; In the previous step, I created a custom claim named myCustomUsername. This will be my new value for . Additionally, you can use the group_to_role_mapping if you want to map your new role to a specific role in your Neo4j Database. (note that this is optional).\nBackend Service GitHub - msenechal/SSO-clientCredentials: SSO-clientCredentials\nFor this example, I will be using a Python script (available in the GitHub repository above). In this script, we will acquire a user token from Azure and use that token to authenticate to Neo4j. The repo also contains a Nodejs version, but you can achieve the same with any other language as long as there is a Neo4j driver available and you can acquire a token from client credentials.\nThe script is pretty simple:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 import sys import json import base64 import msal from neo4j import GraphDatabase, bearer_auth config = json.load(open(sys.argv[1])) app = msal.ConfidentialClientApplication( config[\u0026#34;client_id\u0026#34;], authority=config[\u0026#34;authority\u0026#34;], client_credential=config[\u0026#34;secret\u0026#34;], ) result = app.acquire_token_for_client(scopes=config[\u0026#34;scope\u0026#34;]) if \u0026#34;access_token\u0026#34; in result: with GraphDatabase.driver(config[\u0026#34;NEO4J_URI\u0026#34;], auth=bearer_auth(result[\u0026#39;access_token\u0026#39;])) as driver: driver.verify_connectivity() records, summary, keys = driver.execute_query( \u0026#34;MERGE (p:Person {name:\u0026#39;ServicePrincipal\u0026#39;, type:\u0026#39;servicePrincipalSSO\u0026#39;, app:\u0026#39;python\u0026#39;}) RETURN p\u0026#34;, database_=\u0026#34;neo4j\u0026#34;, ) else: print(result.get(\u0026#34;error\u0026#34;)) print(result.get(\u0026#34;error_description\u0026#34;)) print(result.get(\u0026#34;correlation_id\u0026#34;)) First, we are reading the AAD config from a json file passed as a parameter when you run the Python script:\n1 config = json.load(open(sys.argv[1])) Then we use the MSAL library to get a token from client credentials:\n1 2 3 4 5 6 app = msal.ConfidentialClientApplication( config[\u0026#34;client_id\u0026#34;], authority=config[\u0026#34;authority\u0026#34;], client_credentia=config[\u0026#34;secret\u0026#34;], ) result = app.acquire_token_for_client(scopes=config[\u0026#34;scope\u0026#34;]) And finally, this last part is connecting to Neo4j using the Access Token and creating a node Person (We won’t be using it, but this is so we can test both the authentication and authorization) in the graph with a few properties:\n1 2 3 4 5 6 with GraphDatabase.driver(config[\u0026#34;NEO4J_URI\u0026#34;], auth=bearer_auth(result[\u0026#39;access_token\u0026#39;])) as driver: driver.verify_connectivity() records, summary, keys = driver.execute_query( \u0026#34;MERGE (p:Person {name:\u0026#39;ServicePrincipal\u0026#39;, type:\u0026#39;servicePrincipalSSO\u0026#39;, app:\u0026#39;python\u0026#39;}) RETURN p\u0026#34;, database_=\u0026#34;neo4j\u0026#34;, ) If all goes well, you can execute by running:\n1 python python/main.py params.json And you should now see this new node in your Neo4j graph, created by the Python script using client credentials SSO, as well as this entry in the security.log from Neo4j:\nINFO [Neo4jServicePrincipal]: logged in\nNow, although all of this is awesome, let’s take a step further and play with the roles we get from Azure AD to restrict access and permissions on the graph!\nSection 4: Putting It All Together With RBAC Role Based Access Control in Neo4j 4.1\nNeo4j RBAC, or Role-Based Access Control, is a security mechanism implemented to control and manage user access to specific data and operations within the database.\nAzure Active Directory (AAD) Configuration For this to work, we will need to assign a role to our end user so we can restrict his access based on his role. For this example, I will assign myself the role “EMEA” and keep the role architect for the Service Principal. This way, with the same query, I will only be able to see Tom, where the backend should see all employees.\nTo assign the “EMEA” role, we simply need to re-do the exact same steps we did in Section 3 when we created the role “architect” and assigned it to the Service Principal. In short: Head to the AAD application, create an app role, give the right permission on the API and assign the new role to your user on the Enterprise Application screen.\nNeo4j Graph First, we need to create the role EMEA so we can assign the right permissions. The Cypher script below :\n(optional) Clean the DB. Create the role. Give access to the Neo4j DB, give permission to MATCH any node with the label EMEA and give permission to traverse the relationship HAS_EMPLOYEE to the role EMEA. Create the graph. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 // 1. Make sure the DB is empty // Uncommenting the line below will delete everything in your database // MATCH (n) DETACH DELETE n; // 2. Create the EMEA Role CREATE ROLE EMEA; // 3. Grant access to the DB as well as match on the EMEA nodes + relationship GRANT ACCESS ON DATABASE `neo4j` TO EMEA; GRANT MATCH {*} ON GRAPH `neo4j` NODE EMEA TO EMEA; GRANT TRAVERSE ON GRAPH neo4j RELATIONSHIPS HAS_EMPLOYEE TO EMEA; // 4. Create the graph CREATE (:Organization:EMEA)-[:HAS_EMPLOYEE]-\u0026gt;(:Person:EMEA {name: \u0026#34;Tom\u0026#34;}), (:Organization:US)-[:HAS_EMPLOYEE]-\u0026gt;(:Person:US {name: \u0026#34;Sabrina\u0026#34;}), (:Organization:APAC)-[:HAS_EMPLOYEE]-\u0026gt;(:Person:APAC {name: \u0026#34;Lee\u0026#34;}); For this example, we will be using this simple match query, returning the name of the employees.\n1 MATCH (o:Organization)-[:HAS_EMPLOYEE]-\u0026gt;(p:Person) RETURN p.name Trying It Out! Backend In this example, our Service Principal has the architect role, meaning he should be able to access and read data from the entire graph. Using the same Python script as we used in Section 3, we can simply update the Cypher query and print the result to stdout:\n1 2 3 4 5 records, summary, keys = driver.execute_query( \u0026#34;MATCH (o:Organization)-[]-\u0026gt;(p:Person) RETURN p.name\u0026#34;, database_=\u0026#34;neo4j\u0026#34;, ) print(records) Result:\n\u0026lt;Record p.name=’Tom’\u0026gt;, \u0026lt;Record p.name=’Sabrina’\u0026gt;, \u0026lt;Record p.name=’Lee’\u0026gt;\n🎉 We can see all 3 employees as expected.\nUser App (Neo4j Browser) Using the previously created SSO integration, I can connect to Neo4j Browser with my user and get the role “EMEA” we assigned on Azure earlier. With the same Cypher query, we should now only see Tom:\nTada 🎉\nWhat Next? Although this was a fun demo to make and demonstrate all the potential of an SSO integration with Neo4j, we can still take a step further and extend it by adding Bloom or Neodash with SSO to have a user-friendly visualization dashboard accessible through the seamless authentication process.\nIn this demo, we had 2users: 1 user with the EMEA role and one technical account who can access everything. As a next step and a good way to test what you learned in this post, I suggest you try to add 2 users to your IdP, one with the role US and another with the role APAC and make sure all 3 users (EMEA, US, and APAC) can only see their region’s data 🤓\nFor enterprises looking to elevate their security, we can also enable multi-factor authentication and much more. The possibilities are endless!\nWrapping Up This was only a short post explaining and showing the strength of an SSO OIDC integration with Neo4j and RBAC. The implementation can differ depending on different factors such as your architecture, environment, customization, SSO protocol (OIDC, SAML, …) and so on.\nIf you encounter issues while setting up SSO with Neo4j, Neo4j user apps (Browser, Bloom, Workspace, Aura,…), NeoDash, and others, here are a few key things you can look at:\nRead the official Neo4j/Neodash documentation linked below on how to configure SSO. Read your IdP (AAD, Okta, …) documentation on setting up SSO. Reach out on our Neo4j Discord or our community forum. For customers, you can also create a support ticket on our support. Additionally, if you need one of our experts you can consult our website Neo4j Professional Services or reach out directly at ps_emea_pmo@neotechnology.com. ","date":"2023-08-17T00:00:00Z","image":"https://www.morgansenechal.com/p/how-to-integrate-neo4j-with-sso-on-azure-one-login-to-rule-them-all/assets/Diagram_hub5de8ebbbc28a6eb27948e20f5bcb2a0_247988_120x120_fill_box_smart1_3.png","permalink":"https://www.morgansenechal.com/p/how-to-integrate-neo4j-with-sso-on-azure-one-login-to-rule-them-all/","title":"How to Integrate Neo4j With SSO on Azure — One Login to Rule Them All"}]