Putting some Gravitee into Neo4j — Part I — on your marks, get set …
--
Preamble
I remember a time when Single Sign On (SSO) was just a technical possibility. Often vaguely formulated as a goal in one of those next generation corporate plans but almost immediately ditched when those plans became concrete. And a downright laughable idea from the point of view of application and database security, where the technical user ruled supreme.
And then the financial crisis of 2008 struck. Suddenly it became quite important to have end-to-end accountability and not just a correlation of events.
Things didn’t change overnight, but when I visited the IT headquarters of a big Swiss bank in 2018 … they had gone completely password-less, I even needed my assigned smart badge to visit the toilet! Any software that was to make it onto the bank’s shelves had to integrate into to system. Databases included.
Enter Neo4j’s view on SSO. For the longest time that was limited to an extra Kerberos plugin. Clearly an afterthought created for a couple of specific customers. It only works for applications connecting to the database too, the default clients such as Neo4j Browser, Bloom & Cypher shell can’t use it. If a customer — like said bank — needed SSO, the Neo4j Professional Services team built a custom solution.
The new 4.4 release (the LTS version of the Neo4j 4 releases) adds SSO in the main product. While it’s still early days, I wanted to grab the opportunity to try it out for myself …
I’m a decent system administrator (if I say so myself), I can find my way around the main cloud platforms and manage infrastructure on all. And as a member of the Neo4j EMEA Field Team I can set up the database blindfolded if I have to. Yes, yes, with SSL certificates and all that too. Not a problem. That’s only half of the setup though. You need an identity provider. You need something that provides the SSO flow, the dance of codes and tokens (that I myself only half understand) between the identity provider and the database …
Enter Gravitee. Gravitee is a platform that provides API management and Access Management. And this latter component provides exactly the something I’m describing above. Not only is this convenient for my experiments, Gravitee is FAPI certified … not a toy in other words.
Goal
For my first experiment I am going to set up an SSO solution for the Neo4j Browser access to a Neo4j Enterprise Edition database. The identity provider will be the default one that Gravitee provides itself. I’ll address integrating another identity provider in Part IV of this series.
Setup
- Machine. I’m going with a single AWS r5ad.large instance. Quite sufficient for an experiment, in production you go with a different machine for each of the components.
- DNS name. While this and the next item on the list may sound like overkill for an experiment, plain ips, basic http and self signed certificates really don’t cut the mustard here. In fact I found it a lot easier to get things to work if I used what you would use in production.
- Certificate matching the DNS name. LetsEncrypt is totally fine, I went with ZeroSSL.
- License for Neo4j Enterprise Edition. This can be a trial license, a startup license … it doesn’t matter, but as the Community Edition is not enough here, a license is needed.
Next up
Part II covers the installation and setup of Gravitee.
Part III covers the installation and setup of Neo4j.
(future) Part IV covers plugging in Google as an identity provider.
(future) Part V covers setting up and plugging in an LDAP directory as the identity provider.
