Add SSO support

[antepusic]

Description

This module adds Memgraph-side support for SSO.

[master < Task] PR

• Provide the full content or a guide for the final git message

  Add SSO support

CI Testing Labels

Please select the appropriate CI test labels (CI -build=build-name -test=test-suite)

Documentation checklist

• Add the documentation label tag
• Add the bug / feature label tag
• Add the milestone for which this feature is intended
  • If not known, set for a later milestone
• Write a release note, including added/changed clauses
  • [Release note text]
• Link the documentation PR here
  • [Documentation PR link]
• Tag someone from docs team in the comments

[andrejtonev]

Looks good.
Would just like to go over it with you. I think we could combine the two authentication implementations into one.

[andrejtonev]

This function seems very similar to the authentication via module.
Can we reuse the code somehow?

[antepusic]

I’ve extracted the code shared between the two into methods of their own.

[andrejtonev]

Communicate why the authentication failed to the user.

[antepusic]

Superseded (this code is now the same as before)

[andrejtonev]

Aren't we disabling userless logins when using SSO?

[antepusic]

Done

[andrejtonev]

I would like to combine the Authenticate and SSOAuthenticate into a single function.
Don't really see why they should be separate.

[antepusic]

The two methods have now become significantly different

[andrejtonev]

Perhaps we need to sync again.
The last product meeting changes the logic quite a bit. Not sure we are all on the same page.

[andrejtonev]

Can we rename status to module_name or something similar?

[antepusic]

Done

[andrejtonev]

I am not sure that gflags supports arguments with spaces.
Something like --flag arg1 arg2 should generate the flag's value only to "arg1".

[antepusic]

You’re right about gflags (and environment variables are like this in general), but this works when the environment variable is set as a string, e.g. --auth-module-mappings="test-admin: admin; test-reader: reader". I’ve corrected the description to clarify that.

[andrejtonev]

What is a basic module?

[antepusic]

Basic authentication is the auth scheme that takes a username and a password.

The scheme basic requires a username principal::String and a password credentials::String

– https://neo4j.com/docs/bolt/1.0/bolt/message/#messages-logon

By analogy, modules marked with basic in the scheme → module mapping handle authentication that takes an username + password and sends them to an external module. This covers LDAP.

[andrejtonev]

Is this correct?
We need to support multiple authentication schemes and a native authentication.
The user will write something like auth_enable: auth1, auth2, native.
We should disable the users and local authentication only if the native authentication is missing, not if we are using any module.

[andrejtonev]

Just a bit more context for this.
Currently memgraph supports or a native authentication or one via a module.
That is why some functionalities are disabled when the module is active.
We now need to enable those feature, but only for users that have been authorized via the native method.

[andrejtonev]

For example, we do not want to handle any user data locally when a user is authorized via a module. Meaning that we send over the username/password or certificate and get back a role. This role is then used for the authorization.
Currently when updating a role or user, we check to see if we are using a module and allow only role updates in that case.
We also disable crating/deleting a user when we are using a module.
All of these things should be re-enabled, even if we are using a module.

[andrejtonev]

We support native auth, and allow the user to change it as they need.
The only this the module influences is the order the authentication is tried and if a connection can be authenticated using the native auth.

If something is not clear, we can jump on a call :D

[antepusic]

Thanks for the detailed explanation! I’ve applied your suggestions so that users logged in via module can modify Memgraph-internal user data, e.g. run CREATE USER or SHOW USERS.

[andrejtonev]

Can we generalize the module call and response check?
Basically have a function that takes in the params and scheme and executed everything else.

[antepusic]

Good idea

[andrejtonev]

Do you need this check?
Shouldn't the ModuleMappingsToMap return an empty set either way?

[antepusic]

That’s true – I just wanted to avoid calling the function if there’s no need

[andrejtonev]

We are supporting only a single module per scheme?

[antepusic]

That’s correct (and appropriate because the schemas are granular, e.g. it’s "saml-entra-id" and not just "saml"/"entra-id").

[andrejtonev]

@tonilastre does this cover all the use-cases you're interested in?
I know you were talking about having multiple LDAP modules. Could all those also be defined in this way?

[tonilastre]

Just to confirm the above re scheme, the scheme contains both the protocol and identity provider, so it is a single module per scheme.

Re: LDAP, not sure because I haven't worked with that + Memgraph.

[andrejtonev]

How are we enabling/disabling the native auth?

[antepusic]

Memgraph receives user credentials from Bolt’s LOGON/HELLO messages, and uses native auth or SSO depending on the value of the scheme field.

There’s no ambiguity as to whether native auth or SSO is used:

• SSO → Memgraph Lab sends messages with SSO-specific values, e.g. "saml-okta".
• Native auth → the scheme field is always "basic" (see Bolt Protocol message specification).

[andrejtonev]

We should allow both LDAP and/or native auth.
Their order should be the order the user defined in the argument list.

[antepusic]

The LDAP module is indexed with "basic" while processing the flags (see also #1990 (comment)), i.e. we support them both.

As for auth method ordering, we’ve avoided that (see meeting note: https://www.notion.so/memgraph/2024-04-30-SSO-Lab-Core-Sync-2-ccb4755e30be4cebb8beb7d7cc16f77d?pvs=4#8eab766c1ecd457d8a6c8cd18849b298)

[andrejtonev]

!modules_.contains("basic") is ambiguous.
How are we suppose to disable or enable both?

[antepusic]

@andrejtonev Thank you for the review!

Perhaps we need to sync again. The last product meeting changes the logic quite a bit. Not sure we are all on the same page.

In light of that meeting, I’ve updated the spec (changes in green) and we can sync together.

[andrejtonev]

@gitbuda are you okay with us enabling all native auth functionalities even when modules are used?
What I mean specifically is that any modifications to the native auth data is disable when we run modules. This made sense when the modules would modify the data. We disabled that some time ago.
We now need to allow both native and module authentication. I think we can allow the user to change the native user data at any time (even when the native auth is disabled).

[andrejtonev]

@tonilastre does this cover all the use-cases you're interested in?
I know you were talking about having multiple LDAP modules. Could all those also be defined in this way?

[andrejtonev]

!modules_.contains("basic") is ambiguous.
How are we suppose to disable or enable both?

[tonilastre]

@tonilastre does this cover all the use cases you're interested in?
I know you were talking about having multiple LDAP modules. Could all those also be defined in this way?

@andrejtonev, regarding this: I am sure about LDAP, but SSO + native is something that is used often. When you have a database running you want to establish an SSO provider connected with your directory of employees who can access the database (e.g. analysts, data engineers, etc), but there will be some internal applications where you can't set up an SSO for it, so applications will need a native auth (API key = username, API secret = password).

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud