Single sign-on (SSO)

Single sign-on (SSO)

Single sign-on (SSO) is a Memgraph enterprise feature that provides authorization and authentification to your database.

Memgraph supports two types of SSO methods - OpenID Connect (OIDC + OAuth 2.0) and SAML, and two identity providers - Microsoft Azure (Entra ID) and Okta. To set up SSO on Memgraph Lab, you must configure the appropriate environment variables.

💡

Single sign-on is not supported on the desktop version of Memgraph Lab.

OpenID Connect (OIDC)

The setup of OIDC (which includes OAuth 2.0) is done by setting two pairs of different environment variables. One set is for Microsoft Entra ID, and a separate set of environment variables should be assigned for Okta.

Entra ID

To set up OIDC for Microsoft Azure, follow the official guide (opens in a new tab) and register an application (opens in a new tab).

To enable OIDC for the Microsoft Entra ID identity provider, make sure to assign the following environment variables when hosting Memgraph Lab:

AUTH_OIDC_ENTRA_ID_IS_ENABLED=true
AUTH_OIDC_ENTRA_ID_DISPLAY_NAME='Entra ID'
AUTH_OIDC_ENTRA_ID_AUTHORIZATION_URL=
AUTH_OIDC_ENTRA_ID_TOKEN_URL=
AUTH_OIDC_ENTRA_ID_USER_INFO_URL=
AUTH_OIDC_ENTRA_ID_CLIENT_ID=
AUTH_OIDC_ENTRA_ID_CLIENT_SECRET=
AUTH_OIDC_ENTRA_ID_CALLBACK_URL=.../auth/providers/oidc-entra-id/callback
AUTH_OIDC_ENTRA_ID_SCOPE=openid

The empty values can be found on the Azure dashboard under the created app registration.

Okta

To set up OIDC for Okta, follow the official guide (opens in a new tab) and make sure to set up a custom authorization server (opens in a new tab).

To enable OIDC for the Okta provider, make sure to assign the following environment variables when hosting Memgraph Lab:

AUTH_OIDC_OKTA_IS_ENABLED=true
AUTH_OIDC_OKTA_DISPLAY_NAME='Okta'
AUTH_OIDC_OKTA_ISSUER=xxx.okta.com
AUTH_OIDC_OKTA_AUTHORIZATION_URL=https://${AUTH_OIDC_OKTA_ISSUER}/oauth2/v1/authorize
AUTH_OIDC_OKTA_TOKEN_URL=https://${AUTH_OIDC_OKTA_ISSUER}/oauth2/v1/token
AUTH_OIDC_OKTA_CLIENT_ID=
AUTH_OIDC_OKTA_CLIENT_SECRET=
AUTH_OIDC_OKTA_CALLBACK_URL=xxx/auth/providers/oidc-entra-id/callback
AUTH_OIDC_OKTA_SCOPE=openid

The empty values can be found on the Okta admin panel dashboard under the created app.

SAML

You can integrate Single sign-on (SSO) using SAML protocol for Microsoft Entra ID and/or Okta. Check the details for each identity provider down below.

Entra ID

The setup consists of two steps: creating a new app registration through the Microsoft Entra ID portal and then filling out the Lab environment variables for a complete integration.

Register new application

On the Microsoft Entra ID portal, make sure to create a new App registration. You will need to fill out the application name and the redirect URI. The type of the redirect URI should be "Web" and the value should be in the form: <protocol>://<lab host>:<lab port>/auth/providers/saml-entra-id/callback. If your Lab is on localhost:3000, then the full URL is http://localhost:3000/auth/providers/saml-entra-id/callback. If your Lab is deployed on some other domain (e.g. my.domain.com with SSL) then the URL should be https://my.domain.com/auth/providers/saml-entra-id/callback.

Note: A value for the "Redirect URI" field will be the same one for the Lab environment variable AUTH_SAML_ENTRA_ID_CALLBACK_URL.

Check the screenshot below for a reference.

If you already have an app registration, just make sure to add a new Redirect URI to your existing app registration.

Set up Lab integration

Once the app registration is ready, you have all the required values for a full integration. You will need two fields:

  • Application (client) ID - shown in the app "Essentials" list.
  • SAML sign-on endpoint - shown in the list after you click on "Endpoints".

To configure the Lab for the Entra ID SSO SAML integration, make sure to fill out the following environment variables:

Required:

  • AUTH_SAML_ENTRA_ID_IS_ENABLED=true - to enable SAML via Entra ID. The default is false.
  • AUTH_SAML_ENTRA_ID_ENTRY_POINT=https://... - value from the "SAML sign-on endpoint" on in the "Endpoints" list. The entry point usually ends up with .../saml2, e.g. https://login.microsoftonline.com/651mem6g-25ra-4ph2-me52-23mg24r906aph/saml2.
  • AUTH_SAML_ENTRA_ID_CALLBACK_URL=http://... - SAML redirect URI used when creating an app integration on Entra ID, it should contain the lab host and port along with the URL path /auth/providers/saml-entra-id/callback, e.g. http://localhost:3000/auth/providers/saml-entra-id/callback.
  • AUTH_SAML_ENTRA_ID_APP_ID= - application ID is shown in the app "Essentials" list, e.g. 651mem6g-25ra-4ph2-me52-23mg24r906aph.

Optional:

  • AUTH_SAML_ENTRA_ID_DISPLAY_NAME= - the display name of the SSO integration on the Lab UI. The default value is Entra ID so the UI will be Sign in with Entra ID.

Okta

The set up consists of two steps: creating an application through Okta admin interface and then filling out the Lab environment variables for a complete integration.

Create Okta application

To set up SAML with Okta, open up the Okta admin interface and create a new app integration. For a "Sign-in method" select SAML 2.0 and click "Next".

In the second step of SAML set up, set the following value for the "Single-sign on URL" input: <protocol>://<lab host>:<lab port>/auth/providers/saml-okta/callback. If your Lab is on localhost:3000, then the full URL is http://localhost:3000/auth/providers/saml-okta/callback. If your Lab is deployed on some other domain (e.g. my.domain.com with SSL) then the URL should be https://my.domain.com/auth/providers/saml-okta/callback.

Note: A value for "Single-sign on URL" field will be the same one for the Lab environment variable AUTH_SAML_OKTA_CALLBACK_URL.

For the field "Audience URI (SP Entity ID)" you can input just the <protocol>://<lab host>:<lab port>/ part. Check the screenshot above for a reference. You are free to set up and configure all other fields however you like.

Set up Lab integration

Once the app integration is created, click on "Settings" and expand the "SAML details". In there, you will find two values, "Sign on URL" and "Issuer". You will need both values for the Lab configuration.

To configure the Lab for the Okta SSO SAML integration, make sure to fill out the following environment variables:

Required:

  • AUTH_SAML_OKTA_IS_ENABLED=true - to enable SAML via OKTA. The default is false.
  • AUTH_SAML_OKTA_ENTRY_POINT=https://... - value from the "Sign on URL" on SAML settings. The entry point usually ends up with .../sso/saml, e.g. https://my.okta.com/app/my-application/exke6ubrkbz/sso/saml.
  • AUTH_SAML_OKTA_CALLBACK_URL=http://... - SAML callback URL used when creating an app integration on Okta, it should contain the lab host and port along with the URL path /auth/providers/saml-okta/callback, e.g. http://localhost:3000/auth/providers/saml-okta/callback.
  • AUTH_SAML_OKTA_ISSUER=http://www.okta.com/... - value from the "Issuer" on SAML settings, e.g. http://www.okta.com/exke6ubrkbz.

Optional:

  • AUTH_SAML_OKTA_DISPLAY_NAME= - the display name of the SSO integration on the Lab UI. The default value is Okta so the UI will be Sign in with Okta.