SAML/OIDC SSO for Neo4j Graph Database Access

Neo4j Inc.

Add SAML/OIDC Single Sign-On to Neo4j connections. Replace shared credentials with identity-based access. Full Cypher query audit trail with individual accountability.

Overview

Why Neo4j Needs Identity-Based Access

Neo4j is the leading graph database, used for knowledge graphs, fraud detection, recommendation engines, network analysis, and identity resolution. Neo4j databases contain highly connected data that reveals relationships, patterns, and networks. A compromised Neo4j instance can expose social connections, financial transaction networks, fraud detection models, and organizational structures. OnePAM's database proxy adds SAML/OIDC authentication to Neo4j Bolt protocol connections, providing identity-verified access to your graph data.

Database Security Risks

Neo4j Access Security Risks

Without identity-based database access, these risks threaten your data every day.

Shared database credentials across teams and environments
No audit trail for individual query activity
Static passwords stored in config files and environment variables
Inability to revoke access instantly when team members leave
Default port 7687 exposed without identity verification

The Challenge

Database Security Challenges

These are the risks organizations face with traditional database authentication.

Shared Graph Credentials

Teams share Neo4j credentials, making it impossible to attribute graph queries to specific analysts.

No Native SSO for Bolt

Neo4j Enterprise supports SSO for Browser but not for Bolt protocol connections used by applications and analysts.

Relationship Data Sensitivity

Graph databases reveal connections and relationships. Fraud detection graphs, social networks, and identity resolution data are highly sensitive.

No Cypher-Level Auditing

Neo4j query logs show the database user but not the human analyst executing Cypher queries.

Enterprise-Only SSO

Neo4j's built-in SSO features require the Enterprise edition. Community edition has no SSO options.

Model Exposure

Graph schemas and trained models for fraud detection or recommendations represent significant intellectual property.

Setup Guide

How OnePAM Adds SSO to Neo4j

Step-by-step guide to deploying identity-based database access.

1. Connect via OnePAM Proxy

Point your Neo4j client (Neo4j Browser, Cypher Shell, driver) to OnePAM's proxy.

OnePAM speaks Bolt protocol natively, compatible with all Neo4j clients and drivers.

2. Authenticate via Corporate IdP

OnePAM authenticates you via SAML/OIDC with MFA.

Analysts authenticate with corporate credentials. No database-specific passwords.

3. Credential Injection

OnePAM retrieves Neo4j credentials from its vault for the authenticated session.

Short-lived credentials scoped to the authenticated identity.

4. Cypher Logging with Identity

Every Cypher query logged with the analyst's corporate identity.

Complete audit trail for data governance and regulatory compliance.

Key Benefits

Benefits of SSO for Neo4j

What changes when you deploy identity-based database access.

Graph Query Accountability

Every Cypher query tied to a specific analyst via corporate identity.

100% query attribution

Zero Credential Exposure

Analysts never handle Neo4j passwords. Vault-injected credentials.

Zero credential exposure

Protect Relationship Data

Social graphs, fraud networks, and identity data accessible only to authorized analysts.

Relationship data protected

SSO for Neo4j Community

Get enterprise SSO for Neo4j Community Edition via OnePAM's proxy.

Enterprise SSO for community edition

Instant Analyst Offboarding

Disable an analyst and graph database access stops immediately.

Instant revocation

Compliance Audit Trail

Identity-verified Cypher query logs for SOC 2, GDPR, and fraud investigation compliance.

Audit-ready

SSO Features

Database SSO Features

Every feature needed for enterprise-grade database authentication.

SAML 2.0 and OIDC authentication for Neo4j
Native Bolt protocol support
Works with Neo4j Browser, Cypher Shell, and all drivers
Database and label-level access control
Role mapping from IdP groups
Short-lived credentials from vault
Read-only vs read-write policies
Time-limited sessions
Graph traversal depth limits
Just-in-time privilege elevation

Security

Security Features

Enterprise-grade security controls for database access.

Credential vaulting with AES-256 encryption
Automatic credential rotation
Cypher-level audit logging
Data masking in logs
IP allowlist enforcement
TLS encryption for all connections
No direct Neo4j port exposure
Session timeout enforcement
Large result set detection
SIEM integration

Real-World Scenarios

Neo4j SSO Use Cases

Common scenarios where organizations deploy OnePAM Database SSO.

1. Data scientists querying knowledge graphs with individual identity
2. Fraud analysts accessing fraud detection graphs with MFA enforcement
3. SOC 2 compliance for identity-verified graph query logs
4. Neo4j Community Edition deployments needing enterprise SSO
5. Contractor access to graph data with time limits and auditing
6. Protecting recommendation engine models and training data
7. Identity resolution systems with PII data governance requirements
8. Network analysis databases with classified or sensitive data

Frequently Asked Questions

SSO for Neo4j FAQ

Common questions about Database SSO and query-level auditing.

Does OnePAM work with Neo4j Aura?

Yes. OnePAM's proxy works with Neo4j Aura, Neo4j Enterprise, and Neo4j Community Edition.

Does OnePAM support Neo4j Community Edition?

Yes. OnePAM provides enterprise SSO capabilities to Neo4j Community Edition at the proxy layer — no Enterprise license required.

Does OnePAM work with Neo4j's Java, Python, and JavaScript drivers?

Yes. OnePAM speaks native Bolt protocol. All official Neo4j drivers work transparently through the proxy.

Can I restrict access to specific graph databases?

Yes. OnePAM policies can restrict which databases each analyst can access based on IdP groups.

Does OnePAM affect graph traversal performance?

OnePAM adds sub-millisecond latency per query. For graph traversals, this is negligible compared to query execution time.

Add SSO to Neo4j Access

Deploy OnePAM database proxy in minutes. No Neo4j configuration changes required.