Add SSO docs (#797)

* Add docs for OAuth setup (WIP)

* Add docs for Okta OAuth

* Replace references to OAuth with OIDC

* Update single-sign-on.mdx

* new: Add SAML for Entra and Okta

---------

Co-authored-by: Kruno Golubic <46486712+kgolubic@users.noreply.github.com>
Co-authored-by: Toni Lastre <toni.lastre@memgraph.io>

pages/data-visualization/user-manual.mdx

@@ -211,6 +211,11 @@ numeral `lat` and `lng` properties.
 allows users to query the Memgraph database using the English language instead
 of Cypher queries.
 
+## Single sign-on (SSO)
+
+[Single sign-on (SSO)](/data-visualization/user-manual/single-sign-on) is a Memgraph
+enterprise feature that provides authorization and authentification to your database. 
+
 ## Run history
 
 Here you can search or view ran queries or applied styles, with the information
@@ -438,4 +443,4 @@ description of the video as well:
 - Datasets section ([1:09:55](https://youtu.be/Tt5KPKylU8k?t=4195))
 - Keyword suggestion tool ([1:11:15](https://youtu.be/Tt5KPKylU8k?t=4275))
 - Customizing graph results ([1:12.48](https://youtu.be/Tt5KPKylU8k?t=4365))
-- Custom query modules ([1:27:33](https://youtu.be/Tt5KPKylU8k?t=5253))
+- Custom query modules ([1:27:33](https://youtu.be/Tt5KPKylU8k?t=5253))

pages/data-visualization/user-manual/single-sign-on.mdx

@@ -0,0 +1,208 @@
+---
+title: Single sign-on (SSO)
+description: Single sign-on (SSO) is a Memgraph enterprise feature that provides authorization and authentification for your database.
+---
+
+import { Callout } from "nextra/components";
+
+# Single sign-on (SSO)
+
+Single sign-on (SSO) is a Memgraph enterprise feature that provides authorization and authentification to your database.
+
+Memgraph supports two types of SSO methods - **OpenID Connect (OIDC + OAuth 2.0)** and **SAML**,
+and two identity providers - **Microsoft Azure (Entra ID)** and **Okta**.
+To set up SSO on Memgraph Lab, you must configure the appropriate environment variables.
+
+<Callout>
+
+Single sign-on is not supported on the desktop version of Memgraph Lab.
+
+</Callout>
+
+## OpenID Connect (OIDC)
+
+The setup of OIDC (which includes OAuth 2.0) is done by setting two pairs of different environment variables.
+One set is for Microsoft Entra ID, and a separate set of environment variables should be assigned for Okta.
+
+### Entra ID
+
+To set up OIDC for Microsoft Azure,
+[follow the official guide](https://learn.microsoft.com/en-us/entra/architecture/auth-oidc#implement-oidc-with-microsoft-entra-id) and
+[register an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).
+
+To enable OIDC for the Microsoft Entra ID identity provider, make sure to assign the
+following environment variables when hosting Memgraph Lab:
+
+```bash
+AUTH_OIDC_ENTRA_ID_IS_ENABLED=true
+AUTH_OIDC_ENTRA_ID_DISPLAY_NAME='Entra ID'
+AUTH_OIDC_ENTRA_ID_AUTHORIZATION_URL=
+AUTH_OIDC_ENTRA_ID_TOKEN_URL=
+AUTH_OIDC_ENTRA_ID_USER_INFO_URL=
+AUTH_OIDC_ENTRA_ID_CLIENT_ID=
+AUTH_OIDC_ENTRA_ID_CLIENT_SECRET=
+AUTH_OIDC_ENTRA_ID_CALLBACK_URL=.../auth/providers/oidc-entra-id/callback
+AUTH_OIDC_ENTRA_ID_SCOPE=openid
+```
+
+The empty values can be found on the Azure dashboard under the created app registration.
+
+![](/pages/data-visualization/lab-user-manual/sso-oidc-entra-callback.png)
+
+![](/pages/data-visualization/lab-user-manual/sso-oidc-entra-endpoints.png)
+
+![](/pages/data-visualization/lab-user-manual/sso-oidc-entra-secret.png)
+
+### Okta
+
+To set up OIDC for Okta, follow the [official guide](https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/)
+and make sure to set up a [custom authorization server](https://developer.okta.com/docs/concepts/auth-servers/#custom-authorization-server).
+
+To enable OIDC for the Okta provider, make sure to assign the
+following environment variables when hosting Memgraph Lab:
+
+```bash
+AUTH_OIDC_OKTA_IS_ENABLED=true
+AUTH_OIDC_OKTA_DISPLAY_NAME='Okta'
+AUTH_OIDC_OKTA_ISSUER=xxx.okta.com
+AUTH_OIDC_OKTA_AUTHORIZATION_URL=https://${AUTH_OIDC_OKTA_ISSUER}/oauth2/v1/authorize
+AUTH_OIDC_OKTA_TOKEN_URL=https://${AUTH_OIDC_OKTA_ISSUER}/oauth2/v1/token
+AUTH_OIDC_OKTA_CLIENT_ID=
+AUTH_OIDC_OKTA_CLIENT_SECRET=
+AUTH_OIDC_OKTA_CALLBACK_URL=xxx/auth/providers/oidc-entra-id/callback
+AUTH_OIDC_OKTA_SCOPE=openid
+```
+
+The empty values can be found on the Okta admin panel dashboard under the created app.
+
+![](/pages/data-visualization/lab-user-manual/sso-oidc-okta-issuer.png)
+
+![](/pages/data-visualization/lab-user-manual/sso-oidc-okta-secret.png)
+
+![](/pages/data-visualization/lab-user-manual/sso-oidc-okta-endpoints.png)
+
+## SAML
+
+You can integrate Single sign-on (SSO) using SAML protocol for
+Microsoft Entra ID and/or Okta. Check the details for each
+identity provider down below.
+
+### Entra ID
+
+The setup consists of two steps: creating a new app registration through the
+Microsoft Entra ID portal and then filling out the Lab environment variables
+for a complete integration.
+
+#### Register new application
+
+On the Microsoft Entra ID portal, make sure to create a new App registration.
+You will need to fill out the application name and the redirect URI. The type
+of the redirect URI should be "Web" and the value should be in the form:
+`<protocol>://<lab host>:<lab port>/auth/providers/saml-entra-id/callback`. If
+your Lab is on `localhost:3000`, then the full URL is `http://localhost:3000/auth/providers/saml-entra-id/callback`.
+If your Lab is deployed on some other domain (e.g. `my.domain.com` with SSL) then
+the URL should be `https://my.domain.com/auth/providers/saml-entra-id/callback`.
+
+> Note: A value for the "Redirect URI" field will be the same one for the
+> Lab environment variable `AUTH_SAML_ENTRA_ID_CALLBACK_URL`.
+
+Check the screenshot below for a reference.
+
+![](/pages/data-visualization/lab-user-manual/sso-saml-entra-app-registration.png)
+
+If you already have an app registration, just make sure to add a new Redirect URI to
+your existing app registration.
+
+#### Set up Lab integration
+
+Once the app registration is ready, you have all the required values for a full
+integration. You will need two fields:
+
+* **Application (client) ID** - shown in the app "Essentials" list.
+* **SAML sign-on endpoint** - shown in the list after you click on "Endpoints".
+
+![](/pages/data-visualization/lab-user-manual/sso-saml-entra-copy-fields.png)
+
+To configure the Lab for the Entra ID SSO SAML integration, make sure to fill
+out the following environment variables:
+
+Required:
+
+* `AUTH_SAML_ENTRA_ID_IS_ENABLED=true` - to enable SAML via Entra ID. The
+  default is `false`.
+* `AUTH_SAML_ENTRA_ID_ENTRY_POINT=https://...` - value from the "SAML sign-on endpoint" on
+  in the "Endpoints" list. The entry point usually ends up with `.../saml2`, e.g.
+  `https://login.microsoftonline.com/651mem6g-25ra-4ph2-me52-23mg24r906aph/saml2`.
+* `AUTH_SAML_ENTRA_ID_CALLBACK_URL=http://...` - SAML redirect URI used when creating
+  an app integration on Entra ID, it should contain the lab host and port along with
+  the URL path `/auth/providers/saml-entra-id/callback`, e.g.
+  `http://localhost:3000/auth/providers/saml-entra-id/callback`.
+* `AUTH_SAML_ENTRA_ID_APP_ID=` - application ID is shown in the app "Essentials" list,
+  e.g. `651mem6g-25ra-4ph2-me52-23mg24r906aph`.
+
+Optional:
+
+* `AUTH_SAML_ENTRA_ID_DISPLAY_NAME=` - the display name of the SSO integration on the
+  Lab UI. The default value is `Entra ID` so the UI will be `Sign in with Entra ID`.
+
+
+### Okta
+
+The set up consists of two steps: creating an application through Okta admin
+interface and then filling out the Lab environment variables for a complete
+integration.
+
+#### Create Okta application
+
+To set up SAML with Okta, open up the Okta admin interface and
+create a new app integration. For a "Sign-in method" select SAML 2.0
+and click "Next".
+
+![](/pages/data-visualization/lab-user-manual/sso-saml-okta-application-creation.png)
+
+In the second step of SAML set up, set the following value for the
+"Single-sign on URL" input: `<protocol>://<lab host>:<lab port>/auth/providers/saml-okta/callback`.
+If your Lab is on `localhost:3000`, then the full URL
+is `http://localhost:3000/auth/providers/saml-okta/callback`. If your Lab
+is deployed on some other domain (e.g. `my.domain.com` with SSL) then
+the URL should be `https://my.domain.com/auth/providers/saml-okta/callback`.
+
+> Note: A value for "Single-sign on URL" field will be the same one for the
+> Lab environment variable `AUTH_SAML_OKTA_CALLBACK_URL`.
+
+![](/pages/data-visualization/lab-user-manual/sso-saml-okta-configuration.png)
+
+For the field "Audience URI (SP Entity ID)" you can input just the
+`<protocol>://<lab host>:<lab port>/` part. Check the screenshot above for
+a reference. You are free to set up and configure all other fields
+however you like.
+
+#### Set up Lab integration
+
+Once the app integration is created, click on "Settings" and expand
+the "SAML details". In there, you will find two values, "Sign on URL" and
+"Issuer". You will need both values for the Lab configuration.
+
+![](/pages/data-visualization/lab-user-manual/sso-saml-okta-copy-fields.png)
+
+To configure the Lab for the Okta SSO SAML integration, make sure to fill
+out the following environment variables:
+
+Required:
+
+* `AUTH_SAML_OKTA_IS_ENABLED=true` - to enable SAML via OKTA. The
+  default is `false`.
+* `AUTH_SAML_OKTA_ENTRY_POINT=https://...` - value from the "Sign on URL" on
+  SAML settings. The entry point usually ends up with `.../sso/saml`, e.g.
+  `https://my.okta.com/app/my-application/exke6ubrkbz/sso/saml`.
+* `AUTH_SAML_OKTA_CALLBACK_URL=http://...` - SAML callback URL used when creating
+  an app integration on Okta, it should contain the lab host and port along with
+  the URL path `/auth/providers/saml-okta/callback`, e.g.
+  `http://localhost:3000/auth/providers/saml-okta/callback`.
+* `AUTH_SAML_OKTA_ISSUER=http://www.okta.com/...` - value from the "Issuer" on
+  SAML settings, e.g. `http://www.okta.com/exke6ubrkbz`.
+
+Optional:
+
+* `AUTH_SAML_OKTA_DISPLAY_NAME=` - the display name of the SSO integration on the
+  Lab UI. The default value is `Okta` so the UI will be `Sign in with Okta`.

pages/database-management/ssl-encryption.mdx

@@ -1,10 +1,10 @@
 ---
 title: SSL encryption
-description: Learn how to enable SSL encryption to secure data transmission and protect sensitive information. More security features are at your disposal in our documentation page.  
+description: Learn how to enable SSL encryption to secure data transmission and protect sensitive information. More security features are at your disposal in our documentation page.
 ---
 
-import { Tabs, Tab } from 'nextra/components'
-import { Steps } from 'nextra/components'
+import { Tabs, Tab } from "nextra/components";
+import { Steps } from "nextra/components";
 
 # SSL encryption
 
@@ -90,9 +90,8 @@ docker run -p 7687:7687 -p 7444:7444 -v mg_lib:/var/lib/memgraph -v mg_etc:/etc/
 
 Use [Neo4j driver for JavaScript](https://neo4j.com/developer/javascript/), and
 add `+ssc` to the UNI when defining a `MEMGRAPH_URI` constant: <br/>
-<code>MEMGRAPH_URI = 'bolt+ssc://18.196.53.118:7687'</code>.
-<p>
-</p>
+
+<code>MEMGRAPH_URI = 'bolt+ssc://18.196.53.118:7687'</code>.<p></p>
 
 **Python**
 
@@ -171,8 +170,10 @@ authenticated and encrypted connection to a database instance.
     ```
     docker start memgraph_container
     ```
-   {<h3>Enable SSL connection</h3>}
-   Choose the prefer way to connect to Memgraph and first [enable SSL connection](/database-management/ssl-encryption#enable-ssl-connection).    
+
+{<h3>Enable SSL connection</h3>}
+Choose the preferred way to connect to Memgraph and first [enable SSL connection](/database-management/ssl-encryption#enable-ssl-connection).
+
 </Steps>
 
 ## Linux