Authentication and Authorization to PubSub+ Cloud

To perform any actions in PubSub+ Cloud, users must authenticate and they must have a role that authorizes them to perform such tasks as creating and managing event broker services using Mission Control, monitoring event broker services with Insights, or designing an event-driven architecture (EDA) in Event Portal. For more information, see Role-Based User and Group Authorization.

User authentication and authorization can be integrated with your organization's existing identity management system if it supports OpenID Connect to enable single sign-on (SSO). For more information, see PubSub+ Cloud Console Authentication using SSO.

You can also configure authentication and authorization to access to individual event broker services from PubSub+ Broker Manager. For more information, see Accessing Broker Manager.

In addition to users, client applications can be given access to perform tasks in PubSub+ Cloud. Authentication and authorization are handled using API tokens created by users in the PubSub+ Cloud Console. For more information, see API Tokens for Client Applications.

Client application access to event broker services is handled separately. For information about client authentication and authorization, see Client Application Connectivity and Security.

Role-Based User and Group Authorization

PubSub+ Cloud has built-in roles that provide permissions to access specific functionality. Users with the Administrator role have permissions to use all features. Each PubSub+ Cloud account must have at least one administrator. Additional roles available in PubSub+ Cloud allow you to control the permissions that users have within the account. These fine-grained permissions permit authenticated users to perform tasks such as:

  • orchestrating and managing event broker services
  • managing event meshes
  • designing your EDA
  • monitoring your deployment and accessing advanced monitoring capabilities
  • modifying billing for the account
  • managing users, permissions, and account settings

For more information, see Roles and Permissions.

If you have SSO enabled, you can also assign roles to user groups and map claims received from your identity provider (IdP) with your user groups to automatically add users to groups. When group management is enabled, users are automatically added to groups based on the claim mappings you have configured. For more information, see Group Management.

You can also use role-based access to manage permissions to access individual event broker services and specific application domains in Event Portal. For more information, see Configuring User Access to Event Broker Services and Managing User Access to Event Portal.

PubSub+ Cloud Console Authentication using SSO

Solace recommends integrating PubSub+ Cloud with your organization's existing central identity management system when it's based on OpenID Connect. This integration provides single sign-on (SSO) for your organization's users and effectively presents PubSub+ Cloud as another service that users are authorized to use.

SSO can make user management and identity management more secure and easier to use, and gives your organization better control over user profiles. For example, changes to your organization's security strategy seamlessly apply to users who access PubSub+ Cloud. SSO integration is supported for various providers, including Microsoft Entra ID, Okta, PingOne, and Auth0. For more information about setting up SSO, see Configuring Single Sign-On with OpenID Connect.

If your organization uses SSO for authentication with PubSub+ Cloud, you can also use it for management access to event broker services. For more information, see Configuring Single Sign-On for Event Broker Services.

Accessing Broker Manager

You can access event broker services directly using PubSub+ Broker Manager. For more information about Broker Manager security, see PubSub+ Broker Manager.

Access to an event broker service is handled through credentials that are generated when the event broker service is created. By default, users with the Administrator or Mission Control Manager roles are pre-authenticated to access event broker services through the Cloud Console. Pre-authenticated access to Broker Manager can be disabled for an entire account, which forces users to enter the credentials manually or sign in via SSO. For more information, see Pre-Authentication for Broker Manager.

Regardless of whether you enable pre-authentication security, if your event broker services are deployed in a Customer-Controlled Region, it's possible that you can connect from a public IP address to the PubSub+ Cloud Console (outside of your private network) to create and configure event broker services, but cannot connect to Broker Manager.

The ability to connect to Broker Manager depends on the networking configuration of your private network (i.e., most private networks use 10.x.y.z, 172.x.y.z, or 192.x.y.z IP addresses, which are not reachable from a public network). If your network configuration permits it, you can connect to Broker Manager when it's deployed in a private network if you:

  • Use a VPN connection such as a VPN client on your computer (or AWS VPN) to connect to the VPC/VNet.
  • Have VNet peering (Azure) or VPC peering (AWS) configured between the network where you're connected and the private network where the event broker services are deployed.
  • Have a DNS mapping from the event broker service to your private network. Contact Solace to configure this DNS mapping request.

API Tokens for Client Applications

Client applications can be authenticated and authorized to perform management operations, for example configuring event broker services or continuous integration and development (CI/CD) functions, using the PubSub+ Cloud REST APIs. This capability is useful in large-scale deployments that require automation to obtain efficiencies and better integrations with other enterprise systems.

API key control for authentication and authorization to PubSub+ Cloud is provided with API tokens. API tokens can be generated to authenticate and authorize client applications to perform management actions on an account. API tokens permit finer-grained control of permissions for client applications than the roles assigned to a user profile. For more information about permissions and API tokens, see Managing API Tokens.

Users can generate API tokens in the PubSub+ Cloud Console. The permissions that a user can assign to a generated API token are a subset of the permissions that their role provides them in the account. In other words, a user cannot create an API token with permissions over and beyond what they have been assigned. A user can also revoke an API token at any time.
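The two authorization rules this page describes, claim-to-group mapping that grants roles under SSO (see Group Management above) and the requirement that an API token's permissions be a subset of its creator's, can be modelled together. The following is an added illustration, not Solace code: the role names, permission strings, claim names and group names are constructed placeholders, not PubSub+ Cloud's real identifiers.

```python
# Constructed role -> permission table (placeholder names, not PubSub+ Cloud's own).
ROLE_PERMISSIONS = {
    "administrator": {"services:manage", "mesh:manage", "eda:design",
                      "insights:view", "billing:modify", "account:manage"},
    "mission-control-manager": {"services:manage", "mesh:manage"},
    "event-portal-editor": {"eda:design"},
}

# Constructed claim mappings: (claim name, claim value, group). A matching
# claim received from the IdP adds the user to the group automatically.
CLAIM_MAPPINGS = [
    ("groups", "platform-ops", "Platform Operators"),
    ("groups", "architects", "EDA Architects"),
]

# Constructed group -> role assignments.
GROUP_ROLES = {
    "Platform Operators": {"mission-control-manager"},
    "EDA Architects": {"event-portal-editor"},
}


def groups_from_claims(claims: dict) -> set:
    """Resolve IdP claims to groups using the configured mappings."""
    found = set()
    for claim, value, group in CLAIM_MAPPINGS:
        got = claims.get(claim)
        values = got if isinstance(got, list) else [got]  # claims may be scalar or list
        if value in values:
            found.add(group)
    return found


def effective_permissions(claims: dict) -> set:
    """Union of the permissions of every role granted through the user's groups."""
    perms = set()
    for group in groups_from_claims(claims):
        for role in GROUP_ROLES.get(group, ()):
            perms |= ROLE_PERMISSIONS[role]
    return perms


def validate_token_request(user_perms: set, requested: set) -> set:
    """Return the requested permissions the user does not hold.

    An empty result means the token may be issued; anything returned is the
    over-privilege that must be rejected, because a token can never carry
    more than its creator's own permissions.
    """
    return set(requested) - set(user_perms)
```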