PubSub+ Cloud Console SSO with OpenID Connect

Organizations with an identity provider that supports OpenID Connect (OIDC) can enable single sign-on (SSO) for PubSub+ Cloud accounts in the PubSub+ Cloud Console. Console SSO allows users to log in directly to PubSub+ Cloud after being authenticated by an OIDC identity provider. You can enable Console SSO through the PubSub+ Cloud Console. For more information, see Configuring Single Sign-On for PubSub+ Cloud.

When Console SSO is enabled, users still need a PubSub+ Cloud account and an assigned role in PubSub+ Cloud to access the console.

You can also set up SSO for your event broker services, with additional configuration that includes role management and just-in-time provisioning. For more information, see Configuring Single Sign-On for Event Broker Services Using OpenID Connect.

Authenticating Users in PubSub+ Cloud

PubSub+ Cloud uses OAuth 2.0 with OpenID Connect 1.0 to authenticate users with SSO. During the SSO login, PubSub+ Cloud receives an OpenID Connect 1.0 ID token and an OAuth 2.0 token when the user authenticates through the identity provider.

The data flow of the authentication process is shown in the following diagram and described in the steps below:

Diagram illustrating the data flow described in the following text.

  1. A PubSub+ Cloud user connects to the Cloud Console.
  2. PubSub+ Cloud redirects the user login request to the authorization endpoint of the identity provider.
  3. The identity provider presents a login screen to the user. The identity provider may use additional methods, such as two-factor authentication, to verify the user's identity.
  4. The user provides the requested credentials to the identity provider and logs in successfully.
  5. The identity provider returns an authorization code to the user and redirects the user back to PubSub+ Cloud.
  6. The user sends the authorization code to PubSub+ Cloud.
  7. PubSub+ Cloud requests the user's ID token from the identity provider.
  8. The identity provider returns the ID token to PubSub+ Cloud. The token contains an email claim and, if role mapping is configured, a group claim.
  9. PubSub+ Cloud maps the email claim, and the group claim (if applicable), to the email address of the user's account to determine the user's roles.
  10. The user accesses PubSub+ Cloud.
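The following is an added example, not Solace's code, that models the ten steps above from the relying party's side using only the Python standard library. The identity provider is simulated in-process, the ID token is HS256-signed with a shared secret purely for demonstration (a real OIDC provider signs ID tokens with an asymmetric key published through its JWKS endpoint), and the issuer URL, client id, redirect URI, account directory and group-to-role table are all constructed assumptions. It shows the checks a console must make before trusting the token (state, signature, issuer, audience, expiry, nonce) and how the email and group claims are mapped to an existing account and its roles, as steps 5, 6, 8 and 9 describe.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.test"                          # assumed IdP issuer
CLIENT_ID = "pubsub-cloud-console"                           # assumed client id
REDIRECT_URI = "https://console.example.test/oidc/callback"  # assumed callback
SHARED_SECRET = b"demo-only-shared-secret"                   # demo signing key only

# Constructed directory of existing accounts (step 9 requires one) and the
# configured group-to-role mapping.
ACCOUNTS = {"alice@example.test": "alice"}
GROUP_TO_ROLE = {"platform-admins": "administrator", "developers": "messaging-manager"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_redirect():
    """Step 2: redirect the login to the IdP authorization endpoint."""
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    nonce = secrets.token_urlsafe(16)  # must come back inside the ID token
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid email",
              "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}", state, nonce


def sign_jwt(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class FakeIdP:
    """Simulated identity provider covering steps 3, 4, 5, 7 and 8."""

    def __init__(self):
        self.codes = {}

    def authorize(self, redirect_url, email, groups):
        # The user has logged in; issue a single-use code bound to the nonce.
        q = parse_qs(urlparse(redirect_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"email": email, "groups": groups, "nonce": q["nonce"][0]}
        return f"{q['redirect_uri'][0]}?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code):
        info = self.codes.pop(code)  # single use: a replayed code raises KeyError
        now = int(time.time())
        claims = {"iss": ISSUER, "aud": CLIENT_ID,
                  "sub": hashlib.sha256(info["email"].encode()).hexdigest()[:16],
                  "email": info["email"], "groups": info["groups"],
                  "nonce": info["nonce"], "iat": now, "exp": now + 300}
        return sign_jwt(claims)


def verify_id_token(token: str, expected_nonce: str, now: int = None) -> dict:
    """Validate signature and the iss/aud/exp/nonce claims before trusting the token."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    now = now or int(time.time())
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(callback_url, idp, expected_state, expected_nonce):
    """Steps 6 and 9: take the code back, fetch the ID token, map claims to account and roles."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    claims = verify_id_token(idp.token(q["code"][0]), expected_nonce)
    user = ACCOUNTS.get(claims["email"])
    if user is None:
        raise PermissionError("no PubSub+ Cloud account for this email")
    roles = sorted({GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE})
    return {"user": user, "roles": roles}


def run_login(email, groups):
    """Drive one complete login through the simulated IdP (steps 1 to 10)."""
    idp = FakeIdP()
    redirect, state, nonce = build_authorization_redirect()
    return handle_callback(idp.authorize(redirect, email, groups), idp, state, nonce)


def login_outcome(email, groups):
    """Return the mapped account and roles, or the failure class name."""
    try:
        return run_login(email, groups)
    except (ValueError, PermissionError, KeyError) as exc:
        return {"error": type(exc).__name__}


if __name__ == "__main__":
    print(login_outcome("alice@example.test", ["developers", "guests"]))
    print(login_outcome("bob@example.test", ["developers"]))
```

Unknown groups are simply ignored and an email with no existing account is rejected, which is the behaviour the note above the diagram describes: SSO authenticates the user, but a PubSub+ Cloud account and an assigned role are still required.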