Configuring Single Sign-On for Event Broker Services

You can configure authentication for management access to event broker services to use the same single sign-on (SSO) capabilities as the Solace Cloud Console. Using SSO allows users to authenticate with Broker Manager for an event broker service using the same credentials they use to access the Cloud Console. Authorization for management access is handled with claims configured for your identity provider (IdP).

Event Broker Service SSO configures management access through Broker Manager to event broker services. Access to the messages and events (or machine-to-machine authentication) uses a different authentication mechanism (for example, basic authentication, LDAP, client certification, or OAuth provider) that is configured separately for client applications. For more information, see Configuring User Authentication.

To enable SSO for an event broker service, complete the following tasks:

  1. Enable SSO for Solace Cloud.
  2. Enable group management and just-in-time provisioning for the account. For more information, see Considerations for Using Event Broker Service SSO.
  3. View the list of event broker services in your account and their status. For more information, see Viewing the SSO Status for Event Broker Services.
  4. Enable SSO for the event broker service. For more information, see Enabling SSO for an Event Broker Service.
  5. Copy the event broker service URI and add it as a redirect URI in your IdP. For more information, see Retrieving the URI for an Event Broker Service.

After you have completed the tasks above, you can:

  • Check the SSO status of the event broker service in several ways.
  • If you no longer want an event broker service to use SSO, you can disable it. For more information, see Disabling SSO for an Event Broker Service.
  • If you make SSO configuration changes, such as adding new claim mappings, you can update each event broker service with the updated SSO configuration. If an event broker service needs a configuration update, it shows a status of Enabled with a message of SSO configuration requires an update. For more information, see Viewing the SSO Status for Event Broker Services.

Considerations for Using Event Broker Service SSO

Before you configure SSO using OIDC, your account must meet the following requirements:

  • You must have an Enterprise Account for Solace Cloud. Trial accounts do not support SSO configuration via OpenID Connect (OIDC).
  • Only users with the Administrator role can enable SSO for an event broker service. Users with Mission Control Manager role cannot enable SSO.
  • The roles in your Enterprise Account must be mapped appropriately to the roles in your identity provider:
    • The Administrator and Mission Control Manager roles give edit permissions to the Message VPN on the event broker service.
    • The Mission Control Viewer role gives read access to the Message VPN on the event broker service.
  • If you have private and public endpoints configured for the event broker service, the redirect URIs need to be configured on the IdP, and SSO via OIDC must be enabled on the account.
  • Group management must be set up on the account.
  • Just-in-time provisioning must be configured on the account.

After SSO is enabled on the event broker service, users have management access to it (for example, using Broker Manager) via SSO. You can check the Management Access for the event broker service on the Status page for the service. For more information, see Detailed Event Broker Service Information.

You can also configure SSO using the REST API for Solace Cloud. For more information, see Managing Single Sign-On for Event Broker Services with the Solace Cloud REST API.

Viewing the SSO Status for Event Broker Services

You can view the SSO status for all event broker services on the Manage Brokers screen. To view the Manage Brokers screen, perform these steps:

  1. Log in to the Solace Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the Solace Cloud Console.
  2. On the navigation bar, select User & Account, and then select Account Details.
  3. On the Account Details page, select the Infrastructure SSO Settings tab.
  4. Click Manage Brokers.

The list of event broker services contains the following information:

Broker Name
The name of the event broker service.
Broker SSO Status
The status of SSO configuration on the event broker service. The statuses are as follows:
  • Disabled—No SSO configuration is available on the event broker service and SSO has been disabled. Event broker services that have this state support SSO. To see how to access Broker Manager, see the Status tab for the event broker service in Cluster Manager.
  • Enabled—The SSO configuration was successfully updated on the event broker service and SSO has been enabled. If the URI has been updated on your identity provider, you can use SSO credentials to access Broker Manager. If the SSO configuration requires an update, it shows the message SSO configuration requires an update. To update the configuration, see Updating the SSO Configuration for an Event Broker Service.
  • Does not support SSO—The event broker service doesn't support SSO. This can be because you are using a legacy broker version. For information about upgrading your event broker service, see Upgrading Event Broker Services in Solace Cloud.
  • In Progress—An operation to enable, update, or remove the SSO configuration from the event broker service is in progress.
  • Failed—Enabling, disabling, or updating the SSO configuration failed. A recommendation for an action appears.
Datacenter
The location where the event broker service resides, which corresponds to the region name selected when you created the event broker service.
Broker URI
The URI used by your identity provider (IdP) as a redirect URI. If you have configured multiple connection endpoints, multiple redirect URIs are shown as a comma-separated entry. You can copy the redirect URIs to your IdP. For more information, see Retrieving the URI for an Event Broker Service.

Retrieving the URI for an Event Broker Service

To complete the configuration so that a user can access an event broker service using SSO, the identity provider you've chosen must be configured with the correct redirect URI of each event broker service.

The format of the URI is as follows:

https://<serviceredirectid>.messaging.solace.cloud/oauth/complete

  • where <serviceredirectid> represents the specific event broker service
  • where messaging.solace.cloud is the domain for the event broker service. This value may differ depending on your deployment or region of the Solace Home Cloud you selected. It is recommended that you verify the values in the Broker URI field in the list of event broker services in Manage Brokers.

If you have private and public endpoints configured for your event broker service, there is a separate URI for each endpoint that must be added to your identity provider. This may mean that you have multiple URIs to add as redirects for an event broker service. For more information, see Configuring Custom Hostnames for an Event Broker Service.

To retrieve the required redirect URI for an event broker service and copy it to your clipboard, use the following actions:

  1. In the Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the Infrastructure SSO Settings tab.
  3. Click Manage Brokers.
  4. In the Manage Brokers dialog, select an event broker service from the list.
  5. For the selected event broker service, click Actions and select Copy Broker URI.

The URI of the selected event broker service is copied to your clipboard. It can be pasted as the redirect URIs in your identity provider.

Multiple URIs are copied as a comma-separated list. If your IdP doesn't support this format, manually enter each URI.
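Because an IdP that registers a looser redirect URI than the documented shape can be made to deliver authorization codes somewhere other than the broker, it is worth checking each copied URI before pasting it. The following Python is an added example, not Solace code: it splits the comma-separated clipboard value described above and checks every entry against the documented form https://<serviceredirectid>.<domain>/oauth/complete. The service ids in the sample input are constructed, and the domain is parameterised because the page notes it can differ by deployment or region.

```python
from urllib.parse import urlsplit

# Documented shape: https://<serviceredirectid>.<domain>/oauth/complete
# The page's example domain; pass the domain you verified in Manage Brokers
# if your deployment or region uses a different one.
DEFAULT_DOMAIN = "messaging.solace.cloud"
REDIRECT_PATH = "/oauth/complete"

# Constructed sample of what "Copy Broker URI" puts on the clipboard for a
# service with two endpoints (ids are made up for this example).
SAMPLE_COPIED = (
    "https://svc-public-example.messaging.solace.cloud/oauth/complete, "
    "https://svc-private-example.messaging.solace.cloud/oauth/complete"
)


def split_broker_uris(copied: str) -> list[str]:
    """Split the comma-separated clipboard value into individual URIs."""
    return [u.strip() for u in copied.split(",") if u.strip()]


def check_redirect_uri(uri: str, domain: str = DEFAULT_DOMAIN) -> list[str]:
    """Return the ways `uri` deviates from the documented shape (empty = exact match).

    Every component is compared exactly: no http, no extra host labels, no
    port, no query, fragment or userinfo. Register only URIs that pass."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    host = parts.hostname or ""
    suffix = "." + domain
    if not host.endswith(suffix):
        problems.append(f"host must be <serviceredirectid>{suffix}, got {host!r}")
    elif "." in host[: -len(suffix)] or not host[: -len(suffix)]:
        # Guards against e.g. svc.messaging.solace.cloud.attacker.example and
        # against a multi-label prefix that the documented form does not allow.
        problems.append(f"service redirect id must be a single label in {host!r}")
    if parts.port is not None:
        problems.append(f"unexpected explicit port {parts.port}")
    if parts.path != REDIRECT_PATH:
        problems.append(f"path must be {REDIRECT_PATH}, got {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not part of the redirect URI")
    if parts.username or parts.password:
        problems.append("userinfo is not allowed in the redirect URI")
    return problems


def check_copied_uris(copied: str, domain: str = DEFAULT_DOMAIN) -> dict[str, list[str]]:
    """Map each URI in the copied list to its list of problems."""
    return {u: check_redirect_uri(u, domain) for u in split_broker_uris(copied)}
```

Run check_copied_uris on the clipboard value and register only the entries whose problem list is empty; anything else was either copied incorrectly or is not a broker redirect URI.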

Enabling SSO for an Event Broker Service

When you enable SSO on an event broker service, the service receives the most recent SSO configuration from your Solace Cloud account.

To enable SSO for an event broker service, perform these steps:

  1. In the Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the Infrastructure SSO Settings tab.
  3. Click Manage Brokers.
  4. In the Manage Brokers dialog, select an event broker service from the list.
  5. Click Actions and select Enable SSO.

After you enable SSO on the event broker service, ensure that the URI has been added to your identity provider. For more information, see Retrieving the URI for an Event Broker Service. You can verify that you can connect to the event broker service using SSO by connecting to it using Broker Manager. For more information, see Testing SSO for an Event Broker Service.

Disabling SSO for an Event Broker Service

You can disable SSO on event broker services where you previously enabled it. When you disable SSO, the SSO configuration is removed from the event broker service. To access the event broker service, you can use basic authentication. If you want to enable another type of authentication (such as LDAP), you can reconfigure authentication for the event broker service.

To disable SSO on an event broker service, perform these steps:

  1. In the Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the Infrastructure SSO Settings tab.
  3. Click Manage Brokers.
  4. In the Manage Brokers dialog, select the event broker service you want to update from the list. The event broker service should show Enabled in its Broker SSO Status.
  5. Click Actions and select Disable SSO.

After you disable SSO for an event broker service, you can remove the URI from your identity provider. You can also verify that you no longer have management access to the event broker service using SSO credentials by looking at the Status of the service.

Updating the SSO Configuration for an Event Broker Service

If you have made user management changes in the Cloud Console, such as changing the default hostname for an event broker service or mapping new claims to user roles, you must refresh the SSO configuration on affected event broker services.

The event broker services that require an update show a status of Enabled with a message that states SSO configuration requires an update.

To update the SSO configuration, perform these steps:

  1. In the Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the Infrastructure SSO Settings tab.
  3. In the Event Broker Services SSO tile, click Manage Brokers.
  4. In the Manage Brokers dialog, select an event broker service from the list of event broker services that shows SSO Enabled as the Broker SSO Status.
  5. Click Actions and select Update SSO.

In the Manage Brokers dialog, verify that the text "SSO configuration requires an update" no longer appears.

Testing SSO for an Event Broker Service

You can test SSO for management access after an event broker service has enabled SSO. The event broker service should use the same identity provider and access as the Cloud Console. To test that management access works using SSO, use Broker Manager:

  1. In the Cloud Console, select Cluster Manager from the navigation bar.
  2. On the Services page, click the card of the event broker service.
  3. Click Open Broker Manager at the top-right corner of the page. The Broker Manager web interface opens in another tab.

If the SSO configuration has been enabled on an event broker service, a second Login with Solace Cloud button appears below the Login button. When you click Log in with Solace Cloud, it takes you to the identity provider configured with your account to authenticate access to the event broker service.