Configuring Single Sign-On for Event Broker Services

You can configure management access to event broker services to use the same single sign-on (SSO) via OpenID Connect (OIDC) as the PubSub+ Cloud Console. Using SSO allows users to authenticate with the same credentials they use to access the Cloud Console. Authorization for management access is handled with claims configured for your identity provider (IdP).

Event Broker Service SSO configures management access through PubSub+ Broker Manager to event broker services. Access to the messages and events (or machine-to-machine authentication) uses a different authentication mechanism (for example, basic authentication, LDAP, client certification, or OAuth provider) that is configured separately for client applications. For more information, see Configuring Authentication to Event Broker Services.

To enable SSO for an event broker service, complete the following tasks:

  1. Enable SSO for PubSub+ Cloud.
  2. Enable group management, and just-in-time provisioning for the account. For more information, see Considerations for Using Event Broker Service SSO.
  3. Navigate to the Event Broker Service SSO page to view the list of event broker services in your account and the status. For more information, see Viewing the SSO Status for Event Broker Services.
  4. Enable SSO on the selected event broker service. For more information, see Enabling SSO for an Event Broker Service.
  5. Copy the event broker service URI and add it as a redirect URI in your IdP. For more information, see Retrieving the URI for an Event Broker Service.

After you have completed the tasks above, you can:

  • Check the SSO status of the event broker service in multiple ways that include:
  • If you no longer want an event broker service to use SSO, you can disable it. For more information, see Disabling SSO for an Event Broker Service.
  • If you make SSO configuration changes, such as adding new claim mappings, you can update each event broker service with the updated SSO configuration. If an event broker service needs a configuration update, it shows a status of Enabled with a message of SSO configuration requires an update. For more information, see Viewing the SSO Status for Event Broker Services.

Considerations for Using Event Broker Service SSO

Before you configure SSO using OIDC, your account must meet the following requirements:

  • You must have an Enterprise Account for PubSub+ Cloud. Trial accounts do not support SSO configuration via OpenID Connect (OIDC).
  • The Administrator role must be assigned to the user in the account to enable Event Broker Service SSO. Users with Mission Control Manager role cannot enable SSO on an event broker service.
  • The roles in your Enterprise Account must be mapped appropriately to the roles in your identity provider:
    • the Administrator and Mission Control Manager roles give edit permissions to the Message VPN on the event broker service
    • the Mission Control Viewer role give read access to Message VPN on the event broker service
  • If you have private and public endpoints configured for the event broker service, the redirect URIs need to be configured on the IdP. SSO via OIDC must be enabled on the account.
  • Group management must be set up on the account.
  • Just-in-time provisioning must be configured on the account.

After the SSO configuration is enabled on the event broker service, users have management access (for example PubSub+ Broker Manager) via SSO to the event broker service. You can also check the Management Access on the event broker service on Status page for the service. For more information, see Detailed Service Information.

SSO access is only for management access for users. Access to the messages and events (or machine-to-machine authentication) use a different authentication mechanism (for example, basic authentication, LDAP, client certification, or OAuth provider) that is configured separately for client applications. For more information, see Configuring Authentication to Event Broker Services.

You can also configure SSO using the REST API for PubSub+ Cloud. For more information, see Managing Single Sign-On for Event Broker Services with the PubSub+ Cloud REST API.

Viewing the SSO Status for Event Broker Services

You can view the SSO status for all event broker services on the Manage Brokers screen. To view the Manage Brokers screen, perform these steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the PubSub+ Cloud Console.
  2. On the navigation bar, select User & Account , and then select Account Details.
  3. On the Account Details page, select the Broker SSO Settings tab.
  4. In the Event Broker Service SSO tile, click Manage Brokers.

Screenshot depicting the settings described in the surrounding text.

The list of event broker services contains the following information:

Broker Name
The name of the event broker service.
Broker SSO Status
 The status of SSO configuration on the event broker service. The statuses are as follows:
  • Disabled—No SSO configuration is available on the event broker service and SSO has been disabled. Event broker services that have this state support SSO. To see how to access Broker Manager, see the Status tab for the event broker service in Cluster Manager.
  • Enabled— The SSO configuration was successfully updated on the event broker service and SSO has been enabled. If the URI has been updated on your identity provider, you can use SSO credentials to access Broker Manager. If the SSO configuration requires an update, it shows the message SSO configuration requires an update. To update the configuration, see Updating the SSO configuration for an Event Broker Service.
  • Does not support SSO—The event broker service doesn't support SSO. This can be because you using a legacy broker version. For information about upgrading your event broker service, see Upgrading Event Broker Services in PubSub+ Cloud.
  • In Progress—An operation to enable, update, or remove the SSO configuration from the event broker service is in progress.
  • Failed—Enabling, disabling, or updating the SSO configuration failed. A recommendation for an action appears.
Datacenter
The location where the event broker service resides and corresponds to the region name that was selected when you create the event broker service.
Broker URI
The URI to add as a redirect URI in your identity provider (IdP). If you have configured multiple connection endpoints, multiple redirect URIs are shown as a comma-separated entry. You can copy the redirect URIs to your IdP. For more information, see Retrieving the URI for an Event Broker Service.

Retrieving the URI for an Event Broker Service

To complete the configuration so that a user can access an event broker service using SSO, the identity provider you've chosen must be configured with the correct redirect URIs of each event broker services.

The format of the URI is as follows:

https://<serviceredirectid>.messaging.solace.cloud/oauth/complete

  • where <serviceredirectid> represents the specific event broker service
  • where messaging.solace.cloud is the domain for the event broker service. This value may differ depending on your deployment or region of the PubSub+ Home Cloud you selected. It is recommended that you verify the values in the Broker URI field in the list of event broker services in Manage Brokers.

If you have private and public endpoints configured your event broker service, there is a separate URI for each endpoint that must be added to your identity provider. This may mean that you have multiple URIs to add as redirects for an event broker service. For more information, see Configuring Custom Hostnames for an Event Broker Service.

To retrieve the required redirect URI for an event broker service and copy it to your clipboard, use the following actions:

  1. In the PubSub+ Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the Broker SSO Settings tab.
  3. In the Event Broker Services SSO tile, click Manage Brokers.
  4. In the Manage Brokers dialog window, select the event broker service from the list that supports SSO (has the status of Enabled, Disabled, or In Progress). For information about the status, see Viewing the SSO Status for Event Broker Services.
  5. For the selected event broker service, click Actions and select Copy Broker URIs.

The URIs of the selected event broker service are copied to your clipboard. They can be pasted as redirect URIs in your identity provider.

Multiple URIs are copied as a comma-separated listed. If your IdP doesn't support this format, manually enter each URI.

Enabling SSO for an Event Broker Service

You can enable SSO on an event broker service. Each event broker service that is enabled is sent the most recent SSO configuration from your PubSub+ Cloud account.

To enable SSOfor an event broker service, perform these steps:

  1. In the PubSub+ Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the Broker SSO Settings.
  3. In the Event Broker Services SSO tile, click Manage Brokers.
  4. On the Manage Brokers dialog window, select an event broker service from the list of event broker services.
  5. Click Actions and select Enable SSO.

After you enable SSO on the event broker service, ensure that the URI has been added to your identity provider. For more information, see Retrieving the URI for an Event Broker Service. You can verify that you connect to the event broker service by connecting to it using PubSub+ Broker Manager. For more information, see Testing SSO for an Event Broker Service.

Disabling SSO for an Event Broker Service

On event broker services where you previously enabled SSO, you can disable it. When it is disabled, the SSO configuration is removed from the event broker service. To access the event broker service, you can use basic authentication. If you want to re-able another type of authentication scheme ( such as LDAP), you can reconfigure that event broker service.

To disable SSO on an event broker service, perform these steps:

  1. In the PubSub+ Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the  Broker SSO Settings tab.
  3. In the Event Broker Services SSO tile, click Manage Brokers.
  4. In the Manage Brokers dialog window and select the event broker service from the list. The event broker service you choose should be Enabled its Broker SSO Status.
  5. Click Actions and select Disable SSO.

After you disable SSO for an event broker service, you can remove the URI from your identity provider. You can also verify that you no longer have management access to the event broker service using SSO credentials by looking at the Status of the service.

Updating the SSO configuration for an Event Broker Service

If you have made user management changes in the Cloud Console, such as mappings new claims to user roles, you must refresh the SSO configuration on each event broker service.

The event broker services that require an update show a status of Enabled with a message that states SSO configuration requires an update.

To update the SSO configuration, perform these steps:

  1. In the PubSub+ Cloud Console, select User & Account from the navigation bar, and then select Account Details.
  2. On the Account Details page, select the Broker SSO Settings tab.
  3. In the Event Broker Services SSO tile, click Manage Brokers.
  4. In the Manage Brokers dialog window, select an event broker service from the list of event broker services that shows SSO Enabled as the Broker SSO Status.
  5. Click Actions and select Update SSO.

In the Manage Brokers dialog window, verify that the text "SSO  configuration requires an update" no longer appears.

Testing SSO for an Event Broker Service

You can test SSO for management access after an event broker service has enabled SSO. The event broker service should use the same identity provider and access as the PubSub+ Cloud Console. To test that management access works using SSO, use PubSub+ Broker Manager:

  1. In the PubSub+ Cloud Console, select Cluster Manager from the navigation bar.
  2. On the Services page, click the card of the event broker service
  3. Click Open PubSub+ Broker Manager at the top-right corner of the page. The PubSub+ Broker Manager web interface opens in another tab.

If the SSO configuration has been enabled on an event broker service, a second Login with PubSub+ Cloud button appears below the Login button. When you click Log in with PubSub+ Cloud, it takes you to the identity provider configured with your account to authenticate access to the event broker service.