Configuring User Authentication to Event Broker Services

You can configure user authentication for management access to event broker services and allow users to authenticate with event broker services using these methods.

Method | Details

LDAP

You can configure LDAP for management access so other users can be authenticated and authorized to log in to an event broker service using their LDAP credentials.

For more information, see Configuring LDAP for Management Access.

You can also configure LDAP for management access using the REST API. For more information, see Managing Authentication with the Solace Cloud REST API.

OAuth profiles

You can configure OAuth profiles directly on event broker services to authenticate users and machines connecting directly to your event broker services by mapping custom roles in your OAuth provider account to Solace Cloud roles.

For more information, see Configuring OAuth Profiles for Management Access to Event Broker Services.

Single sign-on

You can configure authentication for management access to event broker services to use the same single sign-on (SSO) capabilities as the Solace Cloud Console. Using SSO allows users to authenticate with Broker Manager for an event broker service using the same credentials they use to access the Cloud Console. Authorization for management access is handled with claims configured for your identity provider (IdP).

For more information, see Configuring Single Sign-On for Event Broker Services.

For more information about configuring event broker service access for Mission Control Users, see Configuring User Access to Event Broker Services.

You configure authentication for client messaging access to event broker services separately. For more information, see Configuring Authentication for Messaging Clients.

Configuring LDAP for Management Access

Solace Cloud Administrators can configure LDAP for management access so other users can be authenticated and authorized to log in to an event broker service using their LDAP credentials.

To configure LDAP for management access, perform these steps:

  1. Log in to the Solace Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the Solace Cloud Console.
  2. On the navigation bar, select Cluster Manager.
  3. Select the event broker service that you want to configure. If the event broker service is not listed, make sure you have the right environment selected. For more information, see Selecting Environments.
  4. On the Service Details page, click the Manage tab.
  5. On the Management Settings menu, select Authentication and Security.
  6. On the LDAP for Management Access tile, click Edit Profile.

    Screenshot showing the settings described in the surrounding text.

  7. Complete the fields on the Edit LDAP Profile dialog with the appropriate details for the following LDAP profile settings:
    Configuration | Description

    Admin Distinguished Name

    Specifies the LDAP distinguished name for the event broker service to use to authenticate itself to the LDAP server.

    Admin Distinguished Name Password

    Specifies the password to use with the admin distinguished name to bind to the LDAP server.

    Start TLS

    Specifies whether to use StartTLS to secure your LDAP connections. When you use StartTLS, the LDAP host is used for both TLS and non-TLS connections to the LDAP server. If this option is not selected, secure connections to the LDAP server use LDAPS.

    LDAP Servers

    Specify the Uniform Resource Identifier (URI) for up to three LDAP servers. You can specify a domain name or an IP address and port number. If no port number is specified, port 389 is used by default. For example, ldap://192.167.123.4:389 or ldap://ldap.solace.com.

    If Start TLS is enabled, the unencrypted port should be specified for the server hostname.

    You must specify at least one LDAP server.

    Allow Unauthenticated Authentication

    LDAP supports unauthenticated authentication, which allows all clients to pass LDAP server authentication and connect to the event broker service without a password.

    Enabling this option can introduce a significant security risk, so this option is disabled by default.

    When this option is disabled, users who attempt to connect without passwords are rejected immediately by the event broker service without consulting the LDAP server.

    Enable Group Membership Secondary Search Parameters

    Enables retrieving an attribute from the user records and then performing a secondary LDAP search using that attribute’s value to retrieve the group list.

    This option is not required when group membership information is stored in the user records, which allows the group list to be retrieved without a secondary search.

    Filter Attribute From Primary Search Base Distinguished Name

    Specifies the attribute retrieved from the primary search when Group Membership Secondary Search Enabled is selected.

    Base Distinguished Name

    Specifies the base distinguished name of the node of the directory tree to start searches from. For example: ou=software,dc=solacesystems,dc=com.

    You must enter a value in this field.

    Dereferencing Behaviour

    Specifies the dereferencing behavior of directory searches.

    • Always—always dereference aliases (default).
    • Never—never dereference aliases.
    • Search—dereference aliases only when searching.
    • Base—dereference aliases only when locating the base node.

    Filter

    Sets the filter to use to locate individual users in the directory service.

    If Group Membership Secondary Search Enabled is not selected, the default is (cn=$CLIENT_USERNAME) and you can use the following substitution variables in the filter:

    • $CLIENT_USERNAME
    • $VPN_NAME

    Substitution variables are recognized by the event broker and are substituted with the client’s relevant information. Examples of filters using substitution variables include:

    • “(&(cn=$CLIENT_USERNAME)(ou=$VPN_NAME))”
    • “(cn=$CLIENT_USERNAME)”

    If Group Membership Secondary Search Enabled is selected, the default is (member=$ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH) and you can use the following substitution variables in the filter:

    • $ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH
    • $CLIENT_USERNAME
    • $VPN_NAME

    Scope

    Specifies the scope of directory searches.

    • Subtree—search the entire subtree directory (default).
    • Base—search only the base node.
    • One Level—search only one level deep.

    Follow Continuation References

    Enables following continuation references returned by the contacted LDAP server. When this option is enabled, if an LDAP search does not fully end on the contacted server, the search for relevant entries may continue on up to ten other servers it references.

    Timeout (Seconds)

    The amount of time to wait before retrying an authentication or authorization request to an LDAP server.

  8. Click Save.
  9. Click Set Group Access. To set the configuration options, the LDAP profile must include at least one LDAP Server and the Base Distinguished Name.
  10. Enter the Group Membership Attribute Name value to use to look for matching groups.
  11. You can provide Mission Control Manager, Mission Control Editor, or Mission Control Viewer access to the members of an LDAP group. For more information about role access, see Mission Control Roles and Permissions. To provide management access to an LDAP group, perform these steps:
    1. Beside Mission Control Manager, Mission Control Editor, or Mission Control Viewer, click Add Group.
    2. In the field that appears, enter the LDAP group information.
    3. Click Save.
  12. After setting all LDAP group access assignments, click Save to return to the LDAP for Management Access tile.
  13. Click Enable.

    Users can now log in to the event broker service using their LDAP credentials.
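The filter substitution, search scope, secondary group search and "Allow Unauthenticated Authentication" behaviour described in the profile settings above, as an added Python model of the broker-side flow (example code, not Solace's implementation). The directory entries, group names, the use of the primary hit's DN as the attribute for the secondary search, the role mapping and the RFC 4515 escaping of substituted values are assumptions made for the example.

```python
import re
# Constructed in-memory directory standing in for the LDAP server (hypothetical DNs and groups).
DIRECTORY = {
    "cn=alice,ou=software,dc=example,dc=com": {"cn": "alice", "userPassword": "s3cret"},
    "cn=bob,ou=software,dc=example,dc=com": {"cn": "bob", "userPassword": "hunter2"},
    "cn=brokeradmins,ou=groups,dc=example,dc=com": {"cn": "brokeradmins", "member": ["cn=alice,ou=software,dc=example,dc=com"]},
    "cn=brokerviewers,ou=groups,dc=example,dc=com": {"cn": "brokerviewers", "member": ["cn=bob,ou=software,dc=example,dc=com"]},
}
BASE_DN = "dc=example,dc=com"  # the profile's Base Distinguished Name (assumed)
GROUP_ROLES = {"brokeradmins": "Mission Control Manager", "brokerviewers": "Mission Control Viewer"}  # Set Group Access (assumed)

def escape(value):
    # RFC 4515 escaping of substituted values (assumed), so a crafted username cannot alter the filter structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def substitute(template, variables):
    # The broker replaces $CLIENT_USERNAME, $VPN_NAME, $ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH before searching.
    for name, value in variables.items():
        template = template.replace("$" + name, escape(value))
    return template

def matches(entry, flt):
    # Minimal evaluator for (attr=value) and (&(...)(...)), the two forms the profile examples use.
    if flt.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    present = entry.get(attr, [])
    return value in [escape(v) for v in (present if isinstance(present, list) else [present])]

def search(base, scope, flt):
    # Scope as in the profile: Subtree (whole subtree), Base (only the base node) or One Level (direct children).
    def in_scope(dn):
        if scope == "Base":
            return dn == base
        rel = dn[: -len(base) - 1] if dn.endswith("," + base) else None
        return rel is not None and (scope == "Subtree" or "," not in rel)
    return [dn for dn, e in DIRECTORY.items() if in_scope(dn) and matches(e, flt)]

def authenticate(username, password, allow_unauthenticated=False):
    # Returns the Mission Control role granted to the user, or None when the login is rejected.
    if not password and not allow_unauthenticated:
        return None  # rejected immediately; the LDAP server is not consulted
    users = search(BASE_DN, "Subtree", substitute("(cn=$CLIENT_USERNAME)", {"CLIENT_USERNAME": username}))
    if len(users) != 1 or (password and DIRECTORY[users[0]].get("userPassword") != password):
        return None  # unknown or ambiguous user, or the simulated simple bind failed
    # Secondary search: the primary hit's DN is the attribute value substituted into the group filter (assumption).
    groups = search(BASE_DN, "Subtree", substitute("(member=$ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH)", {"ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH": users[0]}))
    roles = [GROUP_ROLES[DIRECTORY[g]["cn"]] for g in groups if DIRECTORY[g]["cn"] in GROUP_ROLES]
    return roles[0] if roles else None
```

Note that with allow_unauthenticated set, an empty password is accepted and the user still receives the role mapped from the group search, which is why the setting is off by default.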