Enabling Single Sign-On for PubSub+ Cloud

If your organization uses an OIDC-based identity provider such as Okta, Auth0, PingIdentity, or Azure Active Directory (AD), you can configure single sign-on (SSO) to the PubSub+ Cloud Console. After you enable SSO, you can also choose to set up dynamic user group assignment and SSO for event broker service management.

To set up SSO, you must have Administrator access to your organization's PubSub+ Cloud account and the ability to create applications with your identity provider.

To configure SSO for your PubSub+ Cloud account, you perform these tasks:

• Request a subdomain from Solace.
• Create an application with your OIDC-based identity provider. See Configuring an OpenID Connect Identity Provider .
• Enable SSO.
• Optionally, configure group management to dynamically add users to groups with assigned roles based on the user claims received from the identity provider (IdP). See Configuring Group Management.
• Optionally, configure SSO for event broker services. See Configuring Single Sign-On for Event Broker Services.

Requesting a Subdomain

To set up SSO, you require a subdomain for your PubSub+ Cloud account. Your identity provider uses the subdomain to accept authentication requests.

If your company has more than one PubSub+ Cloud account and you use the same identity provider for the accounts, you can also use the same subdomain for each account. When you use the same subdomain for more than one account, you designate one of the accounts as the primary account for configuring your SSO settings.

When you use the same subdomain for two or more accounts, role-based access is still managed separately for each account, but users can switch between the accounts that they have access to without logging in again from the Navigation bar in the Cloud Console.

To request a subdomain from Solace, perform these steps:

1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
2. On the navigation bar, click User & Account and then select Account Details.
3. Select the Account Settings tab.
4. Click Set Up SSO.
   
5. Enter the subdomain name you want to request in the Preferred subdomain field and add any additional comments. If you want to use a subdomain that you're already using in another PubSub+ Cloud account, enter your existing subdomain.

   

6. Click Send Request.

Enabling SSO

After Solace completes your subdomain request, additional SSO configuration options appear in your account details. If you have used the same subdomain for more than one account, the settings appear only in the account that you designated as the primary account when you requested the subdomain.

You need the following information from your identity provider to configure your SSO settings:

• Client ID
• Client Secret
• OIDC Discovery URL
• If you are setting up group management, the claim values that you can map to specific user groups and any additional scopes that PubSub+ Cloud should request from the IdP

By default, PubSub+ Cloud requests the "openid" and "email" scopes from the IdP. You can configure many IdPs to automatically include additional claims in the identity token that you can use for group management. However, for certain configurations, PubSub+ Cloud may need to explicitly request additional information (scopes). In these cases, you can specify the additional scopes in your SSO configuration.

For more information about configuring your identity provider, see Configuring an OpenID Connect Identity Provider .

To enable SSO for your PubSub+ Cloud account, perform these steps:

1. On the Account Settings tab, click Configure Settings.
2. Enter the Client ID, Client Secret, and OIDC Discovery URL for the identity provider.

   

3. If necessary for your implementation, enter any Additional Scope(s) that you need to receive user claims for. For example, if you intend to configure role mapping you may need to receive claims for the Groups scope.
4. Click Save Settings.
   
5. (Optional) To test your SSO configuration, click Test Configuration. The test opens a new window and redirects you to your SSO provider.
6. Click Enable SSO to turn on SSO for the account.

After you enable SSO, you can update your SSO configuration as necessary. To delete your SSO setup or temporarily disable it, contact Solace.