Configuring an OpenID Connect Identity Provider

To set up single sign-on (SSO) for PubSub+ Cloud, you must configure your OpenID Connect (OIDC)-based identity provider (IdP) to authenticate users for PubSub+ Cloud and to provide the user claim values that PubSub+ Cloud needs.

The exact process for setting up your IdP differs depending on the service provider. To learn how to provide PubSub+ Cloud information to your IdP and get details for PubSub+ Cloud from your IdP, consult your IdP documentation:

  • Microsoft Entra ID
  • Okta
  • Auth0
  • PingIdentity
  • Amazon Cognito

Configure Your Identity Provider for PubSub+ Cloud

To configure an OIDC-based IdP, perform these steps:

  1. Create a new OpenID Connect application or app client. The process varies depending on your IdP.
  2. Provide the following settings for the application.
    • Response Type: Code
    • Grant Type: Authorization Code
    • Grants/Claims: Email, openid
    • Redirect URL/URI: https://<subdomain>.solace.cloud/sso/login, where the subdomain is provided by Solace.
  3. If you intend to configure Group Management, ensure that the application is configured to provide the claim values that you will map to user groups in PubSub+ Cloud.

    If your IdP can't be configured to automatically provide the required claim, you may need to configure PubSub+ Cloud to request additional scopes during authentication. For example, for Amazon Cognito, if you want to use custom attributes for claim mapping, you need to allow the profile scope and enter profile in the Additional Scope(s) field in PubSub+ Cloud.

  4. If the following settings are required by your IdP, set them as follows:
    • Token Endpoint Authentication Method: Client Secret Basic
    • Start SSO URL/Initiate Login URL: https://<subdomain>.solace.cloud/sso/login, where the subdomain is provided by Solace.
  5. If your IdP does not automatically create a client secret, create it manually.
  6. Record the following information, which you need to configure your SSO settings in PubSub+ Cloud:
    • Client ID
    • Client Secret
    • OpenID Connect (OIDC) Discovery URL
    • For group management, the claim values that you want to map to user groups
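
Before entering these values in PubSub+ Cloud, you can compare the settings from the steps above with the JSON document served at the OIDC Discovery URL. The following is an added example, not Solace code: the field names come from OpenID Connect Discovery 1.0, while the sample document, the `acme` subdomain, the single-label subdomain pattern and the reading of "Grants/Claims: Email, openid" as two scopes are assumptions made for illustration.

```python
import re

# Discovery 1.0 fields for steps 2 and 4; assumes "Email, openid" are scopes.
REQUIRED = {
    "response_types_supported": {"code"},
    "grant_types_supported": {"authorization_code"},
    "scopes_supported": {"openid", "email"},
    "token_endpoint_auth_methods_supported": {"client_secret_basic"},
}
# Values the discovery spec says apply when an IdP omits an optional field.
SPEC_DEFAULTS = {
    "grant_types_supported": ["authorization_code", "implicit"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
}
# Assumption: the Solace-provided subdomain is a single lowercase DNS label.
REDIRECT_RE = re.compile(
    r"https://[a-z0-9]([a-z0-9-]*[a-z0-9])?\.solace\.cloud/sso/login")


def check_idp(discovery, redirect_uris, additional_scopes=()):
    """Return a list of problems; an empty list means the settings line up."""
    problems = []
    required = {field: set(values) for field, values in REQUIRED.items()}
    # Extra scopes entered in the Additional Scope(s) field must be allowed too.
    required["scopes_supported"] |= set(additional_scopes)
    for field, wanted in required.items():
        advertised = discovery.get(field, SPEC_DEFAULTS.get(field))
        if advertised is None:
            problems.append(f"{field}: not advertised, confirm in the IdP")
        elif wanted - set(advertised):
            problems.append(f"{field}: missing {sorted(wanted - set(advertised))}")
    if not redirect_uris:
        problems.append("no redirect URI registered")
    for uri in redirect_uris:
        # fullmatch rejects http://, extra path segments and look-alike hosts.
        if not REDIRECT_RE.fullmatch(uri):
            problems.append(f"redirect URI not of the documented form: {uri}")
    return problems


# Constructed discovery document, not taken from a real IdP.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email"],
}

if __name__ == "__main__":
    print(check_idp(SAMPLE_DISCOVERY, ["http://acme.solace.cloud/sso/login"], ["profile"]))
```

Replace `SAMPLE_DISCOVERY` with the JSON from your own Discovery URL and pass the redirect URIs registered on the application; a field reported as not advertised has to be confirmed in the IdP's own settings.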

Once your identity provider is set up, you can finish Enabling SSO for PubSub+ Cloud.