Authentication and Authorization to PubSub+ Cloud
Users must be authenticated and authorized to the PubSub+ Cloud to create event broker services, monitor event broker services, and design an event-driven architecture. The PubSub+ Cloud's account and user management system allows you to efficiently manage user accounts and assign permissions using roles that allow users to access the different categories of services in PubSub+ Cloud to manage your event-driven architecture (EDA). For more information, about user accounts and roles, see User-centric and Role-based Access.
Authentication and Authorization of PubSub+ Cloud can also be integrated with your organization's existing identity management system if it supports OpenID Connection to enable Single Sign-On (or SSO). For more information, see PubSub+ Cloud Console Authentication using SSO.
In addition to users, client applications can be given access to perform management tasks. Authentication and authorization is handled using API tokens created by users in the PubSub+ Cloud Console. For more information, see API Tokens for Client Applications.
Authentication and authorization to access to event broker services is also configurable. You can also directly access event broker services from PubSub+ Broker Manager. For more information, see Accessing PubSub+ Broker Manager.
Client application access is handled separately and is configured at the granularity of an event broker service. For information about client authentication and authorization, see Client Application Connectivity and Security.
There are built-in roles that are available on accounts. The permissions and roles for a user are assigned on a per account (workspace) basis. The granularity of the permissions authorizes a user to perform specific actions in the account. These fine-grained permissions permit for authenticated users to:
- orchestrate and manage event broker services
- manage event meshes
- design your event-driven architecture (EDA),
- monitor your deployment of PubSub+ Event Broker: Cloud and access advanced monitoring capabilities
- modify billing for the account
- manage users, permissions, and account settings
For information about roles and permissions, see Roles and Permissions.
It is important to note that the Administrator role must be provided to at least one user in an account, which permits that user to manage access within the account. Users can have different permissions on different accounts. This allows the same user to have different access based on the account selected.
For example, a single user account can be used to authenticate, but in one account that user may be authorized to create event broker services, but on another account, may not have that permission. For information about accounts, assigning roles, and setting permissions, see User Management .
Solace recommends the integration of PubSub+ Cloud with an organization's existing central identity management system when it's based on OpenID Connect. This integration provides single-sign on (SSO) for your organization's users and effectively presents PubSub+ Cloud as another service that users are authorized to use.
SSO can make user management and identity management more secure, easier to use, and gives your organization better control over user profiles. For example, changes to your organization's security strategy will seamlessly apply to users who access PubSub+ Cloud. SSO integration is supported for various providers that includes Azure Active Directory (AD), Okta, PingOne, and Auth0. For more information about integration to SSO, see PubSub+ Cloud SSO with OpenID Connect .
For more information setting up SSO with OpenID Connect, see PubSub+ Cloud SSO with OpenID Connect .
You can access event broker services directly using PubSub+ Broker Manager. For more information about PubSub+ Broker Manager, see PubSub+ Broker Manager.
Access to the event broker service is handled through credentials that are generated when an event broker service is created. By default, a user with the Administrator or the Edit Cluster Manager role in the account is pre-authenticated to access PubSub+ Event Broker: Cloud through the PubSub+ Cloud Console. Pre-authenticated access to PubSub+ Broker Manager can be disabled for an entire account which forces users to enter the credentials manually. For more information, see Pre-Authentication for PubSub+ Broker Manager.
Regardless of whether you enable or disable Pre-authentication Security, if your event broker services are deployed in a private network [customer-controlled Virtual Private Cloud/Virtual Network (VPC/VNet)], it is possible that you can connect from a public IP address to the PubSub+ Cloud Console (outside of your private network) to create and configure event broker services, but cannot connect to PubSub+ Broker Manager.
The reason for this is because the ability to connect to PubSub+ Broker Manager depends on the networking configuration of your private network (i.e., most private networks use 10.x.y.z, 172.x.y.z, or 192.x.y.z as IP addresses which are not accessible from a public network). If your network configuration permits it, you may connect to PubSub+ Broker Manager when it's deployed in a private network if you:
- use a VPN connection such as a VPN client on your computer (or AWS VPN) to connect to the VPC/VNet
- have VNet peering (Azure) or VPC peering (AWS) configured between the network from where you're connected, to the private network where the event broker services are deployed
- have a DNS mapping from the event broker service to your private network. Contact Solace to configure this DNS mapping request
Client applications can be authenticated and authorized to perform management operations (e.g., create event broker services or for continuous integration and development (CI/CD) functions) via the PubSub+ Cloud APIs. This capability is useful in large-scale deployments that require automation to obtain efficiencies and better integrations with other enterprise systems.
API key control for authentication and authorization to PubSub+ Cloud is provided with API tokens. These API tokens that can be generated on an per account basis to authenticate and authorize client applications to perform management actions on an account.
Users can generate API tokens in the PubSub+ Cloud Console. The permissions that a user can assign to the generated API token is a subset of the permissions that they have in an account (Workspace). In other words, a user cannot create an API token with permissions over and beyond what they have been assigned.
The user can also revoke an API token at any time. These API tokens permit for finer-grained control of permissions for client applications than the roles assigned to a user profile. For more information about the permissions and API tokens, see Managing API Tokens.