Integrating Azure Active Directory (AD) with PubSub+ Cloud
You can integrate your organization’s Azure Active Directory (AD) with PubSub+ Cloud to enable single sign-on (SSO) and multi-factor authentication (MFA) for your enterprise accounts.
After you have configured Azure AD, your organization will receive a customized URL to log in to PubSub+ Cloud. If your users have already signed in to their Azure AD account, they will automatically be signed in to PubSub+ Cloud. Otherwise they will be directed to your organization's AD sign-in page to enter their details. Your organization's AD settings determine whether multi-factor authentication (MFA) is used.
If a user belongs to multiple PubSub+ Cloud accounts that are associated with your organization's AD, they can switch between those accounts without logging in to the accounts separately.
Authenticating PubSub+ Cloud Users with Azure AD
To authenticate the user, PubSub+ Cloud uses OAuth 2.0 with OpenID Connect 1.0. When the user authenticates through Azure, PubSub+ Cloud receives an OpenID Connect 1.0 ID token for the user and also an OAuth 2.0 access token. These tokens give PubSub+ Cloud access to the Azure AD Graph API. PubSub+ Cloud uses the Graph API to retrieve the user's information from Azure AD and grants the appropriate access.
The authentication process with Azure AD is shown in the following diagram:
Configuring PubSub+ Cloud with Azure AD
To integrate Azure AD with PubSub+ Cloud, perform the following steps:
- Open a support ticket to request to have SSO enabled on your account.
The PubSub+ Cloud Production Engineering team enables SSO and provides you with your organization ID. Use this ID in the next step.
- Register PubSub+ Cloud as an Azure AD Application.
- Provide the PubSub+ Cloud Production Engineering team with the following values from the previous step:
- Application (client) ID
- Directory (tenant) ID
- PubSub+ Cloud secret
The PubSub+ Cloud Production Engineering team completes the setup.
When you set up an Application Registration for PubSub+ Cloud in your Azure AD account, Azure generates a Client ID and a Client Secret that you use to bind your PubSub+ Cloud account to your Azure AD. This allows your organization's PubSub+ Cloud users to be authenticated by Azure AD.
To register PubSub+ Cloud as an application in Azure AD:
- In the Azure Portal, in the left-hand navigation pane, select Azure Active Directory.
The Azure Active Directory page opens.
- Select Application Registration from the left-hand menu, then click New Registration.
The Register an application page opens.
- In the Name field, enter Solace Cloud. Under Supported account types, select Accounts in this organizational directory only. In the Redirect URI (Optional) field, enter the redirect URI for your organization, where orgName is the organization ID provided to you by the PubSub+ Cloud Production Engineering team.
- Click Register at the bottom of the screen.
The application registration is created in your Azure AD and the Application Overview page is displayed, showing the Application (client) ID and the Directory (tenant) ID values. Make a note of these values because the PubSub+ Cloud Production Engineering team will need them to complete the configuration.
- Click View API Permissions. The API Permissions page is displayed.
- From the API Permissions page, select Microsoft Graph.
- On the Request API permissions dialog, select Delegated Permissions.
- In the list of permissions that is displayed, do the following:
- Select email, openid, and profile.
- Scroll down and expand Directory, then select Directory.AccessAsUser.All.
- Scroll down and expand User, then select User.Read.
- Click Update permissions.
- Click Grant admin consent for Solace Cloud, then click Yes to confirm. Note that you must be an administrator of the directory to do this.
The page is updated to confirm that admin consent was successfully granted.
- In the left-hand menu, click Certificates & secrets.
- Create a Client Secret by clicking New client secret. The Add a client secret dialog is displayed.
- In the Add a client secret dialog, enter a description for the PubSub+ Cloud secret, then select an expiry period. Note that if you don't pick Never, you will need to update the secret key periodically.
- Click Add. Make a note of the secret because the PubSub+ Cloud Production Engineering team will need it to complete the configuration.
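The Application (client) ID and Directory (tenant) ID recorded during the registration above are the values a relying party must bind an Azure AD ID token to after verifying its signature. The following Python is an added example, not Solace's implementation: it checks that the iss and tid claims belong to the registered tenant, that aud is the registered client ID, and that the token is unexpired and carries the expected nonce. The tenant ID, client ID, nonce and token payload are constructed placeholders, and signature verification against the tenant's JWKS is assumed to have already been done by a JOSE library.

```python
import base64
import json
import time

# Placeholder values standing in for what the registration above produces (constructed).
TENANT_ID = "11111111-2222-3333-4444-555555555555"   # Directory (tenant) ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # Application (client) ID
SAMPLE_NOW = 1_700_000_000                            # fixed clock for a repeatable check

# Constructed ID-token payload as Azure AD's v2.0 endpoint would issue it for this app.
SAMPLE_PAYLOAD = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID, "aud": CLIENT_ID, "nonce": "n-1",
    "exp": SAMPLE_NOW + 600,
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(payload: dict) -> str:
    """Assemble a compact JWT with a dummy signature, for constructing test input only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"

def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT; the signature must already be verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def validate_claims(payload: dict, tenant_id: str, client_id: str, nonce: str, now=None) -> list:
    """Return the list of claim problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("iss is not this tenant's v2.0 endpoint")
    if payload.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    if payload.get("aud") != client_id:
        problems.append("aud does not match the Application (client) ID")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        problems.append("token is expired or has no exp")
    if payload.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    return problems
```

Checking tid as well as iss matters because a token minted by a different tenant for the same client ID must not grant access to your organization's PubSub+ Cloud account.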