This page describes how to use the Single Sign-On Plugin that is provided by the Management Center for the Pro Edition of Eclipse Mosquitto (MMC).
Single Sign-On Overview
Single Sign-On is a widely used authentication scheme in which the login step of the Management Center is delegated to the identity provider of your choice. Your users then have a single account for all of your internal systems, which improves the user experience, and the handling of user credentials moves to the identity provider, a system built specifically to store account data securely.
Management Center currently supports SAML-based SSO.
Mosquitto Management Center uses the
Enable SSO Plugin
To enable the plugin, make sure you are using the Pro Edition of Mosquitto and that the User Management feature is enabled in your license. Also ensure that your config file (specified with the
CEDALO_MC_PROXY_CONFIG environment variable, or by default saved in
management-center/config/config.json) contains the following entry inside the
You also need to specify the following environment variables for the SAML SSO configuration:
You can read more about these variables below.
The SSO plugin needs an initial admin user, which you use to access the Management Center for the first time. You can configure this user using
On start-up, the Management Center prints a message to the console confirming that the saml-sso plugin is enabled and loaded:
Loaded plugin: "saml_sso" (Cedalo SAML SSO)
To let users coming from the Identity Provider into the Management Center, you need to populate the
users.json file with valid user objects whose
username field equals the mail field in your identity provider (this is the only field that is required). In other words, the Identity Provider authenticates the user, but the Management Center only admits the users you have explicitly listed; anyone not listed there cannot access it even after signing in successfully at the Identity Provider. You can populate the file through the normal user creation process in the User Management tab or via the User Management REST API.
SSO Environment Variables
CEDALO_MC_SSO_USERNAME - With the default configuration this should be the e-mail address of a user that exists in your Identity Provider; it is used as the admin account for initially accessing the Management Center.
CEDALO_MC_SSO_ENTRY_POINT_URL - URL to which the Service Provider sends the Login Request (the URL used for logging in). You can get it from your Identity Provider.
CEDALO_MC_SSO_LOGOUT_URL - URL to which the Service Provider sends the Logout Request (in AzureAD this is usually the same as the URL used for login, i.e.
CEDALO_MC_SSO_HOST_URL - Host URL of the Service Provider (the host to which the Identity Provider redirects the Login Response)
CEDALO_MC_SSO_ISSUER - Issuer field in the Identity Provider (Entity ID in AzureAD)
CEDALO_MC_SSO_KEY_PATH - Required only if you want to use the client assertion flow. Path to the key file (.pem). (In the case of AzureAD, it can be downloaded from the AzureAD SP metadata page.) Keep this file readable by the Management Center process only.
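The following preflight script is an added example written for this page; it is not part of the Cedalo product, and the rules it enforces (HTTPS-only endpoints, an e-mail-shaped admin username, an owner-only key file) are the script's own policy rather than anything the plugin itself checks. It reads the variables listed above from the environment and reports what is missing or weak before you start the Management Center. The file name check-sso-env.sh and the hostnames in the usage comments are placeholders.

```shell
#!/bin/sh
# check-sso-env.sh: preflight for the MMC SAML SSO environment variables.
# Added example, not Cedalo's code. The policy below (HTTPS-only URLs,
# e-mail-shaped admin user, owner-only key file) is this script's own assumption.

# Records one finding; the running total is kept in the global $fails
_sso_fail() {
    echo "FAIL: $1" >&2
    fails=$((fails + 1))
}

# Returns 0 when there are no findings, otherwise the number of findings
check_sso_env() {
    fails=0

    # Every variable the plugin documentation lists as needed must be non-empty
    for v in CEDALO_MC_SSO_USERNAME CEDALO_MC_SSO_ENTRY_POINT_URL \
             CEDALO_MC_SSO_LOGOUT_URL CEDALO_MC_SSO_HOST_URL CEDALO_MC_SSO_ISSUER; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || _sso_fail "$v is not set"
    done

    # The initial admin is matched against the IdP mail field, so it should look like an address
    case "${CEDALO_MC_SSO_USERNAME:-}" in
        "") ;;                              # already reported as missing
        *@*.*) ;;
        *) _sso_fail "CEDALO_MC_SSO_USERNAME should be the admin's e-mail address" ;;
    esac

    # SAML requests and responses travel through the user's browser:
    # a plain-HTTP endpoint exposes the assertion to anyone on the path
    for v in CEDALO_MC_SSO_ENTRY_POINT_URL CEDALO_MC_SSO_LOGOUT_URL CEDALO_MC_SSO_HOST_URL; do
        eval "val=\${$v:-}"
        case "$val" in
            "") ;;                          # already reported as missing
            https://*) ;;
            *) _sso_fail "$v must use https:// (got: $val)" ;;
        esac
    done

    # Optional key file: must be a readable regular file that group/others cannot read
    if [ -n "${CEDALO_MC_SSO_KEY_PATH:-}" ]; then
        if [ ! -f "$CEDALO_MC_SSO_KEY_PATH" ] || [ ! -r "$CEDALO_MC_SSO_KEY_PATH" ]; then
            _sso_fail "CEDALO_MC_SSO_KEY_PATH does not point to a readable file"
        else
            # GNU stat first, BSD/macOS stat as the fallback
            mode=$(stat -c %a "$CEDALO_MC_SSO_KEY_PATH" 2>/dev/null \
                   || stat -f %Lp "$CEDALO_MC_SSO_KEY_PATH")
            case "$mode" in
                ?00) ;;                     # 600, 400 or 700: owner only
                *) _sso_fail "key file $CEDALO_MC_SSO_KEY_PATH has mode $mode; expected 600" ;;
            esac
        fi
    fi

    return "$fails"
}

# When executed directly as check-sso-env.sh (not sourced), check the current environment,
# e.g. after: export CEDALO_MC_SSO_HOST_URL=https://mmc.example.com  (placeholder host)
if [ "${0##*/}" = "check-sso-env.sh" ]; then
    check_sso_env && echo "SSO environment passes preflight"
fi
```

Source the file and call check_sso_env from a container entrypoint or a systemd ExecStartPre so that a non-zero exit aborts the start before the plugin loads with a weak configuration; the FAIL lines on stderr name the variable that needs fixing.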
Note that the SSO plugin does not work together with the base login plugin.
If you want to disable SSO and re-enable base login, open the config file located in the path specified with the
CEDALO_MC_PROXY_CONFIG environment variable, or by default stored in
management-center/config/config.json, or if you are using the rpm package:
/var/opt/cedalo/management-center/config/config.json, and manually delete the
saml-sso entry under