Single Sign-On
This page describes how to use the Single Sign-On Plugin that is provided by the Management Center for the Pro Edition of Eclipse Mosquitto (MMC).
Overview
Single Sign-On is a widely accepted authentication scheme that allows the login process in the Management Center to happen on the side of your identity provider of choice. This allows your users to have only a single account for all of your internal systems, which boosts user experience and transfers the responsibility of handling user credentials to the identity provider, which is specifically designed to store user accounts data with the maximum possible security level.
Management Center currently supports a SAML-based SSO.
Mosquitto Management Center uses the mail field of the user object passed from the identity provider as the unique username for logging this user in. No other data from the Identity Provider's user object is required.
This can, however, be changed if your requirements are different.
Enable SSO Plugin
To enable the plugin, make sure you are using the Pro Edition of Mosquitto and that you have the User Management feature enabled in your license. Also, ensure that your config file (specified with the CEDALO_MC_PROXY_CONFIG environment variable, or by default saved in management-center/config/config.json) contains the following entry inside the plugins array:
{
"name": "saml-sso"
}
Also, you need to specify the following environment variables for the SAML SSO configuration:
CEDALO_MC_SSO_USERNAME
CEDALO_MC_SSO_ENTRY_POINT_URL
CEDALO_MC_SSO_LOGOUT_URL
CEDALO_MC_SSO_HOST_URL
CEDALO_MC_SSO_ISSUER
CEDALO_MC_SSO_KEY_PATH
You can read more about these variables below.
The SSO plugin needs an initial admin user configured, with which you will be able to access the Management Center initially. You can configure this user with the CEDALO_MC_SSO_USERNAME variable.
On start-up, the Management Center will print a message to the console that the saml-sso plugin is enabled and loaded:
Loaded plugin: "saml_sso" (Cedalo SAML SSO)
To use the users coming from the Identity Provider with the Management Center, you will need to populate the users.json file with valid user objects whose username field equals the mail field in your identity provider (this is the only required field). In other words, you have to tell the Management Center which users coming from your Identity Provider can access it. Populating can be done through the normal user creation process in the User Management tab or using the User Management REST API.
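As an added example (not Cedalo's code), a small pre-flight check in Python that verifies the three pieces of configuration this section describes before the plugin is switched on: the saml-sso entry in the plugins array, the CEDALO_MC_SSO_* environment variables, and that every username in users.json is a mail address that can match the Identity Provider's mail field. The check that the SAML URLs use https:// is an assumption of the example, not something stated on this page.

```python
"""Pre-flight check for the saml-sso set-up described on this page.

Added example, not Cedalo's code: checks the plugins array of config.json, the
CEDALO_MC_SSO_* environment variables, and the usernames in users.json."""
import os
import re

REQUIRED_VARS = ("CEDALO_MC_SSO_USERNAME", "CEDALO_MC_SSO_ENTRY_POINT_URL",
                 "CEDALO_MC_SSO_LOGOUT_URL", "CEDALO_MC_SSO_HOST_URL",
                 "CEDALO_MC_SSO_ISSUER")
URL_VARS = ("CEDALO_MC_SSO_ENTRY_POINT_URL", "CEDALO_MC_SSO_LOGOUT_URL",
            "CEDALO_MC_SSO_HOST_URL")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def check_sso_setup(config, env, users):
    """Return a list of problems; an empty list means the set-up is consistent."""
    problems = []
    names = [p.get("name") for p in config.get("plugins", [])]
    if "saml-sso" not in names:
        problems.append('config.json: no {"name": "saml-sso"} entry in "plugins"')
    for var in REQUIRED_VARS:
        if not env.get(var):
            problems.append(f"env: {var} is not set")
    for var in URL_VARS:  # assumption: SAML endpoints must be reached over TLS
        if env.get(var) and not env[var].startswith("https://"):
            problems.append(f"env: {var} is not an https:// URL")
    admin = env.get("CEDALO_MC_SSO_USERNAME", "")
    if admin and not EMAIL.fullmatch(admin):  # default config: username == IdP mail
        problems.append("env: CEDALO_MC_SSO_USERNAME is not an email address")
    key = env.get("CEDALO_MC_SSO_KEY_PATH")  # only needed for the client assertion flow
    if key and not os.path.isfile(key):
        problems.append(f"env: CEDALO_MC_SSO_KEY_PATH {key!r} does not exist")
    for user in users:  # a username that is not the IdP mail value can never log in
        name = user.get("username", "")
        if not EMAIL.fullmatch(name):
            problems.append(f"users.json: username {name!r} is not a mail address")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the issuer is missing and one username is not a mail.
    sample_config = {"plugins": [{"name": "saml-sso"}]}
    sample_env = {"CEDALO_MC_SSO_USERNAME": "admin@example.com",
                  "CEDALO_MC_SSO_ENTRY_POINT_URL": "https://idp.example.com/saml2",
                  "CEDALO_MC_SSO_LOGOUT_URL": "https://idp.example.com/saml2",
                  "CEDALO_MC_SSO_HOST_URL": "https://mmc.example.com"}
    sample_users = [{"username": "alice@example.com"}, {"username": "bob"}]
    for problem in check_sso_setup(sample_config, sample_env, sample_users):
        print(problem)
```

Run it against the real files by loading config.json and users.json with json.load and passing os.environ as env.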
SSO Environment variables
CEDALO_MC_SSO_USERNAME - With the default configuration, this should be the email address of a user that exists in your Identity Provider; it will be used as the admin to initially access the Management Center.
CEDALO_MC_SSO_ENTRY_POINT_URL - URL to which the Service Provider should send the Login Request (the URL used for logging in). You can get it from your Identity Provider.
CEDALO_MC_SSO_LOGOUT_URL - URL to which the Service Provider should send the Logout Request (in AzureAD, this is usually the same as the URL used for login, i.e. CEDALO_MC_SSO_ENTRY_POINT_URL).
CEDALO_MC_SSO_HOST_URL - Host URL of the Service Provider (the host to which the Identity Provider should redirect the Login Response).
CEDALO_MC_SSO_ISSUER - Issuer field in the Identity Provider (Entity ID in AzureAD).
CEDALO_MC_SSO_KEY_PATH - Required only if you want to use the client assertion flow. Path to the key file (.pem). (In the case of AzureAD, it can be downloaded from the AzureAD SP metadata page.)
Disabling SSO
Note that the SSO plugin does not work together with the base login plugin.
If you want to disable SSO for some reason and enable base login, you will need to find the config file located at the path specified with the CEDALO_MC_PROXY_CONFIG environment variable, or by default stored in management-center/config/config.json (or, if you are using the rpm package, /var/opt/cedalo/management-center/config/config.json), and manually delete the saml-sso entry under plugins.