Skip to main content
Version: Mosquitto 2.9

Single Sign-On


This page describes how to use the Single Sign-On Plugin that is provided by the Management Center for the Pro Edition of Eclipse Mosquitto (MMC).


Single Sign-On is a widely accepted authentication scheme that allows the login process in the Management Center to happen on the side of your identity provider of choice. This allows your users to have only a single account for all of your internal systems, which boosts user experience and transfers the responsibility of handling user credentials to the identity provider, which is specifically designed to store user accounts data with the maximum possible security level.

Management Center currently supports a SAML-based SSO.


Mosquitto Management Center uses the mail field of the user object passed from the identity provider as a unique username for logging this user in. No more data for the user object from the Identity Provider is required. This can, however, be changed if your requirements are different.

Enable SSO Plugin

To enable the plugin, you should make sure you are using Pro Edition of Mosquitto and that you have the User Management feature enabled in your license. Also, ensure that your config file (specified with CEDALO_MC_PROXY_CONFIG environmental variable or by default saved in management-center/config/config.json) contains the following entry inside of the plugins array:

"name": "saml-sso"

Also, you need to specify the following environmental variables for the SAML SSO configuration:


You can read more about these variables below.


SSO plugin needs to have an initial admin user configured, using which you will be able to access the Management Center initially. You can configure this user using CEDALO_MC_SSO_USERNAME variable

On start-up, the Management Center will print a message that the saml-sso plugin is enabled and loaded into the console:

Loaded plugin: "saml_sso" (Cedalo SAML SSO)

To use the users coming from the Identity Provider with the Management Center, you will need to populate the users.json file with valid user objects that have username filed equal to the mail field in your identity provider (this is the only field which is required). Meaning that you have to tell Mangement Center which users coming from your Identity Provider can access it. The populating can be done through the normal user creation process in the User Management tab or using the User Management REST API.

SSO Environment variables

CEDALO_MC_SSO_USERNAME - As per default configuration this should be an email address of the user that exists in your Identity provider and will be used as an admin to initially access the Management Center.

CEDALO_MC_SSO_ENTRY_POINT_URL - Path to where the Service Provider should send the Login Request (URL used for logging in). You can get it from your Identity Provider.

CEDALO_MC_SSO_LOGOUT_URL - Path to where the Service Provider should send the Logout Request (in AzureAD, it's usually the same as the URL used for login, e. i. CEDALO_MC_SSO_ENTRY_POINT_URL)

CEDALO_MC_SSO_HOST_URL - Host URL of the Service Provider (to what host should the Identity Provider redirect the Login Response)

CEDALO_MC_SSO_ISSUER - Issuer field in the Identity provider (Entity ID in AzureAD)

CEDALO_MC_SSO_KEY_PATH - Required if you want to use client assertion flow. Path to key file (.pem). (In case of the AzureAD, it can be downloaded from the AzureAD SP metadata page)

Disabling SSO


Note that SSO plugin does not work together with the base login plugin.

If you want to disable SSO for some reason and enable base login, you will need to find the config file located in the path specified with CEDALO_MC_PROXY_CONFIG environmental variable or by default stored in management-center/config/config.json or if you are using rpm package: /var/opt/cedalo/management-center/config/config.json and manually delete saml-sso entry under plugins.