My colleague Victor and I have previously blogged about how to use OAuth and OpenID Connect (OIDC) to authenticate and authorize Solace Message Format (SMF) clients with PubSub+ Event Broker. In this post I will explain how to use Ping Identity as an identity provider to authenticate and authorize users of PubSub+ Manager using an interactive login. If you're not familiar with it, Ping Identity provides federated identity management and self-hosted identity and access management (IAM) solutions, including web identity and single sign-on.
Connecting a user to PubSub+ Manager using OIDC
The client credentials grant type is not appropriate for an interactive application like PubSub+ Manager; the authorization code grant was created for this type of application. Without going into details, the authorization code grant uses a series of redirects to send the user to the identity provider to enter their credentials, and then returns them to the original web page authenticated and authorized by the identity provider. In this example PubSub+ Manager will be configured for interactive login using Ping Identity as the identity provider.
Step 1: Set up PubSub+ Event Broker
To get started, you'll need a running instance of PubSub+ to configure. Solace just released support for rootless Podman in PubSub+ release 10.1; this is a good opportunity to try that out at the same time. On my Windows laptop, I have an Ubuntu 22.04 installation in WSL2. I installed Podman into my Ubuntu install, following the install instructions provided on the Podman webpage.
Before creating the rootless instance of PubSub+ using Podman, there is a bit of prep that needs to be done. To do an OAuth / OIDC login, PubSub+ Manager needs to be accessed over TLS, and for that you need to configure the PubSub+ instance with a server certificate. For this, generate a simple self-signed certificate (not recommended for a production use case). Create a file called solace.cnf with the following content:
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CA
stateOrProvinceName = N/A
localityName = Ottawa
organizationName = Solace
emailAddress = firstname.lastname@example.org
organizationalUnitName = myorg-unit
commonName = solace

[req_ext]
subjectAltName = DNS:solace, DNS:localhost

[v3_req]
subjectAltName = DNS:solace, DNS:localhost
To create the certificate in a format that can be loaded into the PubSub+ instance, issue the following commands:
$ openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout solace.key -out solace.crt -config solace.cnf
$ cat solace.crt solace.key > solace.pem
Using the Rootless Podman for Ubuntu Getting Started Guide from https://docs.solace.com as a starting point to create the rootless instance of PubSub+, create a directory to store the state for the PubSub+ container:
$ mkdir /home/<user-name>/storage-group
$ podman unshare chown 1000:0 -R /home/<user-name>/storage-group
Then create the container instance, mounting the certificate and the storage-group directory inside the container:
podman run -d -u 1000 --shm-size=1g \
  -p 8080:8080 -p 55555:55555 -p 1943:1943 \
  --env username_admin_globalaccesslevel=admin \
  --env username_admin_password=admin \
  --net slirp4netns:port_handler=slirp4netns \
  --mount type=bind,source=/home/<user-name>/storage-group,destination=/var/lib/solace,relabel=private,ro=false \
  --mount type=bind,source=/home/<user-name>/solace.pem,destination=/var/run/secrets/solace.pem,relabel=private,ro=false \
  --env tls_server_certificate_filepath=/var/run/secrets/solace.pem \
  --name solace docker.io/solace/solace-pubsub-standard:edge
Once that instance starts up, you should be able to point your web browser at https://localhost:1943 to access PubSub+ Manager. The admin password is admin.
That gives us a running instance of PubSub+ that can be configured for interactive login using Ping Identity as the identity provider. The next step is to sign up for a trial account from Ping Identity.
Step 2: Configure Ping
Go to https://www.pingidentity.com and click "Try Ping for Free" to sign up for a 28-day free trial. Once your trial is activated, log in.
Record the password for later and click “Save”.
Give the group a name and click “Save”.
Configure the “Redirect URLs” to https://localhost:1943/oauth/complete and click “Save”.
Create the groups attribute and map the “Group Names” to it. Check the “Required” box and click “Save”. Don’t forget to enable the client by adjusting the slider at the top.
Select "Message-VPN-Read-Write" to make the user a member of the group, and click "Save".
Step 3: Configure the broker to authenticate users via Ping
Unfortunately, at the time of writing, the configuration for OAuth / OIDC on the PubSub+ broker is not supported in Manager, so the next bit will have to be done via the CLI. From the shell where the broker instance was created, enter:
$ podman exec -it solace cli
Then enter the following commands.
> enable
# configure
(configure)# authentication
(configure/authentication)# create oauth-profile ping
Next, configure the client-id, client-secret and discovery endpoint (these are the values recorded in the previous steps). Enter the following commands from the configure/authentication/oauth-profile level.
(configure/authentication/oauth-profile)# client-id <client-id>
(...thentication/oauth-profile)# client-secret <client-secret>
(...thentication/oauth-profile)# endpoints
(.../oauth-profile/endpoints)# discovery <discovery-endpoint>
Next, configure the access levels for the groups created in Ping.
(.../oauth-profile/endpoints)# exit
(...thentication/oauth-profile)# access-level
(...profile/access-level)# create group Message-VPN-Read-Write
(...profile/access-level/group)# message-vpn
(...level/group/message-vpn)# create access-level-exception default
(...vpn/access-level-exception)# access-level read-write
(...vpn/access-level-exception)# exit
(...rofile/access-level/group/message-vpn)# exit
(...tion/oauth-profile/access-level/group)# exit
The above commands create an access-level group named Message-VPN-Read-Write (this must match the name of the group created in Ping) and give members of this group read-write access to the default message-vpn. Now, do the same for the Global-Access-Read-Write group.
(...profile/access-level)# create group Global-Access-Read-Write
(...profile/access-level/group)# global-access-level read-write
(...tion/oauth-profile/access-level/group)# exit
(...entication/oauth-profile/access-level)# exit
There are a few less obvious settings, discovered while debugging, that also need to be configured to get the setup to work. From the configure/authentication/oauth-profile level, enter the following commands.
(...thentication/oauth-profile)# prompt-for-new-session login
(...thentication/oauth-profile)# client
...oauth-profile/client)# create allowed-host localhost:1943
(...thentication/oauth-profile/client)# no validate-type
(...thentication/oauth-profile/client)# exit
(configure/authentication/oauth-profile)# no shutdown
Enter the username and password. Remember that the password originally given to the user was a one-time password, so you will be prompted to enter a new password. Once this is done, you will be redirected back to PubSub+ Manager as an authenticated user that is authorized with read-write access in the default message-vpn (remember the user was added to the Message-VPN-Read-Write group in the Ping portal).
Add the "Global-Access-Read-Write" group to the user and click "Save". Now log out from PubSub+ Manager and log back in using Ping. You will again be prompted to enter the user's credentials; proceed to do this. Now when you are redirected back to PubSub+ Manager, you will see the "System" configuration show up on the left, since the user now has the Global-Access-Read-Write access level in addition to read-write in the default message-vpn.
This example demonstrates PubSub+ Manager working with the third-party identity provider Ping Identity to implement an interactive login. When a user opts to log in using Ping from the PubSub+ login screen, they are redirected to Ping to enter their credentials and then redirected back to PubSub+ Manager with a token that contains the user's identity and the groups from which the broker derives their authorized access level.
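To make concrete what the access-level configuration above achieves once the token comes back, here is an added illustration (my own example code, not the broker's implementation and not part of the Solace product): it validates a token's signature, issuer, audience and expiry before trusting any claim, then folds the groups claim into an effective access level using the same two group names configured on the broker. The issuer, client-id, signing key and token contents are constructed placeholders; the broker itself validates the provider's asymmetric signature via the discovery endpoint, whereas this example uses HS256 only so that it runs with the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Mapping configured on the broker in this post: Ping group name -> what it grants.
# Group names must match the Ping group names exactly; unknown groups grant nothing.
GROUP_ACCESS = {
    "Message-VPN-Read-Write": {"message-vpn": {"default": "read-write"}},
    "Global-Access-Read-Write": {"global-access-level": "read-write"},
}

# Placeholders (assumptions): the issuer advertised by the discovery endpoint and
# the client-id registered in Ping. Real values come from the Ping console.
EXPECTED_ISSUER = "https://issuer.example/as"
EXPECTED_AUDIENCE = "example-client-id"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_and_decode(token, key, now=None):
    """Check signature, issuer, audience and expiry before trusting any claim.

    Raises ValueError on any failure. HS256 keeps this stdlib-only; an OIDC
    provider signs with an asymmetric key fetched via the discovery endpoint.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if EXPECTED_AUDIENCE not in aud:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def access_levels(claims):
    """Fold the 'groups' claim into effective access. Baseline (assumed) is no
    global access and no message-vpn access; only configured groups add to it."""
    effective = {"global-access-level": "none", "message-vpn": {}}
    for group in claims.get("groups", []):
        grant = GROUP_ACCESS.get(group)
        if grant is None:
            continue  # a group the broker was never told about grants nothing
        if "global-access-level" in grant:
            effective["global-access-level"] = grant["global-access-level"]
        for vpn, level in grant.get("message-vpn", {}).items():
            effective["message-vpn"][vpn] = level
    return effective


def make_token(claims, key):
    """Build an HS256 JWT: constructed test data standing in for Ping's ID token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


KEY = b"constructed-demo-key"   # constructed; stands in for the provider's signing key
NOW = 1_700_000_000              # fixed clock so the outcome is reproducible

if __name__ == "__main__":
    tok = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
                      "exp": NOW + 300, "groups": ["Message-VPN-Read-Write"]}, KEY)
    print(access_levels(verify_and_decode(tok, KEY, now=NOW)))
```

Adding "Global-Access-Read-Write" to the groups claim is what flips the global access level to read-write, which is exactly the change that made the "System" section appear in Manager after the group was added to the user in Ping. Note that the validation happens first: a token with a bad signature, the wrong audience, or an expired lifetime is rejected before any group is looked at.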
For more information, see "Configuring OAuth Authentication" in the Solace documentation.