
Identity Providers and SSO Authentication

AutoMQ supports configuring an enterprise identity provider (hereinafter IdP) over the SAML protocol, so that AutoMQ environment members can be managed and authenticated through your existing IdP instead of AutoMQ local usernames and passwords.

After enabling SSO in AutoMQ, you can manage all users in one place and allow users to log in to AutoMQ using their existing SSO credentials.

Prerequisites

The AutoMQ console by default provides an initial admin member and local member login method. To enable SSO login, the following conditions must be met:

  • The company's IdP must support the SAML 2.0 protocol. AutoMQ does not currently support the OIDC protocol.

  • The enterprise IdP must uniquely identify each user.

  • The usernames provided by the enterprise IdP must not conflict with the local member names in AutoMQ. Refer to Member Accounts.

Usage Limitations

When using Enterprise IdP for SSO login in the AutoMQ Console, the following limitations apply:

  • Each AutoMQ Console only supports the configuration of a single Enterprise IdP and does not currently support multiple identity sources.

  • After configuring the IdP, SSO is enabled by default, but the local user login method is still supported. Environment administrators can manage SSO through local login.

  • If the IdP is deleted, SSO is disabled by default; existing SSO members are not deleted and must be removed manually.

  • Conversion between SSO members and local members is not currently supported.

  • SAML Session logout protocol is not currently supported.

Configuring Enterprise Identity Providers and SSO

Step 1: Configure AutoMQ Console Domain Name

Before configuring IdP and enabling SSO login, the environment admin needs to set up the domain name for the AutoMQ console. This ensures that enterprise users can access the AutoMQ console via their browsers using the specified domain name. The configuration steps are as follows:

  1. The enterprise admin clicks the Settings menu.

  2. On the settings page, click Add Console Domain Name.

  3. Enter the domain name, port, and protocol that the console will use to provide services to users.

Enterprise users who require the HTTPS protocol are advised to place the console domain behind a front-end load balancing service such as ALB, which performs the TLS offloading.

  4. Once setup is complete, conduct a connectivity test.

Step 2: Obtain SP Information from the AutoMQ Console

An AutoMQ environment administrator (a member authorized with the environment administrator role) should view the AutoMQ SP information and provide it to the enterprise IdP administrator. Follow these steps:

  1. Click the Access and Control section in the navigation bar, then click Add IdP.

  2. Select Console External Domain.

  3. View the identity information of the AutoMQ console as a Service Provider (SP). Submit the SP information to the enterprise IdP administrator for entry. The administrator can manually copy the information or download the metadata file directly.

    1. SP EntityID: A unique identifier for the AutoMQ console.

    2. Assertion Consumer Service URL: The ACS URL is the unique address where AutoMQ, as an SP, receives SAML Responses, and it needs to be configured on the IdP.

    3. AutoMQ SP Certificate: The certificate the IdP uses to verify requests signed by AutoMQ.

Step 3: Configure AutoMQ Service in Enterprise IdP

After obtaining the SP information in Step 2, the enterprise IdP administrator needs to configure the SP information of the AutoMQ console in the IdP service. The exact operations depend on the IdP service; the following example uses Auth0:

  1. Log in to the Auth0 account.

  2. Select Applications.

  3. Click Create Application.

  4. Enter the application name.

  5. Select Regular Web Applications and click Create.

  6. Once the application is created, navigate to the Addons settings page to enable SAML2.0 configuration.

  7. Click on the SAML 2 WEB APP option to open the settings page, and configure the following parameter:

    1. In the Application Callback URL parameter box, set the ACS URL obtained from the AutoMQ console.

  8. Click Enable and save.

  9. On the Usage Tab page, record the Identity Provider Login URL, Issuer URN, and Identity Provider Certificate information for use in Step 4 for IdP information entry.

Step 4: Complete IdP Entry in the AutoMQ Console

After configuring the enterprise IdP, the IdP information needs to be recorded in the AutoMQ console to complete the connection. The AutoMQ console supports manual entry and direct upload of metadata files. The required information is as follows:

  • IdP Alias: This is used to distinguish the information of the IdP. It supports English and Chinese letters, numbers, hyphens, and underscores, with a length limit of 3-64 characters.

  • IdP Entity ID: This is the unique identifier used to recognize the IdP.

  • IdP SSO URL: This is the unique login address assigned by the IdP to the AutoMQ console.

  • IdP Certificate: This is the certificate information used by the IdP to sign and encrypt SAML responses.

  • UserID Mapping (Optional): AutoMQ extracts the unique user ID attribute from the SAML response. If not set, the default value will be used.

  • UserName Mapping (Optional): AutoMQ extracts the displayed environment member name attribute from the SAML response. If not set, it will be the same as UserID.

  • Session Expiration Time Mapping (Optional): AutoMQ extracts the session expiration time attribute from the SAML response. If not set, it will default to 6 hours.
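To make the Step 4 mappings and their defaults concrete, the following added example (not AutoMQ's own code) applies a UserID, UserName and session-expiration mapping to a constructed SAML Response and, before trusting any attribute, checks that the response's Destination is this SP's ACS URL and that the assertion's Audience names this SP's EntityID, both values from Step 2. The SP values, attribute names and the convention that the session attribute carries a lifetime in minutes are assumptions; the block uses the standard-library XML parser and does not verify the XML signature, which a real SP must do with the IdP certificate from Step 4 before accepting the assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed stand-ins for the SP values shown in Step 2 (not real AutoMQ values).
SP_ENTITY_ID = "https://console.example.com/saml/metadata"
ACS_URL = "https://console.example.com/saml/acs"
DEFAULT_SESSION = timedelta(hours=6)  # page default when no session mapping is set
# Constructed, unsigned SAML Response used as sample input.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
 <saml:Issuer>urn:example-idp</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="displayName"><saml:AttributeValue>Alice L.</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="sessionMinutes"><saml:AttributeValue>120</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def attributes(root):
    """Flatten the AttributeStatement into {Name: first AttributeValue}."""
    out = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    return out

def map_member(xml_text, userid_attr="uid", username_attr=None, session_attr=None, now=None):
    """Apply the Step 4 mappings to a SAML Response; reject responses not meant for this SP."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    if SP_ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        raise ValueError("Audience does not name this SP's EntityID")
    attrs = attributes(root)
    user_id = attrs.get(userid_attr, "")
    if not user_id:
        raise ValueError(f"UserID attribute {userid_attr!r} missing")
    # UserName falls back to UserID; session lifetime falls back to 6 hours.
    user_name = attrs.get(username_attr, user_id) if username_attr else user_id
    lifetime = DEFAULT_SESSION
    if session_attr and attrs.get(session_attr, "").isdigit():  # assumed: lifetime in minutes
        lifetime = timedelta(minutes=int(attrs[session_attr]))
    return {"user_id": user_id, "user_name": user_name,
            "session_minutes": int(lifetime.total_seconds() // 60),
            "expires_at": (now or datetime.now(timezone.utc)) + lifetime}
```

Calling `map_member(SAMPLE_RESPONSE)` with no mappings yields the defaults described above (UserName equal to UserID, a 6-hour session), while a response whose Destination or Audience does not match the SP values is rejected before any attribute is read.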

Advanced attribute field settings are as follows:

Step 5: SSO User Login

Once IdP input and SSO configuration are complete, the AutoMQ console can be accessed using SSO login.

Note:

When a new user logs in directly using SSO, they will, by default, have no permissions to operate within the environment and will require authorization from an environment administrator to access specific resources.

Environment administrators can also pre-create SSO members and assign predefined roles to them, allowing these SSO members to operate the console normally upon subsequent logins.