About Identity Management

As the Anypoint Platform organization administrator, you can configure identity

management in Anypoint Platform to set up users for single sign-on (SSO). An
organization can have up to 25 external identity providers, or IdPs, configured for
SSO. Configure identity management using one of the following single sign-on
standards:
o OpenID Connect: End user identity verification by an authorization server including
SSO
o SAML 2.0: Web-based authorization including cross-domain SSO

The following diagram shows the SAML identity management process:

Before configuring OpenID Connect or SAML 2.0, select an OpenID Connect-

compliant provider, such as PingFederate, OpenAM, or Okta. If you are not using
OpenID Connect, select any SAML 2.0-compliant provider.
The following SAML providers are fully supported:
o Salesforce
o PingFederate (versions: 6, 7, 8)
o OpenAM (version: 14)
o Okta
The following SAML providers are known to work, but aren’t actively tested:
o Active Directory Federation Services (AD FS)
o Shibboleth
o onelogin
o CA Single Sign-On
o SecureAuth
The following providers are fully supported to work with OpenID Connect:
o Salesforce
o PingFederate (versions: 6, 7, 8)
o OpenAM (version: 14)
o Okta
After you select an identity provider:
o Set up your Anypoint Platform organization as your audience in your identity provider
configuration.

The IdP you select is effective for the entire organization and all business groups.

o Configure identity management in the Anypoint Platform root organization.

o Configure attribute names on the IdP and Anypoint Platform to match.
For more information, see the documentation for your identity provider.

Managing Users with an External

Identity Provider
After configuring external identity management, you must add new SSO users using
your external identity management solution and internal provisioning process. If you
use the Invite User feature to add users to your organization after you have
configured an identity provider, the credentials for these users are stored locally in
your organization rather than with the identity provider.
Users that log in with SSO are new users to the system. If the new user has the
same username as a user that already exists in your Anypoint Platform organization,
the new user co-exists with the original user with the same username. Users with the
same username are managed independently from one another.

Configure OpenID Connect

Identity Management
This task topic covers two identity management procedures for client registration in
OpenID Connect:
o Dynamic registration
o Manual registration
MuleSoft verifies support in Anypoint Platform for the following registrations:
o Clients created dynamically in Okta and OpenAM
o Clients created manually in Salesforce, Okta, OpenAM, and PingFederate
Please note, that although integration with the aforementioned Identity providers
have been officially tested, Anypoint platform supports the OpenID Connect Protocol.
This means that, any Identity Provider that supports the protocol should be able to
integrate unless they diverge from the specification.
 If you already configured Anypoint Platform as a client application in your identity
provider, perform manual registration. Otherwise, if your identity provider supports
dynamic client registration, perform dynamic registration. During registration, you
need to provide several URLs. The following table contains examples of the URLs
you need to provide, depending on your provider, during registration.

URL
PingFederate
Nam Okta Example URL Salesforce Example URL OpenAM Example URL
Example URL
e

Base https:// https:// https:// https://

example.okta.com/ domain.my.salesforce.com example.com/ example.com
oauth2/v1 /services/oauth2 openam/oauth2 :9031

Clie {BASE URL}/clients {BASE URL}/clients {BASE N/A

nt URL}/connect/register
Regi
strati
on
Auth {BASE URL}/authorize {BASE URL}/authorize {BASE URL}/authorize {BASE
orize URL}/as/author
ation.oauth2
Tok {BASE URL}/token {BASE URL}/token {BASE {BASE
en URL}/access_token URL}/as/token.
auth2
User {BASE URL}/userinfo {BASE URL}/userinfo {BASE URL}/userinfo {BASE
Info URL}/idp/userin
o.openid

Configure OpenID Connect Dynamically

1. Log in to Anypoint Platform using an account that has the Organization Administrator
permission.
2. In the navigation bar or the main Anypoint Platform page, click Access
Management.
3. In the Business Groups menu, select your root organization.
4. In the Access Management navigation menu, click Identity Providers.
5. In the Identity Management page, select OpenID Connect.
The External Identity - Identity Management OpenID Connect form appears.
6. Fill in the following required fields after obtaining values from your identity provider’s
configuration:
o Client Registration URL
The URL to dynamically register Anypoint as a client application for your identity provider.
o Authorize Header
 The authorization header for dynamic client registration request. This is an optional field under
the Advanced Settings link. This header is required if the provider restricts registration requests
to authorized clients.
o Okta: This value is  SSWS ${api_token} , where  api_token  is an API token created through
Okta.
o OpenAM: This value is  Bearer ${api_token} , where  api_token  is an API token created
through OpenAM.
o Authorize URL
The URL where the user authenticates and grants OpenID Connect client applications access to
the user’s identity.
o Token URL
The URL that provides the user’s identity encoded in a secure JSON Web Token.
o User Info URL
The URL that returns user profile information to Anypoint.

7. Save your configuration.

8. Sign out and navigate to your organization’s SSO URL, for example:
https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain}

9. Log in through your identity provider to test the configuration.

The dynamically registered application at the identity provider has only default settings. If you want to
configure additional functionalities (such as group mappings), you must update the settings on the
provider side. Configuring dynamically registered applications is not currently supported.

Configure OpenID Connect Manually

1. Log in to Anypoint Platform using an account that has the Organization Administrator
permission.
2. In the navigation bar or the main Anypoint Platform page, click Access
Management.
3. In the Access Management navigation menu, click Identity Providers.
4. From Identity Management, select OpenId Connect.
The External Identity - Identity Management OpenID Connect form appears.
5. Click  Use manual registration  under Client Registration URL.
6. Create a client application for the Anypoint Platform inside your Identity Provider.
o Your Identity Provider requires a redirect URI for redirecting authenticated users. Use the
automatically generated redirect URI above the Client ID field.
o Inside your Identity Provider, ensure that your client’s supported scopes
include  openid ,  profile , and  email .
o Inside your Identity Provider, ensure that your client uses the  authorization_code  grant type.
o Store your Client ID and Client Secret values in a secure place and enter these values in the next
step.
7. Fill in the following required fields after obtaining them from your identity provider’s
configuration:
o Client ID
The unique identifier that you provided for your manually created client application.
o Client Secret
The password, or secret, for authenticating your Anypoint Platform client application with your
Identity Provider.
o Authorize URL
The URL where the user authenticates and grants OpenID Connect client applications access to
the user’s identity.
o Token URL
The URL that provides the user’s identity encoded in a secure JSON Web Token.
o User Info URL
The URL that returns user profile information to the client app.
o OpenID Connect Issuer

The location of the OpenID Provider. For most providers,  /.well-known/openid-

configuration  is appended to the issuer to generate the metadata URL for openID Connect
specifications. For Salesforce, you must provide the value for  issuer .

8. Save your configuration.

9. Sign out and navigate to your organization’s SSO URL, for example:
https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain}

10. Log in through your identity provider to test the configuration.

Configure LDAP in Anypoint

Platform Private Cloud
The following procedure describes how to configure user management using LDAP
version 3 for the Private Cloud Edition of Anypoint Platform. User management
through LDAP is only available for the Private Cloud Edition.
1. From Anypoint Platform, click Access Management > External Identity.
A form for configuring LDAP appears.
2. In the LDAP configuration form, set the connection settings for your LDAP service.
o Host
The host name of your LDAP server. If you are using TLS in your ldap server,
use  ldaps://mulesoft.com  use this host name:  ldap://mulesoft.com

o Port

The port used to communicate to your LDAP server. The default ldap port is  389 . The default
ldaps port is  636 .

o Self-Signed Cert
 Mark this check box if you are using a self-signed certificate on your LDAP server. Use a Self-
Signed certificate for testing your connection to the LDAP server.
o Bind DN
The distinguished names for the user making the LDAP queries. For
example,  uid=admin,ou=people,dc=mulesoft,dc=com .

o Password

The password for the LDAP server. For example, examplepassphrase .

o Connection Timeout

The timeout frame (in seconds) for a connection. For example,  10 .

o Operation Timeout

The timeout frame (in milliseconds) for an operation. For example,  30000 .

3. Set up search bases and filters

o User
The base level for your user search base object. For
example,  uid=admin,dc=mulesoft,dc=com .

Group
The base level for your groups search base object. For
example,  ou=groups,dc=mulesoft,dc=com .

4. Set the distinguished names for your user and group

o User
The distinguished name for your user search base object. For
example, uid={{username}},ou=people.dc=mulesoft,dc=com .

o Group
The distinguished name for your groups search base object. For
example,  ou=groups,dc=mulesoft,dc=com .

o Search filters
o User by Username
The search filter to find users by user name. For
example,  (&(objectClass=inetOrgPerson)(uid={{username}})) .

o User by Email

The search filter to find users by email. For example,  (&(objectClass=inetOrgPerson)

(mail={{email}})) .

o Group by GroupName
The search filter to find groups by groupName. For
example,  (&(objectClass=groupOfNames)(cn={{groupName}})) .

o User’s Groups by Username

 The search filter to find user groups by userName. For
example,  (&objectClass=GroupOfNames)
(member=uid={{username}},ou=people,dc=mulesoft,dc=com)) .

5. Map the User fields

o Username

Field that represents the user name. For example,  uid .

o Email

Field that represents the email. For example,  mail .

o First Name

Field that represents the first name. For example,  givenName .

Last Name
Field that represents the last name. For example,  sn .

o ID

ID for your user. For example,  uid .

6. Map the group fields

o Group Name

Field that represents your Group name. For example, cn .

o ID

Field that represents your groups Id. For example,  bcd6b4c4-aec5-4493-be1b-

8e2e8eecf662 .

7. Save the configuration.

Configure SAML for SSO

Configure SAML to provide external authentication of users and Single Sign-on
(SSO) capability so users don’t need to provide additional credentials when they
access Anypoint Platform.
Configuring SAML for SSO involves:
o Beginning with a configured SAML identity provider (IdP)
o Navigating to and completing the External Identity - Identity Management SAML
2.0 form in Anypoint Platform, and optionally configuring some advanced settings
o Saving and testing your new configuration

Prerequisites
o Your Anypoint Platform organization must be set up as your audience.
o The assertion consumer service must be set to send a  POST  request
to  https://anypoint.mulesoft.com/accounts/login/:org-domain/providers/:prov
 iderId/receive-id .
Note that  :providerId  is available only after you create the provider configuration.

If you are using the Anypoint Platform EU Control Plane, the endpoint
is  https://eu1.anypoint.mulesoft.com/accounts/login/:org-domain/providers/:
providerId/receive-id .
If you are using the Anypoint Platform Gov Cloud, the endpoint
is  https://gov.anypoint.mulesoft.com/accounts/login/:org-domain/providers/:
providerId/receive-id .

Configure SAML in Identity

Management
1. Log in to Anypoint Platform using an account that has the Organization Administrator
permission.
2. In the navigation bar or the main Anypoint Platform page, click Access
Management.
3. In the Access Management navigation menu, click Identity Providers.
4. Select Identity Providers > SAML 2.0.
5. In the Configurations tab, complete the required fields of the Identity Management
SAML 2.0 form:
o Sign On URL

Redirect URL provided by the IdP for signin, for example:  https://example.com/sso/saml .

o Sign Off URL

URL to redirect signout requests, so users both sign out of the Anypoint Platform and have their
SAML user’s status set to signed out.
o Issuer
ID of the identity provider instance that sends SAML assertions.
o Public Key
Public key provided by the identity provider, which is used to sign the SAML assertion. It is the
"X509Certificate" value in the SAML Response.
o Audience
An arbitrary string value that identifies your Anypoint Platform organization. The typical value for
this string is  <organizationDomain>.anypoint.mulesoft.com .

o Single Sign-On Initiation

Specify whether SSO can be initiated by the Anypoint Platform, your identity provider (for
example, Okta), or both.
o The Service Provider Only option allows only the Anypoint Platform to initiate SSO.
o The Identity Provider Only option allows only your external identity provider to initiate SSO.
o The Both option allows either Anypoint Platform or your external identity provider to initiate SSO.
The default value for this setting for newly configured identity provider configurations is Both.
6. Optionally, expand Advanced settings, and provide the following values:
o Username Attribute

Field name in the SAML  AttributeStatements  that maps to username. If no value is

configured, the  NameID  attribute of the SAML  Subject  is used (Note: this is outside the
SAML  AttributeStatements ).

o First Name Attribute

Field name in the SAML  AttributeStatements  that maps to  First Name .

o Last Name Attribute

Field name in the SAML  AttributeStatements  that maps to  Last Name .

o Email Attribute

Field name in the SAML  AttributeStatements  that maps to  Email .

o Group Attribute

Field name in the SAML  AttributeStatements  that maps to  Group .

o Require encrypted SAML assertions

If enabled, the SAML assertions sent from the IdP must be encrypted and follow the guidelines
mentioned in the Prerequisites.

7. Click Create.
8. Log out of Anypoint Platform, navigate to the sign-on URL you entered in
the Identity Management SAML 2.0 form, and then log in through your identity
provider to test the configuration.

Rotate a SAML Key

As a security best practice, many organizations rotate the key used to encrypt SAML
2.0 assertions. With the Key Rotation feature, Anypoint Platform can generate a new
key, or you can upload a public and private key pair (up to three keys). When you
want to rotate a key, you can designate a new primary key in Anypoint Platform and
your IdP, and you can revoke the obsolete key to remove it from the rotation.
The keys that you create or upload to Anypoint Platform must also exist in your IdP.
All keys present in Anypoint Platform can decrypt SAML 2.0 assertions sent by your
IdP. However, only the primary key is used by Anypoint Platform to sign SAML 2.0
AuthnRequests and SLO requests; the primary key must be configured in your IdP to
validate the signatures.

If you are migrating from the default Anypoint Platform SSO certificate to a new certificate, you must
update the Assertion Consumer Service (ACS) URL in your IdP. Only the new ACS URL supports the keys
generated by the key rotation feature. If your ACS URL already follows the pattern
of  …/accounts/login/:org-domain/providers/:providerId/receive-id , you do not
need to change the ACS URL.
 Add Keys for Key Rotation
When you use the key rotation feature, you must have keys available in Anypoint
Platform for your IdP to use. Anypoint Platform enables you to generate new keys or
upload existing public/private key pairs.

Generate a New Key

1. Log in to Anypoint Platform using an account that has the Organization Administrator
permission.
2. In the navigation bar or the main Anypoint Platform page, click Access
Management.
3. In the Access Management navigation menu, click Identity Providers.
4. Next to a SAML 2.0 IdP, click Edit.
5. Click the Anypoint Keys tab.
6. Click + New key and select Generate.
A newly generated key appears in the list of keys.

Upload an Existing Private and Public Key Pair

1. Log in to Anypoint Platform using an account that has the Organization Administrator
permission.
2. In the navigation bar or the main Anypoint Platform page, click Access
Management.
3. In the Access Management navigation menu, click Identity Providers.
4. Next to a SAML 2.0 IdP, click Edit.
5. Click the Anypoint Keys tab.
6. Click + New key, and select Upload.
7. In the Private key field, paste your private key.
8. In the Public key field, paste your certificate.
9. Click Upload.
The key you uploaded appears in the list of keys.

Rotate the Primary Key

Because you can store up to three keys, you must designate a primary key to be
used for signing requests from Anypoint Platform. Before reassigning the primary
key, ensure your IdP can access the key that you intend to use.
1. Log in to Anypoint Platform using an account that has the Organization Administrator
permission.
2. In the navigation bar or the main Anypoint Platform page, click Access
Management.
3. In the Access Management navigation menu, click Identity Providers.
4. Next to a SAML 2.0 IdP, click Edit.
5. Click the Anypoint Keys tab.
6. Next to the key that you want to make primary, click … and select Use as primary
key….
7. Click Apply.
 Revoke a Key
To help ensure security, revoke a key that you have already used as the primary
key. Before you revoke a key, ensure your IdP is not using the key. Note that when
you revoke a public key, Anypoint Platform also revokes the corresponding private
key. For security purposes, you cannot retrieve a key that has been revoked.
1. Log in to Anypoint Platform using an account that has the Organization Administrator
permission.
2. In the navigation bar or the main Anypoint Platform page, click Access
Management.
3. In the Access Management navigation menu, click Identity Providers.
4. Next to a SAML 2.0 IdP, click Edit.
5. Click the Anypoint Keys tab.
6. Next to the key that you want to revoke, click … and select Revoke.
7. Click Revoke.

Import SAML Metadata

When creating a new SAML 2.0 configuration, you can upload an XML file containing
your identity provider’s SAML 2.0 metadata to Anypoint Platform using the Import
IdP Metadata link. Once uploaded, the XML file’s values automatically populate
the Identity Management SAML 2.0 form.
When you upload an XML file to import your metadata:
o The file must be smaller than 16 KB.
o If you upload an XML file that contains more than one entry, Anypoint Platform uses
the first identity provider configuration.
o Anypoint Platform does not check the validity of the values in the XML that you
upload.
Verify that your identity configuration is correct before creating the identity provider
configuration.

Export SAML Metadata

If your identity provider supports uploading service-provider metadata, you can click
the Anypoint service provider metadata link to download your SAML configuration
settings in an XML file. You can then upload this file to your identity provider to
configure Anypoint Platform. Note that you must have a SAML 2.0 identity
configuration to export this data.

SSO Redirect Process Using Cookies

Anypoint Platform uses cookies to ensure that SSO users are redirected to the same
location from which they initiated their login.
1. When a user logs in to Anypoint Platform, a cookie is created for the login
session:  mulesoft.sess=xxxxx .
 The cookie contains the location, such as a public portal, from which the user
initiated the login.
2. The cookie is passed to the user’s browser.
3. The user is directed to their SSO provider for authentication.
4. After the user is authenticated using SSO, the provider directs the user back to
Anypoint Platform with the authorization decision SAML response.
5. The session cookie,  mulesoft.sess=xxxxx , is passed from the browser, which
redirects the user back to the location from which they initiated the login process.
6. After the user successfully logs in to Anypoint Platform, the  mulesoft.sess  cookie
returns to its default value, based on the OWASP standard.
Users can also be redirected based on their permissions. This occurs when:
o The browser does not pass a cookie.