External identity
- 2. • Setting up external identity means that you configure an identity provider (IdP) to authenticate an acting agent (either an user, a client, or both) and then assert to Anypoint Platform that said agent has been validated by it and should be trusted.
- 3. • This means that you can set up: • External identities for user management using SAML 2.0 • External identities for client management using OAuth 2.0 • External identities for both user and client management
- 4. User Management • The Anypoint Platform can be integrated with your organization’s external federated identity system allowing your users to have single sign-on (SSO) access to your Anypoint Platform organization. • In order to configure it, use the SAML configuration instructions in the section below and consult your IdPs specific documentation for instructions on how to apply this configuration for your intended provider.
- 5. Identity Providers • The Anypoint Platform supports SAML 2.0 compliant identity management providers for user management and SSO. • Although any SAML 2.0 compliant provider can be configured for this use, the following IdPs have been successfully tested as working with Anypoint Platform: • Ping Federate • OpenAM • Okta • Shibboleth • ADFS • onelogin • CA SiteMinder • For these providers, the 'Assertion Consumer Service' or 'SAML Assertion URL' is https://anypoint.mulesoft.com/accounts/login/receive-id and the 'entityID' or 'Audience URL' is any string value that identifies your organization. By convention it is <organizationDomain>.anypoint.mulesoft.com, but any value is acceptable.
- 6. Instructions for SAML Configuration • The instructions in this document allow you to configure your Anypoint Platform organization with any of the supported SAML 2.0 providers for SSO. • To configure federated identity: • Configure your SAML provider to set up your Anypoint Platform organization as your audience. • Set the Assertion Consumer Service to send an HTTP POST request to the following address: https://anypoint.mulesoft.com/accounts/login/receive-id • Log in with an administrator account into your Anypoint organization, click on the gear icon in the Nav bar which will take you to the Access Manager user interface , and select External Identity. If you haven’t set anything yet, you should see a screen like this • Click the link for "If you would like to configure single sign on with a SAML 2.0 provider you can get started here" and then provide the necessary data in the SAML 2.0 form to set up your Anypoint organization for SSO
- 7. Federated Organizations - Map Users to Anypoint Platform Roles • As of November 2014, Anypoint Platform provides a feature to help you map users in a federated organization’s LDAP group to an Anypoint Role. • This requires that your Anypoint Platform organization utilizes an external identity provider such as PingFederate. • This feature enables users in an organization to sign in to Anypoint Platform using the same organizational credentials and access permissions that an organization maintains using LDAP. • This ensures credential security and maintains organizational roles for accessing privileged information. • To support this feature you first need to configure an external identity following any of the methods described above, and then follow the two steps described below: • Verify SAML Information • The SAML assertion is an XML file that is issued by the external identity provider. • Log into Anypoint Platform and click the External Identity tab to verify your organization’s Identity management information.
- 8. Client Management • Client Management allows any client connecting to your application to identify itself using OAuth 2.0. • An OAuth client application interacts with the provider´s authorization server to obtain access tokens needed to call OAuth- protected services at the Anypoint Platform´s resource server. • The only OAuth 2.0 supported IdPs that work with Anypoint Platform are openAM and Ping Federate
- 9. openAM • If you want to use openAM for client management and if you’re not using Anypoint Platform on premises, you need to request that your account be configured in that way, as you can’t set this up manually. • Work with your MuleSoft account representative to ensure that we are aware of your needs for configuring your organization with PingFederate. • Complete the OpenAM form and MuleSoft will get back to you within 48 hours with either the completion of the configuration or follow-up questions to complete the configuration.
- 10. Ping Federate • If you want to use Ping Federate for client management and if you’re not using Anypoint Platform on premises, you need to request that your account be configured in that way, as you can’t set this up manually. • Work with your MuleSoft account representative to ensure that we are aware of your needs for configuring your organization with PingFederate. • Complete the Ping Federate Form. After you complete this form, MuleSoft gets back to you within 48 hours with either the completion of the configuration or follow-up questions to complete the configuration.
- 11. Single Log Out • Single log out is important so that a user or user agent can log out of an authenticated environment and ensure that both service providers and identity servers process the log out correctly. • To configure single log out: • In PingFederate, click the SP Configuration for the Anypoint Platform. • Go to Browser SSO and click Configure Browser SSO. • Under SAML Profiles, ensure that these are set: • IdP-Initiated SSO • IdP-Initiated SLO • SP-Initiated SLO • Go to Protocol Settings and click Configure Protocol Settings. • Configure a SLO Service Url with the following:
- 12. • Under Allowable SAML Bindings, click Redirect. • Under Encryption Policy, make certain that nothing is encrypted. • Save and click Done out of Protocol Settings and Browser SSO. • When viewing the SP Configuration for Anypoint Platform, go to Credentials, and click Configure Credentials. • Under Signature Verification Settings, click Manage Signature Verification Settings. Set the Trust Model to Unanchored, and import the attached certificate. Make it the active certificate.