How to Secure Anypoint Platform with SAML 2.0 with Azure AD


In this tutorial, we walk step by step through setting up Anypoint Platform as a SAML 2.0 Service Provider (SP) with Azure AD acting as the Identity Provider (IdP).

As an Anypoint Platform admin, you need to configure identity management in Anypoint Platform so that users sign in via single sign-on (SSO), which protects Anypoint Platform against unauthorized access.

external-identity
Source: MuleSoft

Azure AD Configuration

Step 1: Open your Azure Portal and Navigate to Azure Active Directory.

Step 2: Inside Azure Active Directory, click on Enterprise Applications -> All Applications, then create a new application.

create-new-app-azure

Step 3: From the Add an application screen, click Create your own application and name the application. Also make sure to select the (Non-gallery) application option.

create-anypoint-platform-app

Step 4: Click on your newly created enterprise application and head over to Set up single sign on.

setup-sso-azure

Step 5: You will be redirected to the Set up Single Sign-On with SAML page. On that page, configure the following:

Basic SAML Configuration:

  • Identifier (Entity ID): <<org-domain-name>>.anypoint.mulesoft.com
  • Reply URL (Assertion Consumer Service URL): https://anypoint.mulesoft.com/accounts/login/org-domain/providers/providerId/receive-id (you can get this from the SAML Identity Provider settings in your Anypoint account). For now, copy and paste this URL as-is; we will modify it later.
basic-config

We will replace providerId later, because the providerId is only assigned after the identity provider has been created in Anypoint Platform.

User Attributes & Claims: You can either customize or leave the default values.

user-attributes

SAML Signing Certificate: Download the Federation Metadata XML, which we will use while configuring the identity provider in Anypoint Platform.

Step 6: Add a user to this Anypoint Platform application. To add a user, on the application page navigate to Users and groups and click on Add user/group.

add-users

Now select the users who should have access to this application (that is, to Anypoint Platform) and assign them to the application.

Don't worry about the roles here; the user won't have any Anypoint Platform roles yet.

add-users-azure-app

Mine is a free trial account, so I do have limited access to certain features.

Anypoint Platform Configuration

Step 1: Log in to your Anypoint Platform account and navigate to Access Management.

Step 2: In the Access Management menu, click on Identity Providers and then SAML 2.0.

identity-providers

Step 3: On the next page, upload the XML file that you downloaded in the previous section. As soon as you upload the file, a few fields will be populated automatically.

saml-config-1

The Sign On URL, Sign Off URL, Issuer and Public Key values are auto-populated from your XML file.

You will need to configure the remaining fields manually as follows:
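To see where those four auto-populated values come from, here is an added example (not MuleSoft's or Microsoft's code) that parses a federation metadata document of the shape Azure AD exports and pulls out the issuer, the sign-on and sign-off endpoints and the signing certificate that Anypoint shows as the Public Key. The embedded metadata is a constructed sample: the tenant id and the certificate body are placeholders, and the function names are my own.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Azure AD's Federation Metadata XML.
# The tenant id and the certificate body are placeholders, not real values.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>MIIC-PLACEHOLDER-SIGNING-CERT</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _location(idp, service_name, binding):
    """Return the Location of the first <service_name> element using the given binding."""
    for svc in idp.findall(f"md:{service_name}", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def parse_federation_metadata(xml_text):
    """Extract the values an SP needs from IdP metadata (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # Only keys usable for signing matter to the SP; an absent 'use' means both.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop base64 line wrapping
    if not certs:
        raise ValueError("no signing certificate: SAML responses could not be verified")

    return {
        "issuer": root.get("entityID"),
        "sign_on_url": _location(idp, "SingleSignOnService", REDIRECT)
        or _location(idp, "SingleSignOnService", POST),
        "sign_off_url": _location(idp, "SingleLogoutService", REDIRECT),
        "public_keys": certs,
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS),
    }


def to_pem(b64_cert):
    """Wrap a bare base64 certificate body as PEM for inspection with standard tools."""
    body = "\n".join(b64_cert[i:i + 64] for i in range(0, len(b64_cert), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print(to_pem(info["public_keys"][0]))
```

Azure AD publishes its issuer as `https://sts.windows.net/<tenant-id>/`; if the issuer in the metadata you upload does not match your tenant, you have exported the wrong application's metadata, and assertions from your tenant will be rejected.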

  • Audience: the string we already configured in the Basic SAML Configuration section above; in your case, <<org-domain-name>>.anypoint.mulesoft.com.
  • Single Sign-On Initiation: both, by default.
audience

Expand Advanced Settings and fill out the following fields.

You can also obtain these values from the User Attributes & Claims section of your enterprise application configuration.

The Email Attribute is mandatory; without it you won't be able to access Anypoint Platform.

attributes

Save the changes. We still need to update the Reply URL (Assertion Consumer Service URL), since we entered a placeholder for providerId.

To obtain the Reply URL (Assertion Consumer Service URL), click Edit (SAML 2.0); the URL is shown there.

service-url

Replace the old URL with this new URL in the application's Basic SAML Configuration, as follows:

saml-basic-config
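The Audience, the Email Attribute and the Reply URL placeholder are the three settings above that silently break sign-in when they are wrong, so here is an added example (my own code, not from MuleSoft or Microsoft) that shows what an SP checks against them: a constructed SAML response is validated for Destination and Recipient against the configured ACS URL, AudienceRestriction against the Entity ID, Issuer against the IdP, validity window, and presence of Azure AD's default e-mail claim. Signature verification with the Public Key is assumed to have happened already and is out of scope here; the org domain, providerId and tenant id are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Azure AD's default claim carrying the e-mail address (the page's "Email Attribute")
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Values as configured on the Anypoint side; org domain, providerId and tenant id are placeholders.
EXPECTED = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience": "example-org.anypoint.mulesoft.com",
    "acs_url": "https://anypoint.mulesoft.com/accounts/login/example-org/providers/PLACEHOLDER-PROVIDER-ID/receive-id",
}
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, expected, now):
    """Return a list of problems; an empty list means the response passes (hypothetical helper)."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != configured ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion present")
        return problems
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"Issuer {issuer!r} != configured IdP issuer")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not include {expected['audience']!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs_url"]:
        problems.append(f"Recipient {recipient!r} != configured ACS URL")
    emails = [
        v.text
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == EMAIL_CLAIM
        for v in attr.findall("saml:AttributeValue", NS)
        if v.text
    ]
    if not emails:
        problems.append("e-mail attribute missing: the user cannot be mapped to an Anypoint account")
    return problems


def sample_response(acs_url, include_email=True):
    """Constructed sample response (not captured from Azure AD); the signature is omitted."""
    email = (
        f'<saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">'
        "<saml:AttributeValue>alice@example.com</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
    ) if include_email else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{acs_url}">
  <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs_url}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    {email}
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_saml_response(sample_response(EXPECTED["acs_url"]), EXPECTED, NOW))
    # Reply URL still carrying the literal 'providerId' placeholder, and no e-mail claim
    stale = sample_response(EXPECTED["acs_url"].replace("PLACEHOLDER-PROVIDER-ID", "providerId"), include_email=False)
    print(check_saml_response(stale, EXPECTED, NOW))
```

Running it shows the failure mode from the steps above: with the placeholder still in the Reply URL, both Destination and Recipient mismatch the real ACS URL, and without the e-mail claim there is nothing to map the user to an Anypoint account, which is exactly why the page calls the Email Attribute mandatory.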

That's it. Now you can try to log in from your identity provider.

Open https://myapplications.microsoft.com and verify whether the Anypoint Platform app is accessible.

myapps-azure

Damn! How did the Mule logo get here? You can add any logo you wish in the Application properties section.

Step 4: Click on the Anypoint Platform application and it should automatically log you in to your Anypoint Platform account, with zero roles.

platform-profile

Congrats! You have now secured your Anypoint Platform. Users can log in to their Azure accounts and access Anypoint Platform directly with a single click.

We hope this tutorial helped you understand and set up Azure AD as the identity provider for your Anypoint Platform.

In the next tutorial, we will see how to map users to roles using Azure AD groups. Meanwhile, if you face any issues, let us know in the comments section.
