In this tutorial, we will demonstrate step by step guide to setup Anypoint Platform as Azure AD Service Provider (SP).
As a Anypoint Platform Admin, you will need to configure identity management in Anypoint Platform to set up users for single sign-on (SSO) to protect unauthorized access to Anypoint Platform.
Azure AD Configuration
Step 1: Open your Azure Portal and Navigate to Azure Active Directory.
Step 2: Inside the Azure Active Directory, click on Enterprise Applications -> All Applications then create new application.
Step 3: From the add application screen click on Create your own application and name the the application. Also make sure to select as (Non-gallery) application.
Step 4: Click on your newly created enterprise application and head over to Setup single sign on.
Step 5: You will be redirected to Set up Single Sign-On with SAML page. In that page configure as follows:
Basic SAML Configuration:
- Identifier (Entity ID) : <<org-domain-name>>.anypoint.mulesoft.com
- Reply URL (Assertion Consumer Service URL) : https://anypoint.mulesoft.com/accounts/login/org-domain/providers/providerId/receive-id (This details you can get it from SAML Identity Provider settings in your Anypoint account). For now copy and paste the same URL. We will modify later.
We will replace the providerId later as we will get the providerId only after creating the identity provider in Anypoint Platform.
User Attributes & Claims: You can either customize or leave the default values.
SAML Signing Certificate: Download the Federation Metadata XML which we will use while configuring the Identity provider in Anypoint Platform.
Step 6: Add a user to this Anypoint Platform application. To add a user, under Application page, navigate to Users and groups and click on Add user/group.
Now select the users you want to access this Application (Basically the Anypoint Platform) and assign to Application.
Don’t worry about the roles as she/he won’t be having any Anypoint Platform roles.
Mine is a free trail account so I do have limited access to certain features.
Anypoint Platform Configuration
Step 1: Login to your Anypoint Platform account and navigate to Access Management.
Step 2: In the Access Management menu, click on Identity Providers and then SAML 2.0.
Step 3: In the next page, upload the XML file that you downloaded in the previous section. As soon as you upload the file, few fields will be populated automatically.
Sign On URL, Sign Off URL, Issuer and Public Key values are auto populated based on your XML file.
You will need to configure the remaining fields manually as follows,
- Audience : This string we have already configured in the Basic configuration section above. In your case, its <<org-domain-name>>.anypoint.mulesoft.com.
- Single Sign-On Initiation : By default its both.
Expand Advanced Settings, and fill out the following fields.
- Username Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- First Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Email Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Group Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups
You can also obtain these values from User Attributes & Claims section from your Enterprise application configuration.
The Email Attribute is mandatory otherwise you won’t able to access the Anypoint Platform.
Save the changes and wait, we are yet to update the Reply URL (Assertion Consumer Service URL) as we created a placeholder for providerId.
To obtain the Reply URL (Assertion Consumer Service URL), click in Edit (SAML2.0) and there you will see the URL.
Replace the old URL with this new URL in the Application SSO Basic configuration as follows,
That’s simple. Now you can try to login from your identity provider.
Open the https://myapplications.microsoft.com and verify whether the Anypoint Platform app is accessible or not.
Damn! How come Mule logo came here. You can add any logo you wish in the Application properties section.
Step 3: Click on the Anypoint Platform application and it should automatically login you to Anypoint Platform account with Zero roles.
Congrats! Now you have successfully secured your Anypoint Platform. Now users can login to their Azure accounts and directly access Anypoint platform with single click.
We hope this tutorial helped you to understand and setup Azure AD Service Provider as your Anypoint Platform Identity Provide.
In the next tutorial, we will see how to Map users to Roles in Azure AD Groups. Meanwhile, if you face any issues, please do let us know in the comment section.