Author: Ashish Jain
Configuring Anypoint Platform as an Azure AD Service Provider (SP) via SSO
Problem Statement:
Configure Anypoint Platform to use Azure AD as an external identity provider (IdP), including –
- Single Sign-on (SSO)
- The mapping of Azure AD groups to Anypoint Platform roles and role groups
Solution:
Pre-Requisites:
- An Azure AD account
- An Anypoint Platform Account
Azure AD Configuration:
Step 1: Open your Azure Portal and navigate to Azure Active Directory.
Step 2: Inside Azure Active Directory, click Enterprise applications under the Manage menu on the left. Select “+ New application” and then “+ Create your own application”.
Step 3: On the add-application screen on the right-hand side, give the application an identifying name, select the option “Integrate any other application you don’t find in the gallery (Non-gallery)” and click “Create”.
Step 4: From the newly created application, go to Single sign-on and select SAML as the single sign-on method.
Step 5: From the “Set up Single Sign-On with SAML” Screen, configure the settings:
- Click on Edit in the “Basic SAML configuration” card.
- Fill in the required details as in the table below.
Step 6: Capture the User access URL from the Properties tab. It will be used in the Anypoint Platform configuration.
Step 7: Gather all required information from the “User Attributes and Claims” card. This information is provided to Anypoint Platform to identify the user. You can also edit the claims and capture them using “Edit” on this card.
Within User Attributes & Claims, an initial set of attributes is listed, with a default value provided for each property. The attributes and claims listed here appear in the SAML 2.0 token that is sent to Anypoint Platform. The initial attributes can be changed, and new ones added or removed, as required by your organization. The SAML 2.0 IdP configuration within Anypoint Platform allows claims to be specified for the following attributes –
- Username (defaults to NameID if no value is provided)
- First Name
- Last Name
- Group (Anypoint Platform expects the claim specified here to list the user’s group memberships)
Capture the details such as “Unique User Identifier (Name ID)”, user.givenname, user.userprincipalname, user.surname and user.emailaddress.
Note that by default there is no claim in User Attributes & Claims stating the user’s group memberships. If you intend to map Azure AD groups to platform roles and role groups as described above, a claim must be added here. This has the effect of including the groups to which the user belongs in the SAML token generated by Azure AD and sent to Anypoint Platform. Add a Group claim by following these steps –
- Click on the pencil icon to edit the User Attributes & Claims.
- Select add a group claim.
- Select the option to return either All groups or Groups assigned to the application in the claim (select the most appropriate of these two options for your organization).
- Select Group ID as the source attribute.
- Click Save.
- Click the Close (X) icon to return to the SAML-based Sign-on screen. Verify that there is a claim called Group listed in the User Attributes & Claims section.
Step 8: Download the Metadata XML from the “SAML Signing Certificate” card. This XML can be directly uploaded to the Anypoint Platform.
Anypoint Platform Configuration:
Step 1: Log in to Anypoint Platform, select Access Management and go to “Identity Providers”. Select “SAML 2.0” from the dropdown.
Step 2: Upload the metadata XML downloaded during the Azure AD setup into “Import IdP Metadata”. The metadata fields are populated automatically; a few fields still need to be changed or filled in.
Step 3: Configure the details corresponding to the table below.
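To see which values the “Import IdP Metadata” step actually pulls out of the Azure AD federation metadata (the IdP entity ID, the sign-on URL for each binding and the signing certificate), here is an added example in Python that parses a constructed metadata document. It is not MuleSoft or Microsoft code; the tenant ID and the certificate bytes are placeholders, and the claim of which fields Anypoint reads is my reading of the article, not a documented API.

```python
"""Read the fields Anypoint Platform takes from Azure AD federation metadata.

Added example, not MuleSoft or Microsoft code.  The sample metadata below is
constructed: the tenant ID is all zeros and the certificate is not a real X.509
blob, but the element names and namespaces match what Azure AD emits.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
# Placeholder, NOT a certificate; only used to show fingerprint handling.
SAMPLE_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate"
).decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{BINDING_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64 DER certificate."""
    der = base64.b64decode(cert_b64)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP fields an SP configuration needs from SAML metadata.

    xml.etree does not resolve external entities, but for metadata from an
    untrusted source prefer defusedxml.  Signature validation of the metadata
    itself (Azure AD serves it over TLS) is out of scope here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso_urls = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.iterfind("md:SingleSignOnService", NS)
    }
    # Only 'signing' keys matter for verifying assertions; ignore 'encryption'.
    certs = [
        "".join(c.text.split())  # strip whitespace/newlines inside the PEM body
        for c in idp.iterfind(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
            NS,
        )
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": sso_urls.get(BINDING_REDIRECT),
        "sso_post_url": sso_urls.get(BINDING_POST),
        "signing_cert_fingerprints": [cert_fingerprint(c) for c in certs],
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The fingerprint is the useful bit operationally: Azure AD’s SAML signing certificate has an expiry date, and when it is rotated the metadata has to be re-imported into Anypoint Platform. Comparing the fingerprint printed here with the one shown in the Azure portal’s “SAML Signing Certificate” card confirms that the certificate currently loaded in the identity provider configuration is the active one.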
Test the Configuration:
Save changes and test the settings. The following approaches can be used to test –
- Use the test feature from within the Enterprise app in Azure Portal.
- Access the User access URL (starting with https://myapps.microsoft.com/…). This is the URL obtained from the Enterprise application’s properties in the section above.
- Access https://anypoint.mulesoft.com/accounts/login/<domain>, where <domain> is the Organization domain as stated in your Anypoint Platform organization record (visible from within Access Management). Example: https://anypoint.mulesoft.com/accounts/login/my-example-org
Creating groups and mapping roles:
- Create a group in the Azure AD Users and groups tab.
- Add a new claim named groups and give it the group name.
- Create a role in Anypoint Platform.
- Open the role, click External Group Mapping and add the group created in Azure AD.
- Add the group to the Identity Provider tab in Anypoint Platform.
- Test the setting and you are good to go.
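The group claim described under Step 7 and the external group mapping in the list above only line up if the value Azure AD puts in the claim is the same string entered in the Anypoint role’s External Group Mapping. The following Python is an added example (not MuleSoft or Microsoft code) that parses a constructed SAML assertion shaped like Azure AD output, pulls out the username, name, e-mail and group claims, and maps the group values to roles using a constructed mapping table. The claim URIs are the ones Azure AD uses for the attributes the article names; the group IDs, role names and user are placeholders.

```python
"""Inspect the claims in an Azure AD SAML assertion and map the group claim
to Anypoint Platform roles.

Added example, not MuleSoft or Microsoft code.  The assertion is constructed
(no signature, placeholder IDs); a real SP must verify the XML signature with a
SAML library before trusting any of these values.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URIs Azure AD emits for the attributes the article lists.
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"  # user.userprincipalname
CLAIM_GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Placeholder group object IDs.  With "Group ID" as the source attribute the
# claim carries the group's object ID (a GUID), not its display name, so the
# External Group Mapping in the Anypoint role must use the same GUID.
GROUP_DEVELOPERS = "00000000-0000-0000-0000-00000000aaaa"
GROUP_VIEWERS = "00000000-0000-0000-0000-00000000bbbb"

# Constructed stand-in for the role's External Group Mapping (role names are placeholders).
EXTERNAL_GROUP_MAPPING = {
    GROUP_DEVELOPERS: ["Example Developer Role"],
    GROUP_VIEWERS: ["Example Viewer Role"],
}


def _attr(name: str, values: list) -> str:
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'


def build_sample_assertion(groups: list) -> str:
    """Constructed assertion; an empty group list omits the groups claim entirely,
    which is what Azure AD sends when no group claim has been added."""
    group_attr = _attr(CLAIM_GROUPS, groups) if groups else ""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_placeholder" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    {_attr(CLAIM_NAME, ["alice@example.com"])}
    {_attr(CLAIM_GIVENNAME, ["Alice"])}
    {_attr(CLAIM_SURNAME, ["Example"])}
    {_attr(CLAIM_EMAIL, ["alice@example.com"])}
    {group_attr}
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str) -> dict:
    """Return the claim values the Anypoint IdP configuration can be pointed at."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]

    def first(name):
        return attrs.get(name, [""])[0]

    return {
        "username": name_id,  # Username defaults to NameID when no claim is chosen
        "upn": first(CLAIM_NAME),
        "first_name": first(CLAIM_GIVENNAME),
        "last_name": first(CLAIM_SURNAME),
        "email": first(CLAIM_EMAIL),
        "groups": attrs.get(CLAIM_GROUPS, []),  # missing claim -> no groups
    }


def map_groups_to_roles(groups: list, mapping: dict):
    """Resolve group claim values to roles; unmapped groups are reported, not dropped silently."""
    roles, unmapped = set(), []
    for group in groups:
        if group in mapping:
            roles.update(mapping[group])
        else:
            unmapped.append(group)
    return sorted(roles), unmapped


if __name__ == "__main__":
    claims = parse_assertion(build_sample_assertion([GROUP_DEVELOPERS, GROUP_VIEWERS]))
    print(claims)
    print(map_groups_to_roles(claims["groups"], EXTERNAL_GROUP_MAPPING))
```

Two things this makes visible when a mapping “does not work”: a user whose assertion carries no groups claim at all (the note under Step 7) parses to an empty list rather than an error, and a group that appears in the claim but not in the mapping ends up in `unmapped`, which is the first thing to compare against the role’s External Group Mapping entry. Choosing “Groups assigned to the application” rather than “All groups” also keeps the claim short; Azure AD caps the number of groups it lists in a SAML token and emits an overage indicator instead of the full list when a user exceeds the limit.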