Author: Ashutosh Kumar
Objective:
Configure SAML to provide external authentication of users and Single Sign On (SSO) capability so users don’t need to provide additional credentials when they access the Anypoint Platform.
Configuring SAML for SSO involves:
- Beginning with a configured SAML identity provider (IdP)
- Navigating to and completing the External Identity – Identity Management SAML 2.0 form in Anypoint Platform, and optionally configuring some advanced settings
- Saving and testing your new configuration
Configuration of OKTA SAML 2.0 for MuleSoft – Anypoint Platform is divided into two parts :
- Authentication
- Authorization
Prerequisites:
- Your Anypoint Platform organization must be set up as your audience.
- OKTA Developer Account.
Authentication:
Step 1: Login into https://anypoint.mulesoft.com using the admin account, go to Access Management -> Organization, copy Organization Domain, Organization Id, and Client Id, and keep it handy.
Step 2: Go to Okta developer account-> Applications (on the left hand side bar) -> Create App Integration -> select SAML 2.0
Step 3: Set application name accordingly eg: App Name = CSOD-OKTA-SSO-APP. Click Next.
Step 4: Provide “Single sign-on URL” as https://anypoint.mulesoft.com/accounts/login/OrganizationDomain/providers/Provider-id/receive-id as interim URL and replace OrganizationDomain in the URL with the Org-Domain copied in Step 1, and provide the Organization-Id copied in Step 1 in the “Audience URI (SP Entity ID)” as “Organization-Id”.anypoint.mulesoft.com (eg: 4XXXXXXX-6XXX-4XXX-aXXX-3XXXXXXXXXXX.anypoint.mulesoft.com).
Step 5: Scroll down to the bottom and set attribute statements based on which it will authenticate the user. Set attributes as “firstname”, “lastname”, and “email” and select user.firstname, the user.lastname, and user.email respectively from the drop-down menu skip the Group option for now as later it will be used to set authorization for users. Scroll down and click Next.
Step 6: Select “I’m a software vendor. I’d like to integrate my app with Okta” and Click Finish.
Step 7: Go to your application “CSOD-OKTA-SSO-APP” -> Sign On tab (scroll down) -> View SAML Setup Instructions on the right-hand side of the page.
The following page will open, keep these details handy as it will be required to set up SAML 2.0 from Anypoint Platform Side.
Step 8: Go to your Anypoint Platform -> Access Management -> Identity Provider -> Click on Add Identity Provider -> Select SAML 2.0.
Step 9: Provide the following on the AnyPoint page from the SAML Setup Instruction Page.
- Name: CSOD-OKTA-SAML 2.0 (Accordingly as per the organization naming standard)
- Sign Off URL: https://anypoint.mulesoft.com
- Sign On URL: Copy it from the SAML Setup Instruction page kept handy earlier. I.e. “Identity Provider Single Sign-On URL”
- Issuer: Copy and paste “Identity Provider Issuer” from the SAML Setup Instruction page.
- Public Key: Copy and paste “X.509 Certificate” from the SAML Setup Instruction page.
- Audience: “Organization-Id”.anypoint.mulesoft.com (eg: here it is 4XXXXXXX-6XXX-4XXX-aXXX-3XXXXXXXXXXX.anypoint.mulesoft.com)
Note: Group attributes are added later when it comes to giving roles and authorization.
Save the changes.
Step 10: Update the interim Single Sign-On URL on the OKTA application Settings.
- Once SAML Identity Provider “CSOD-OKTA-SAML 2.0” is created, open it and copy Assertion Consumer Service (ACS) URL.
- Go to OKTA Application “CSOD-OKTA-SSO-APP” -> General -> Scroll down and select SAML Settings Edit.
Paste the copied Assertion Consumer Service URL in the OKTA Single Sign On URL and save it.
Step 11: Go to OKTA developer Dashboard -> Applications -> select OKTA application created earlier i.e. CSOD-OKTA-SSO-APP -> Select Assignments -> Select Assign to Groups -> Click “Assign” for “Everyone” -> Done.
Step 12: Now log out from the Anypoint Platform and use “https://anypoint.mulesoft.com/login/domain/org-domain” link to log in. E.g. here link is https://anypoint.mulesoft.com/login/domain/apisero-inc-34 and click on the Okta Identity Provider app created earlier in the Anypoint Platform i.e. “Continue with CSOD-OKTA-SAML 2.0”.
It will redirect the user to the Anypoint Platform Home Page as given below:
But the user will not have access to view anything as the role of the user group is not decided yet. For example, the user cannot view the Anypoint Runtime Manager for the Sandbox environment as given below:
Authorization:
Step 1: Go to OKTA DashBoard -> Directory -> Groups -> Add Group -> Give the name of the Group as per Organization’s naming standard. Here we have given it as “CSOD MuleSoft Developers”-> Click Save. Refresh the page to see the added new group.
Step 2: Open the group created in Step 1 -> go to people -> Click on “Assign People” -> Select all the developers and assign them to this group -> Click Done at the top.
Step 3: Login into https://anypoint.mulesoft.com using your admin account -> Go to Access Management -> Roles -> Select Cloudhub Admin (Sandbox) -> Select “Set External Group Mapping” -> Set Group name as created in Step 1 i.e. CSOD MuleSoft Developers and select Identity Provider as CSOD-OKTA-SAML 2.0 and click Add -> Click Save as shown below
Step 4: Now we may have to set up the group attributes in the identity provider application. Go to Anypoint Platform -> Access Management -> Identity Providers -> Click on CSOD-OKTA-SAML 2.0 application -> Scroll Down and expand Advance settings -> Under the group attributes write “group” -> Click “Save Changes”. Similarly, you can use other features like firstname, lastname, username, and email.
Step 5: Now go to OKTA Dashboard -> Applications -> Select CSOD-OKTA-SSO-APP (created earlier) -> General -> Scroll Down and Select edit on “SAML Settings” -> Click next and go to “Configure SAML” tab -> Scroll down to “Group Attribute Statements” and fill the following.
- Name: Group
- Filter: Select “Matches Regex” from the drop-down menu
- Set Filter in the Blank Space: .*
-> Scroll down and click Next -> Finish. As shown below.
Step 6: Again, log out from the Anypoint Platform and log in via the domain URL as done in “Authentication Step 12”-> Select the respected OKTA App created earlier i.e. here CSOD-OKTA-SAML 2.0 -> go to Anypoint Platform Runtime Manager -> Now it will show “Sandbox” environment for selection -> Select it.
Similarly, administrators may add different roles to different groups and people as per their need.