Okta Integration With Anypoint Platform Using OpenID Connect (OIDC)

Author: Pankuri Bansal & Nikhil Kumar

  • The MuleSoft Anypoint Platform offers robust support for Single Sign-On (SSO) and Identity Management by seamlessly integrating with popular external identity providers like Okta, PingFederate, and OpenAM.
  • This ensures a secure and streamlined authentication process for users, enhancing overall system efficiency and user experience.
  • In this document, we will explore the process of setting up Identity Management for the MuleSoft Anypoint Platform utilizing Okta OpenID Connect. By implementing this solution, you can ensure seamless and secure access to your organization’s resources, enhancing both efficiency and data protection.
Prerequisites:

The following are the prerequisites for integrating the MuleSoft Anypoint Platform with Okta.

  • Administrative permissions in Okta sufficient to create applications and manage the tenant's settings.
  • Organizational administration permissions in Anypoint Platform.
What is Okta?
  • If you develop or manage APIs, you most likely expose them through an API gateway.
  • To secure an API behind the gateway, it is advisable to use OAuth together with an identity provider (IdP) such as Okta. This combination provides a robust and well-protected environment for your API operations.
  • The Okta + MuleSoft integration offers a comprehensive Single Sign-On (SSO) solution.
  • With this unified solution, you can easily manage access based on user profiles, groups, networks, clients, and consent. Additionally, provisioning API access is as swift as granting application access.
What is OIDC?
  • OpenID Connect (OIDC) is a trusted authentication solution that enhances the security of applications. By building on top of the OAuth 2.0 authorization protocol, OIDC offers scoped access tokens for secure data transfer.
  • In addition, OIDC also provides convenient user authentication and seamless single sign-on (SSO) functionality, making it an ideal choice for protecting your users’ information and streamlining their login experience.
  • When it comes to the OIDC workflow, Okta can seamlessly play two different roles: as the Identity Provider (IdP) or as the Service Provider (SP).
  • This versatility allows you to adapt Okta to your specific use case and ensure a smooth authentication experience.
Difference Between Okta and OAuth
  • With Okta, you can easily authorize users to access a wide range of APIs and web services. This powerful tool ensures secure and seamless authentication, giving users the necessary permissions to utilize various resources without any hassle.
  • OpenID Connect (OIDC) serves a crucial purpose in web applications by authenticating users, ensuring the security and trustworthiness of their access.
  • On the other hand, OAuth 2.0 grants user authorization for API usage, allowing seamless integration with external services while maintaining control over data access.
Setup Configurations in Okta
  • Begin your journey with Okta by creating an account.

This is the first step towards accessing a wide range of powerful features and functionalities.

Login/Signup link: https://developer.okta.com/signup

  • Now, please activate your account and log in.
Authorization Server
  • Create an Authorization Server in Okta from Security → API
  • Fill in the Authorization Server details as follows. A default authorization server already exists in every Okta tenant, and you can use that one instead.
  • Click on the application to open it.
  • Click on the Metadata URI; the discovery document it opens should look like the screenshot below:
  • Note the issuer, authorization_endpoint, and token_endpoint. You will also need the userinfo endpoint, which is listed in the same metadata document as userinfo_endpoint. For the default authorization server it looks like the following:

https://dev-4124393.okta.com/oauth2/default/v1/userinfo

Be sure to replace the Okta domain in these URLs (e.g. apiserotest-sec-com in the example) with your production Okta domain.
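Before pasting the four values from the metadata document into Anypoint, it is worth checking them programmatically: that every required key is present, that the issuer is the one you expect, and that each endpoint is an HTTPS URL on the issuer's own host. The following script is an added example, not part of the original article or of Okta's or MuleSoft's tooling; the dev-000000 domain and the discovery document it parses are constructed placeholders, and the .well-known/openid-configuration path is the standard OpenID discovery location.

```python
import json
import urllib.request
from urllib.parse import urlparse

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed sample: a trimmed discovery document of the kind an Okta authorization
# server publishes at <issuer>/.well-known/openid-configuration. The tenant domain
# "dev-000000" is a placeholder, not a real tenant.
SAMPLE_ISSUER = "https://dev-000000.okta.com/oauth2/default"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/v1/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
})


def fetch_metadata(issuer, timeout=10):
    """Download the discovery document of a live issuer (not used by the offline sample)."""
    with urllib.request.urlopen(issuer + "/.well-known/openid-configuration", timeout=timeout) as r:
        return r.read().decode("utf-8")


def extract_endpoints(metadata_json, expected_issuer):
    """Return the issuer and the three endpoints the Anypoint OIDC form asks for.

    Raises ValueError when a required key is absent, when the document's issuer is
    not the one the administrator expects, or when any endpoint is not an HTTPS URL
    on the issuer's host, so a mis-pasted or tampered document is caught before
    its values are entered into Anypoint.
    """
    meta = json.loads(metadata_json)
    missing = [k for k in REQUIRED if k not in meta]
    if missing:
        raise ValueError(f"metadata is missing {missing}")
    if meta["issuer"] != expected_issuer:
        raise ValueError(f"issuer {meta['issuer']!r} != expected {expected_issuer!r}")
    host = urlparse(expected_issuer).netloc
    for key in REQUIRED[1:]:
        parsed = urlparse(meta[key])
        if parsed.scheme != "https" or parsed.netloc != host:
            raise ValueError(f"{key} {meta[key]!r} is not an HTTPS URL on {host}")
    return {k: meta[k] for k in REQUIRED}


if __name__ == "__main__":
    # Replace SAMPLE_METADATA with fetch_metadata(SAMPLE_ISSUER) to check a real tenant.
    for name, url in extract_endpoints(SAMPLE_METADATA, SAMPLE_ISSUER).items():
        print(f"{name:24} {url}")
```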

Application
  • Create the Application from Applications → Applications Menu as follows.
  • Click on Applications → Create App Integration → Choose OIDC – OpenID Connect option → Choose Web Application option → Next.
  • Then provide the app integration name (any random name or as per your use case).
  • Exclude the Sign-out redirect URIs option and keep other things the same as the default.
  • In the Assignment section, you can provide the access control according to your requirements.
  • Click on save.
  • Note down the Client ID and Client secret for later use.

Configurations in Anypoint Platform

  • Open Access Management in Anypoint Platform and click on Identity Providers.
  • From the dropdown, select the OpenID Connect option.
  • Provide a name according to your use case in the Name section.
  • Then choose the manual registration option and provide the client ID and client secret that were noted earlier from Okta.
  • Then provide the issuer, token, and authorize URLs as noted in the earlier step from the metadata.
  • Then save the changes.
  • Open the identity provider you created.
  • Then copy the redirect URI shown in the Identity Client Registration section.
  • Open your Okta account → Applications → choose your application → select General tab → General Settings → Edit → Sign-in redirect URIs
  • Paste the redirect URI copied from the platform (Identity Client Registration) into that field and save.

Accessing the Anypoint Platform

  • Log out of the old session and log in using the URL https://anypoint.mulesoft.com/login/domain/{Domain Name}, e.g. https://anypoint.mulesoft.com/login/domain/apisero-4502
  • This should redirect you to Okta, and you can log in with Okta credentials to get access to Anypoint Platform.
