MuleSoft Technical Guides
Anypoint SSO with OpenID
Anypoint Platform is a cloud-based integration platform that enables organizations to connect applications, data, and devices. With its built-in security features, Anypoint Platform offers Single Sign-On (SSO) to help organizations streamline user authentication and access control.
In this blog, we will discuss Anypoint SSO and how to implement it.
What is Anypoint SSO?
Anypoint Single Sign-On (SSO) is a feature offered by Mulesoft’s Anypoint Platform that allows users to authenticate and access multiple applications with a single set of credentials.
SSO is a powerful tool for improving security, streamlining the user experience, and reducing administrative overhead. With SSO, users only need to remember one set of login information, which can be used to access multiple applications without having to re-enter their credentials each time.
One of the key benefits of Anypoint SSO is its ability to integrate with a wide range of identity providers, including popular ones such as Okta, Ping, and ADFS. This allows organizations to leverage their existing identity infrastructure and avoid the need to build and maintain a separate authentication system.
Another benefit of Anypoint SSO is its support for two-factor authentication (2FA). This provides an additional layer of security by requiring users to provide a second form of authentication, such as a fingerprint or a one-time code sent to their mobile phone, in addition to their password.
In addition, Anypoint SSO also supports SAML-based SSO, which allows an user to authenticate to an application through an identity provider such as Okta, OneLogin, and ADFS. SAML is an industry standard for SSO and is supported by many popular SaaS applications.
Overall, Anypoint SSO is a valuable tool for organizations looking to improve security and user experience while reducing administrative overhead. Its ability to integrate with a wide range of identity providers and support for 2FA and SAML make it a versatile and effective solution for managing authentication across multiple applications.
How to Implement Anypoint SSO?
Implementing Anypoint Single Sign-On (SSO) is a straightforward process that can be broken down into a few key steps:
1. Set up an identity provider: The first step in implementing Anypoint SSO is to set up an identity provider (IdP). This can be an existing IdP that your organization is already using, or you can set up a new one using a service such as Okta, Ping, or ADFS.
2. Configure the identity provider: Once you have set up an IdP, you will need to configure it to work with Anypoint SSO. This typically involves creating a new application within the IdP and configuring it with the necessary details, such as the Single Sign-On URL and the Assertion Consumer Service URL.
3. Configure Anypoint SSO: Next, you will need to configure Anypoint SSO to work with your IdP. This involves setting up a new SSO configuration within Anypoint Platform and providing the necessary details, such as the IdP’s metadata URL and the application’s client ID and secret.
4. Enable SSO for your applications: After configuring Anypoint SSO, you can enable SSO for your applications by editing the security settings for each application. This typically involves configuring the application to use the SSO configuration you created earlier and specifying which users or groups should be able to access the application.
5. Test and deploy: After completing the above steps, you should test your SSO configuration to ensure it is working correctly. Once you are satisfied that everything is working as expected, you can deploy the SSO configuration to your production environment
Overall, implementing Anypoint SSO is a relatively simple process that can be completed in a few hours or days depending on the complexity of your organization’s infrastructure and the number of applications you are looking to enable SSO for.
We’ll discuss each step in detail below.
Step 1: Set up an Identity Provider
To use Anypoint SSO, you need to have an Identity Provider (IdP). An IdP is a trusted system that stores and manages user identities. Anypoint Platform supports several IdPs, including Okta, Ping Identity, Microsoft Azure AD, and others.
In these Steps we will work by using Ping as IdP and use OpenID.
Step 2: Set up an Ping Account
Go to the Ping website and create an account.
Step 3: Configure Anypoint Platform for SSO
1. Log in to your Anypoint Platform account.
2. Go to the “Access Management” menu and select “Identity Providers.”
3. Click on the “Add Identity Provider” button.
4. Select “OpenID Connect”.
5. Go to your Ping Account and select Application from the Side Menu.
6. Click on “+” Icon and Enter App Name and Select “OIDC Web APP as Type”
7. Click on Save.
8. Go to Configuration Tab and you will find all required URLs.
9. Go back to Anypoint Platform and Fill in all the details.
10. Click on “Save”.
11. Open your IdP and Copy the redirect URL.
12. Go to your Ping APP , update the URL and set Grant Type to Client Credentials.
13. Enter your Initiate Login URI and Sign Off URI (you can find this in Identity Providers Tab in anypoint platform)
14. Click on Save.
15. Turn you Application ON.
Step 4: Test Your SSO Configuration
After you’ve configured Anypoint Platform for SSO, you should test your configuration to make sure it’s working correctly.
To test your Okta SSO configuration, you can:
1. Log out of Anypoint Platform.
2. Open the Single Sign On URL
3. Click on Continue with <Application Name>
4. Login with your Ping Credentials.
5. You should be redirected to Anypoint Platform and logged in automatically.
If everything works correctly, you should be able to log in to Anypoint Platform using your Okta credentials.
Step 5: Manage Your SSO Configuration
Once you’ve set up and tested your SSO configuration, you’ll need to manage it to ensure it continues to work correctly.
1. You can create groups in Ping that can provide a certain amount of Access.
a. On your Dashboard Click on Identities and Select Groups.
b. Click on “+” and provide Name and Description.
c. Assign Users to the Group.
d. Log In to your parent Account in Anypoint Platform.
e. Go to Access Management and Select the “Roles”
f. Select your Desired role and select “Set External Group Mapping”.
g. Click on “Add” and “Save”.
h. Go to Identity Providers, Select your APP and in Advanced Settings Update the Group Scope and Group Attribute JSONata Expression.
i. Go to your Ping App and in Access tab update the Group Membership Policy
j. The User in the group will now have the access depending on the roles assigned.
That’s it! By following these steps, you can successfully implement Anypoint SSO using Ping as the Identity Provider.
Conclusion
Anypoint SSO is a powerful feature that enables organizations to streamline user authentication and access control. By using Anypoint SSO, organizations can provide a seamless user experience and increase security by reducing the risk of user password fatigue.
Explore more MuleSoft Technical guides on Caelius Consulting Resource Centre.