Okta

How to Configure SAML 2.0 for MuleSoft - Anypoint Platform


Supported Features

The Okta/Mulesoft - Anypoint Platform SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to your MuleSoft – Anypoint Platform account as an administrator.

  2. Go to Management Center > Access Management.

  3. Select Identity Providers from the left nav, then select SAML 2.0 from the Identity Providers drop-down menu.

  4. Follow the steps below:

    1. Name: Enter a display name you'd like your users to see. For example: Okta.

    2. Import IdP Metadata: Save the following as okta.xml then click Choose File to upload it:

      Sign in to the Okta Admin Dashboard to generate this value.

    3. Sign Off URL: Enter the URL your users should be redirected to after they sign out, for example your Okta homepage:

      Sign in to the Okta Admin Dashboard to generate this value.

    4. Audience: Enter your MuleSoft – Anypoint Organization domain.

      • This takes the format of [Organization_Domain].anypoint.mulesoft.com

      • Your Organization domain can be found by clicking Profile in the upper right of your Anypoint Access Management portal.

      • For example: If your Organization domain is acme, enter acme.anypoint.mulesoft.com

    5. Single Sign-On Initiation: Specify whether SSO can be initiated by the Anypoint Platform, your identity provider (for example: Okta) or both.

    6. Group Attribute (OPTIONAL): Enter the name of the SAML attribute that carries the user's group memberships. This enables automatic group-to-role mapping, described under Automatic MuleSoft Group Assignment in the Notes below.

    7. Click Create.

    8. Click on the newly created Identity Provider.

      • At the end of the Assertion Consumer Service (ACS) URL line, click the button to Copy the ACS URL value.

  5. In Okta, select the Sign On tab for the Mulesoft - Anypoint Platform SAML app, then click Edit.

    • Select your Email attribute value.

    • ACS URL: Enter the value you copied in step 4.8.

    • Click Save.

  6. Done!
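The Audience (step 4.4) and ACS URL (step 4.8) values are what the service provider uses to reject assertions issued for a different tenant or replayed to a different endpoint. The script below is an added example, not part of the Okta/MuleSoft integration or either product's code: it parses a constructed SAML assertion and reports whether its Audience, Recipient and validity window match this configuration. The ACS URL, Issuer and timestamps are placeholders; it does not verify the XML signature (that is done against the certificate in the uploaded IdP metadata and needs an XML-DSig library), so it is a configuration sanity check, not a substitute for the SP's own validation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder: in practice use the exact ACS URL copied in step 4.8.
ACS_URL = "https://anypoint.mulesoft.com/example/acs"

# Constructed sample assertion (not a real capture). Issuer, ID and timestamps
# are made up; the Audience follows the [Organization_Domain].anypoint.mulesoft.com
# form required by the Audience field, for the org domain "acme".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@acme.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
          Recipient="https://anypoint.mulesoft.com/example/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>acme.anypoint.mulesoft.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>mulesoft-admins</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def expected_audience(org_domain: str) -> str:
    """Audience value in the form the Audience field in step 4.4 requires."""
    return f"{org_domain}.anypoint.mulesoft.com"


def _ts(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps SAML uses (works on Python < 3.11 too)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, org_domain: str, acs_url: str, now: str) -> list:
    """Return the mismatches between the assertion and this SP configuration.

    An empty list means audience, recipient and validity window all line up.
    Signature verification is deliberately NOT done here.
    """
    root = ET.fromstring(xml_text)
    problems = []
    current = _ts(now)

    # Audience must name this organization's tenant, not another org or another SP.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    want = expected_audience(org_domain)
    if want not in audiences:
        problems.append(f"audience: got {audiences}, expected {want!r}")

    # Recipient must be the ACS URL configured in Okta, so a bearer assertion
    # captured elsewhere cannot be replayed to this endpoint.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"recipient: got {recipient!r}, expected {acs_url!r}")

    # Validity window: NotBefore <= now < NotOnOrAfter.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("conditions: missing")
    else:
        if current < _ts(cond.get("NotBefore")):
            problems.append("conditions: assertion not yet valid")
        if current >= _ts(cond.get("NotOnOrAfter")):
            problems.append("conditions: assertion expired")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "acme", ACS_URL, "2024-01-01T00:01:00Z"))
    print(check_assertion(SAMPLE_ASSERTION, "globex", ACS_URL, "2024-01-01T00:01:00Z"))
```

Running it with the org domain "acme" returns no problems; running it with "globex" shows the audience mismatch that a wrong Audience value (step 4.4) would produce, which is the same failure users see as a rejected login after a typo in that field.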


Notes


SP-initiated SSO

  1. Go to https://anypoint.mulesoft.com

  2. Click Custom Domain.

  3. Enter your Organization Domain as defined in step 4.4.

  4. Click Continue with Okta (or the Display Name chosen in step 4.1).

Alternatively, you can go directly to https://anypoint.mulesoft.com/login/domain/[customDomain] and click Continue with Okta.


Automatic MuleSoft Group Assignment – Optional

MuleSoft supports receiving user group information in the SAML assertion and using it to assign users to the corresponding MuleSoft Roles. To take advantage of this functionality, users that you assign to your MuleSoft application must belong to an Okta group.

  1. In the Okta Admin Dashboard, select Directory > Groups.

  2. In the screen that opens, find the name of the group to which you want to attach a MuleSoft Role. You will use this name in step 9.
  3. In Okta, navigate to Applications > Applications and click MuleSoft in the list.
  4. In the screen that opens, click the Sign On tab, then click Edit.

  5. In the group attribute filter, use the drop-down to select the match type (Starts with, Equals, Contains or Matches regex) and enter the expression that selects the groups to send in your SAML assertion.

    With the match type Matches regex and the expression .*, every group the user belongs to is sent with the assertion. That is the simplest setting, but it discloses the user's complete Okta group membership to MuleSoft; prefer an expression that selects only the groups you map to MuleSoft roles (for example, Starts with and a prefix reserved for MuleSoft groups).

  6. Click Save.
  7. Open your MuleSoft tenant as an Admin, then click Access Management.

  8. In the screen that opens, select Roles from the Access Management options in the left column. Then choose the role you want to associate with the groups that come from Okta.

  9. In the screen that opens, click Edit external group mapping. Enter the group name from step 2 in the Group Name field (it must match the group name as Okta sends it in the assertion), then select the identity provider you created, that is Okta or whatever Display Name you entered in step 4.1.

  10. When users who are members of the Okta group that you specified sign into MuleSoft they are automatically assigned to the MuleSoft role you specified for the group.
  11. Done!
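To make the two halves of this procedure concrete, the script below is an added example (it is not Okta's or MuleSoft's code): it models the Okta group attribute filter from step 5 and the MuleSoft external group mapping from step 9 for one constructed user, and compares what the .* filter sends against a narrower Starts with filter. The group names, role names and the mapping table are constructed for the example; the filter match-type names follow the Okta drop-down, and treating the regex as a full match is an assumption that makes no difference for .*.

```python
import re

# Constructed Okta group memberships for one user (not real data).
USER_GROUPS = ["Everyone", "HR-Payroll", "mulesoft-admins", "mulesoft-developers", "vpn-users"]

# Constructed external group mappings, one per "Edit external group mapping"
# entry in MuleSoft: Okta group name + identity provider display name -> role.
# Role names are examples, not MuleSoft's built-in role names.
ROLE_MAPPINGS = [
    {"group_name": "mulesoft-admins", "provider": "Okta", "role": "Org Admin"},
    {"group_name": "mulesoft-developers", "provider": "Okta", "role": "Developer"},
]


def filter_groups(groups, match_type, expression):
    """Model of the Okta group attribute filter (step 5).

    match_type is one of the drop-down choices: "Starts with", "Equals",
    "Contains" or "Matches regex". Only the groups that pass the filter are
    placed in the group attribute of the SAML assertion.
    """
    if match_type == "Starts with":
        keep = lambda g: g.startswith(expression)
    elif match_type == "Equals":
        keep = lambda g: g == expression
    elif match_type == "Contains":
        keep = lambda g: expression in g
    elif match_type == "Matches regex":
        pattern = re.compile(expression)
        # Assumption: evaluated as a full match against the group name.
        keep = lambda g: pattern.fullmatch(g) is not None
    else:
        raise ValueError(f"unknown match type {match_type!r}")
    return [g for g in groups if keep(g)]


def roles_for_user(asserted_groups, provider, mappings=ROLE_MAPPINGS):
    """MuleSoft-side mapping (step 9): a role is granted when an asserted group
    name matches a mapping entry for the identity provider that issued it."""
    asserted = set(asserted_groups)
    return sorted({m["role"] for m in mappings
                   if m["provider"] == provider and m["group_name"] in asserted})


def compare_filters(groups=USER_GROUPS):
    """Compare the wildcard filter from the page with a least-privilege one."""
    send_all = filter_groups(groups, "Matches regex", ".*")
    send_min = filter_groups(groups, "Starts with", "mulesoft-")
    return {
        "sent_with_wildcard": send_all,
        "sent_with_prefix": send_min,
        "roles_with_wildcard": roles_for_user(send_all, "Okta"),
        "roles_with_prefix": roles_for_user(send_min, "Okta"),
    }


if __name__ == "__main__":
    for key, value in compare_filters().items():
        print(f"{key}: {value}")
```

Both filters yield the same MuleSoft roles for this user, but the .* filter also ships HR-Payroll, vpn-users and Everyone to MuleSoft, which has no use for them. The prefix filter is the setting a reviewer would expect: the assertion carries only the groups that have a mapping on the MuleSoft side.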