External identities can be configured for Anypoint Platform to allow single sign-on using SAML 2.0 for user authentication or OAuth 2.0 for client authentication. Supported identity providers include PingFederate, OpenAM, Okta, and others. The document provides instructions for configuring SAML 2.0 SSO with an identity provider and mapping users to roles within Anypoint Platform. It also discusses configuring client authentication with PingFederate or OpenAM and enabling single logout.

1. External Identity

2. • Setting up external identity means that you configure an identity
provider (IdP) to authenticate an acting agent (either an user, a client,
or both) and then assert to Anypoint Platform that said agent has
been validated by it and should be trusted.

3. • This means that you can set up:
• External identities for user management using SAML 2.0
• External identities for client management using OAuth 2.0
• External identities for both user and client management

4. User Management
• The Anypoint Platform can be integrated with your organization’s
external federated identity system allowing your users to have single
sign-on (SSO) access to your Anypoint Platform organization.
• In order to configure it, use the SAML configuration instructions in the
section below and consult your IdPs specific documentation for
instructions on how to apply this configuration for your intended
provider.

5. Identity Providers
• The Anypoint Platform supports SAML 2.0 compliant identity management providers for user management and SSO.
• Although any SAML 2.0 compliant provider can be configured for this use, the following IdPs have been successfully tested as working with Anypoint Platform:
• Ping Federate
• OpenAM
• Okta
• Shibboleth
• ADFS
• onelogin
• CA SiteMinder
• For these providers, the 'Assertion Consumer Service' or 'SAML Assertion URL' is https://anypoint.mulesoft.com/accounts/login/receive-id and the 'entityID' or 'Audience URL' is any string value that identifies your
organization. By convention it is <organizationDomain>.anypoint.mulesoft.com, but any value is acceptable.

6. Instructions for SAML Configuration
• The instructions in this document allow you to configure your Anypoint Platform organization with any of the
supported SAML 2.0 providers for SSO.
• To configure federated identity:
• Configure your SAML provider to set up your Anypoint Platform organization as your audience.
• Set the Assertion Consumer Service to send an HTTP POST request to the following address:
https://anypoint.mulesoft.com/accounts/login/receive-id
• Log in with an administrator account into your Anypoint organization, click on the gear icon in the Nav bar
which will take you to the Access Manager user interface , and select External Identity. If you haven’t set
anything yet, you should see a screen like this
• Click the link for "If you would like to configure single sign on with a SAML 2.0 provider you can get
started here" and then provide the necessary data in the SAML 2.0 form to set up your Anypoint
organization for SSO

7. Federated Organizations - Map Users to Anypoint
Platform Roles
• As of November 2014, Anypoint Platform provides a feature to help you map users in a federated organization’s LDAP group to an Anypoint Role.
• This requires that your Anypoint Platform organization utilizes an external identity provider such as PingFederate.
• This feature enables users in an organization to sign in to Anypoint Platform using the same organizational credentials and access permissions that an
organization maintains using LDAP.
• This ensures credential security and maintains organizational roles for accessing privileged information.
• To support this feature you first need to configure an external identity following any of the methods described above, and then follow the two steps
described below:
• Verify SAML Information
• The SAML assertion is an XML file that is issued by the external identity provider.
• Log into Anypoint Platform and click the External Identity tab to verify your organization’s Identity management information.

8. Client Management
• Client Management allows any client connecting to your application
to identify itself using OAuth 2.0.
• An OAuth client application interacts with the provider´s
authorization server to obtain access tokens needed to call OAuth-
protected services at the Anypoint Platform´s resource server.
• The only OAuth 2.0 supported IdPs that work with Anypoint Platform
are openAM and Ping Federate

9. openAM
• If you want to use openAM for client management and if you’re not
using Anypoint Platform on premises, you need to request that your
account be configured in that way, as you can’t set this up manually.
• Work with your MuleSoft account representative to ensure that we
are aware of your needs for configuring your organization with
PingFederate.
• Complete the OpenAM form and MuleSoft will get back to you within
48 hours with either the completion of the configuration or follow-up
questions to complete the configuration.

10. Ping Federate
• If you want to use Ping Federate for client management and if you’re not
using Anypoint Platform on premises, you need to request that your
account be configured in that way, as you can’t set this up manually.
• Work with your MuleSoft account representative to ensure that we are
aware of your needs for configuring your organization with PingFederate.
• Complete the Ping Federate Form. After you complete this form, MuleSoft
gets back to you within 48 hours with either the completion of the
configuration or follow-up questions to complete the configuration.

11. Single Log Out
• Single log out is important so that a user or user agent can log out of an
authenticated environment and ensure that both service providers and identity
servers process the log out correctly.
• To configure single log out:
• In PingFederate, click the SP Configuration for the Anypoint Platform.
• Go to Browser SSO and click Configure Browser SSO.
• Under SAML Profiles, ensure that these are set:
• IdP-Initiated SSO
• IdP-Initiated SLO
• SP-Initiated SLO
• Go to Protocol Settings and click Configure Protocol Settings.
• Configure a SLO Service Url with the following:

12. • Under Allowable SAML Bindings, click Redirect.
• Under Encryption Policy, make certain that nothing is encrypted.
• Save and click Done out of Protocol Settings and Browser SSO.
• When viewing the SP Configuration for Anypoint Platform, go to Credentials, and
click Configure Credentials.
• Under Signature Verification Settings, click Manage Signature Verification
Settings. Set the Trust Model to Unanchored, and import the attached certificate.
Make it the active certificate.