Thursday, 14 April 2022

Single Sign On (SSO) setup in Anypoint Platform using Okta SAML



In any organization, identity management becomes a major challenge as the number of applications and websites grows: employees need to access all of them according to their permissions, both the employees and the organization have to manage multiple sets of credentials, and this credential sprawl also leads to security threats.


Single sign-on (SSO) solves these issues: it lets employees access all applications and websites with a single credential.


MuleSoft Anypoint Platform's Identity management lets you set up single sign-on (SSO) with external identity providers such as Okta, Salesforce, PingFederate and many more.


Either of the following SSO standards may be used to configure Identity management:

1. OpenID Connect: end-user identity verification by an authorization server, including SSO

2. SAML 2.0: web-based authorization, including cross-domain SSO


In this post we will concentrate on SAML and its configuration steps with Okta.

Objective: by the end of this post you will learn

    • How to set up SSO for Anypoint Platform using Okta
    • How to create a user in Okta and have it synced automatically to Anypoint
    • How to map a group between Okta and Anypoint with basic privileges

Prerequisites

1. Okta account with Admin access --> you may create one using Create Okta Account

2. At least four email IDs, which will be used as users in Okta and Anypoint

3. Anypoint account with the Access Management role --> you may create one using Create Anypoint Account


Let's understand how SAML works

      i.      The user attempts to log in to Anypoint Platform using the URL https://anypoint.mulesoft.com/accounts/login/{your_org_domain}

   ii.       Anypoint redirects to the identity provider, e.g. Okta

   iii.      The user's browser sends an authentication request to Okta

   iv.      Okta authenticates the user and sends an assertion to the browser; the assertion may contain username, email, group etc.

   v.       The browser sends the SAML response to Anypoint Platform


High Level Steps to Configure SSO using SAML

  • Create an application in Okta and provide the SAML 2.0 configuration details: the single sign-on URL of Anypoint and the audience URI, along with the attribute statements and the group attribute
  • After configuration you will have the IdP metadata, which will be imported into Anypoint
  • Then log in to Anypoint, create the identity provider and import the above IdP metadata
  • Finally, grant permissions to the users and test the implementation


Let's begin the actual implementation

Log in to Okta, click on Applications and then click Create App Integration


Then select SAML 2.0 and click Next


Then enter the General Settings details

App name: MuleSoft Okta Demo, then click Next


Next, configure SAML. This screen contains two sections.

Section A: SAML Settings, which includes the following

  • General: in this section provide mainly
    • Single sign-on URL --> the location where the SAML assertion is sent with an HTTP POST. Its value will be https://anypoint.mulesoft.com/accounts/login/:org-domain/providers/:providerId/receive-id; the placeholders in this value are replaced once the configuration on both sides (Anypoint as well as Okta) is complete
    • Audience URI --> the application-defined unique identifier that is the intended audience of the SAML assertion. Its value will be {organisation}.anypoint.mulesoft.com, where {organisation} is the Anypoint organization id. To get it, log in to Anypoint and click on the organization as shown below; the value will look like 9402c32b-1e47-456a-9da3-04cf4d1e7581, so the complete URI will be 9402c32b-1e47-456a-9da3-04cf4d1e7581.anypoint.mulesoft.com

  • Attribute Statements: this is optional. It fills the assertion values firstname, lastname and email from the Okta user properties firstName, lastName and email, and these values are used when the user is created in Anypoint
    • Attribute name: firstname
    • Attribute format: Unspecified
    • Attribute value: user.firstName

    • Attribute name: lastname
    • Attribute format: Unspecified
    • Attribute value: user.lastName

    • Attribute name: email
    • Attribute format: Unspecified
    • Attribute value: user.email

  • Group Attribute Statements: this maps a group in Okta (with multiple users assigned to it) to the Anypoint group; you will see more about it later in this post

After entering the above details, click Next and select the feedback details: "I'm an Okta customer adding an internal app" and the app type "This is an internal app that we have created", then click Finish


Now you are done with the Okta side configuration. The next step is to assign a user to the app "MuleSoft Okta Demo" that you have just created, as below

Go to Applications, select the application MuleSoft Okta Demo, click on Assignments, then open the Assign drop-down and select Assign to People

Then search for the user and assign the selected user to the application, as below


Finally, get the IdP metadata and configure it in the service provider, i.e. Anypoint. To get the IdP metadata, go to Applications, select the MuleSoft Okta Demo application, click on Sign On and then click on View Setup Instructions, as below


After clicking View Setup Instructions, a new page opens with the following details, which will be configured in Anypoint

Identity Provider Single Sign-On URL: https://dev-10006408.okta.com/app/dev-10006408_mulesoftoktademo_1/exk4njibd2yAIXBCC5d7/sso/saml

Identity Provider Issuer: http://www.okta.com/exk4njibd2yAIXBCC5d7

X.509 Certificate:

-----BEGIN CERTIFICATE-----
XXXXXunu6uoxpdOW+VkA==
-----END CERTIFICATE-----

Optional: this field contains all three of the above details as IdP metadata, which is what you will configure in MuleSoft

Copy the content of the Optional field into an XML file to import into Anypoint; otherwise you need to enter these details manually in the corresponding fields in Anypoint
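As an added example (not part of the original post), here is a small Python check that reads the IdP metadata XML from the Optional field and pulls out the three values Anypoint needs (issuer, HTTP-POST sign-on URL and signing certificate), and that builds the Audience URI and receive-id URL entered in Okta's SAML settings, with the :providerId placeholder kept until Anypoint has generated one. The metadata document, entity id, tenant hostname and certificate body are constructed placeholders, not real Okta values.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata in the shape of the Optional field; every value is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIBplaceholder==
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-EXAMPLE.okta.com/app/exkEXAMPLEID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-EXAMPLE.okta.com/app/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the issuer, the HTTP-POST sign-on URL and the signing certificate (base64 body)."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")
    sso_url = None
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding", "").endswith("HTTP-POST"):   # Anypoint receives the assertion by POST
            sso_url = svc.get("Location")
    cert_el = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert = "".join(cert_el.text.split()) if cert_el is not None and cert_el.text else None
    if not (issuer and sso_url and cert):
        raise ValueError("metadata lacks issuer, HTTP-POST sign-on URL or signing certificate")
    return {"issuer": issuer, "sso_url": sso_url, "certificate": cert}


def anypoint_sp_values(org_domain, org_id, provider_id=None):
    """Values typed into Okta: Audience URI and the receive-id (ACS) URL.
    Until Anypoint has generated a provider id, the URL keeps the :providerId placeholder."""
    pid = provider_id or ":providerId"
    return {
        "audience_uri": f"{org_id}.anypoint.mulesoft.com",
        "acs_url": f"https://anypoint.mulesoft.com/accounts/login/{org_domain}/providers/{pid}/receive-id",
    }
```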

Now log in to Anypoint and navigate to Access Management
Then go to Identity Providers and click on SAML 2.0, as below

After clicking on SAML 2.0, import the IdP metadata and enter the name of the identity provider. As soon as you import the metadata, it automatically fills in the Okta sign-on URL and issuer along with the public key generated as a certificate in Okta. Click Save Changes, and the configuration will look like below





After providing all the above details, click on Save Changes

Now it's time to test
Hit the URL https://anypoint.mulesoft.com/login/domain/abcorganization to log in to Anypoint. As soon as you hit this URL, two ways of logging in are offered: one is the Okta SSO login and the other is the Anypoint credentials login, as below

Now click on "Continue with SAML identity provider Okta". You will be redirected to Okta, and you might observe an error like "user is not assigned to this application"


This error occurs because the Okta user is not assigned to the application "MuleSoft Okta Demo" that you created in Okta. So first assign the user in Okta, as below





After the assignment, try again to log in to Anypoint using the same URL https://anypoint.mulesoft.com/login/domain/abcorganization.
This time you will be redirected to Okta, the user will be validated, and after validation the user will be redirected to Anypoint using the URL "https://anypoint.mulesoft.com/accounts/login/:org-domain/providers/:providerId/receive-id". However, it will throw the error 502 Bad Gateway shown below, because the providerId generated by Anypoint after setup has not yet been updated in Okta



To get the provider id, log in to Anypoint, navigate to Access Management, then Identity Providers, and copy the Assertion Consumer Service URL

To replace the URL with this updated one, log in to Okta, navigate to Applications, click on the MuleSoft Okta Demo application, click on General, go to SAML Settings and edit the Single sign-on URL:
https://anypoint.mulesoft.com/accounts/login/:org-domain/providers/:providerId/receive-id will be replaced by https://anypoint.mulesoft.com/accounts/login/abcorganization/providers/7604c4dc-f1e9-48ec-a2f0-6e23c8dbf107/receive-id

Save, click Next and then Finish

Log in to Anypoint again using https://anypoint.mulesoft.com/login/domain/abcorganization. You will still not be able to log in; instead you will see an error message saying the assertion value is wrong. This is because in the Okta attribute statement the value for email is user.Email, which is wrong, so you need to change it to user.email

After the change, hit the URL https://anypoint.mulesoft.com/login/domain/abcorganization again; this time you will be logged in to Anypoint Platform successfully, but you will not have any access
Points to be noted
1. The user is created automatically in Anypoint
2. The user does not have any permission in Anypoint Platform by default to perform any activity

The Okta demo user has no access to anything (API Manager, Design Center etc.)
So there are two options: either grant the access manually in Anypoint, or grant the permissions to the IdP group in Anypoint. We will explore both options

Option 1: add permissions manually to the user newly created via Okta
Log in to Anypoint Platform as an admin user, navigate to Access Management and then Users, and the newly created user will be visible


Click on the user, select Add permission, choose API Manager, select all the permissions under API Manager, then select the organization and you are done.



Now you have access to API Manager, as below



Option 2: here you will see how to create an external IdP group in Anypoint, add some default permissions to it, and then map it to Okta so that a newly created user has default access to Anypoint


To achieve this, log in to Okta, navigate to Groups, click Add group, enter the group name Mulesoft_Developer_Okta and click Save

After that, click on the created group and assign the application MuleSoft Okta Demo to it.

Assign the user to this group as well


Now go to Applications and add the group statement to the MuleSoft Okta Demo application. In this step the group from MuleSoft and the group created in Okta are mapped, and the group is sent back to Anypoint in the assertion. To do this, navigate to Applications, select the application "MuleSoft Okta Demo", click on General and then click Edit on SAML Settings
Once the groups are mapped, log in to Anypoint to configure these groups there as well. Click on Roles, select Cloud Hub (Design) Admin users and set the external group mapping to Mulesoft_Developer_Okta, which will be verified at runtime.

After adding it, click on Permissions, then click on Design Center and select the permissions for Design Center Developer, as below




After that, click on Identity Providers, click on the SAML identity provider Okta, then click on Advanced Settings and set the group attribute to MuleDeveloper
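The attribute statements configured earlier (firstname, lastname, email) and the group attribute MuleDeveloper are what Anypoint reads from the assertion, and the user.Email mistake from the troubleshooting step shows up as an empty email attribute. As an added example (not from the original post), this Python check runs over a constructed assertion and reports what Anypoint would reject: a missing or empty user attribute, a wrong Audience, or a group attribute that does not carry the mapped Okta group. The assertion, its issuer and its ID are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (placeholder issuer and ID). The email attribute is empty
# on purpose: that is what an Okta attribute value of user.Email instead of user.email yields.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed">
  <saml:Issuer>http://www.okta.com/exkEXAMPLEID</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>9402c32b-1e47-456a-9da3-04cf4d1e7581.anypoint.mulesoft.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Demo</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue/></saml:Attribute>
    <saml:Attribute Name="MuleDeveloper">
      <saml:AttributeValue>Mulesoft_Developer_Okta</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Map each attribute Name to its list of non-empty values."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML)
                  if v.text and v.text.strip()]
        out[attr.get("Name")] = values
    return out


def check_assertion(xml_text, expected_audience, group_attr, expected_group):
    """Return the problems Anypoint would have with this assertion (empty list means it is fine)."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext(".//saml:Audience", namespaces=SAML)
    if audience != expected_audience:      # must equal the Audience URI set in Okta
        problems.append(f"audience {audience!r} != {expected_audience!r}")
    attrs = assertion_attributes(xml_text)
    for name in ("firstname", "lastname", "email"):   # names from the Okta attribute statements
        if not attrs.get(name):
            problems.append(f"attribute {name!r} missing or empty")
    if expected_group not in attrs.get(group_attr, []):   # group mapped to the Anypoint role
        problems.append(f"group attribute {group_attr!r} lacks {expected_group!r}")
    return problems
```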


Now test the implementation: the Okta user should be able to access Design Center. To test, log in at https://anypoint.mulesoft.com/login/domain/abcorganization and click on Design Center; the user can now access it


Open point: will users deleted from Okta be deleted automatically from Anypoint?
Note: by default a user deleted from Okta is not deleted from Anypoint; you have to delete the user manually in Anypoint

Conclusion
We have seen how to set up SSO in Anypoint using Okta SAML and grant some default permissions to users
