
To Configure OpenID Connect

This task topic covers two identity management procedures for client registration in OpenID Connect:

  • Dynamic registration

  • Manual registration

MuleSoft verifies support in Anypoint Platform for the following registrations:

  • Clients created dynamically in Okta and OpenAM

  • Clients created manually in Okta, OpenAM, and PingFederate

If you already configured Anypoint Platform as a client application in your identity provider, perform manual registration. Otherwise, if your identity provider supports dynamic client registration, perform dynamic registration. During registration, you need to provide several URLs. The following table contains examples of the URLs you need to provide, depending on your provider, during registration.

URL Name            | Okta Example URL                   | OpenAM Example URL                | PingFederate Example URL
--------------------|------------------------------------|-----------------------------------|-----------------------------------
Base                | https://example.okta.com/oauth2/v1 | https://example.com/openam/oauth2 | https://example.com:9031
Client Registration | {BASE URL}/clients                 | {BASE URL}/connect/register       | N/A
Authorize           | {BASE URL}/authorize               | {BASE URL}/authorize              | {BASE URL}/as/authorization.oauth2
Token               | {BASE URL}/token                   | {BASE URL}/access_token           | {BASE URL}/as/token.oauth2
User Info           | {BASE URL}/userinfo                | {BASE URL}/userinfo               | {BASE URL}/idp/userinfo.openid

To Configure OpenID Connect Dynamically

  1. Log into the master Organization in Anypoint Platform as Administrator.

  2. In Anypoint Platform, click Access Management > External Identity.

  3. From Identity Management, select OpenID Connect.

    The External Identity - Identity Management OpenID Connect form appears.

  4. Fill in the following required fields after obtaining values from your identity provider’s configuration:

    • Client Registration URL

      The URL to dynamically register Anypoint as a client application for your identity provider.

    • Authorize Header

      The authorization header sent with the dynamic client registration request. This is an optional field under the Advanced Settings link. The header is required if the provider restricts registration requests to authorized clients.

      • Okta: This value is SSWS ${api_token}, where api_token is an API token created through Okta.

      • OpenAM: This value is Bearer ${api_token}, where api_token is an API token created through OpenAM.

    • Authorize URL

      The URL where the user authenticates and grants OpenID Connect client applications access to the user’s identity.

    • Token URL

      The URL that provides the user’s identity encoded in a secure JSON Web Token.

    • User Info URL

      The URL that returns user profile information to Anypoint.

  5. Save your configuration.

  6. Sign out and navigate to your organization’s SSO URL, for example:

    https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain}

  7. Sign in through your identity provider to test the configuration.

To Configure OpenID Connect Manually

  1. Log into the master Organization in Anypoint Platform as Administrator.

  2. In Anypoint Platform, click Access Management > External Identity.

  3. From Identity Management, select OpenID Connect.

    The External Identity - Identity Management OpenID Connect form appears.

  4. Click Use manual registration under Client Registration URL.

  5. Create a client application for the Anypoint Platform inside your Identity Provider.

    • Your Identity Provider requires a redirect URI for redirecting authenticated users. Use the automatically generated redirect URI above the Client ID field.

    • Inside your Identity Provider, ensure that your client’s supported scopes include openid, profile, and email.

    • Inside your Identity Provider, ensure that your client uses the authorization_code grant type.

    • Store your Client ID and Client Secret values in a secure place and enter these values in the next step.

  6. Fill in the following required fields after obtaining them from your identity provider’s configuration:

    • Client ID

      The unique identifier that you provided for your manually created client application.

    • Client Secret

      The password, or secret, for authenticating your Anypoint Platform client application with your Identity Provider.

    • Authorize URL

      The URL where the user authenticates and grants OpenID Connect client applications access to the user’s identity.

    • Token URL

      The URL that provides the user’s identity encoded in a secure JSON Web Token.

    • User Info URL

      The URL that returns user profile information to the client app.

  7. Save your configuration.

  8. Sign out and navigate to your organization’s SSO URL, for example:

    https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain}

  9. Sign in through your identity provider to test the configuration.
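The following Python example is added here and is not MuleSoft's code. It ties together both procedures above: it expands the {BASE URL} table into the URLs the form asks for, builds the dynamic registration request with the per-provider Authorize Header (SSWS for Okta, Bearer for OpenAM), and checks a registered client against the manual-registration requirements (client ID and secret present, authorization_code grant, Anypoint redirect URI, openid/profile/email scopes). The RFC 7591-style body fields and the sample client dictionary are assumptions; real providers may require extra fields of their own.

```python
# Endpoint paths relative to each provider's base URL, taken from the table above.
ENDPOINTS = {
    "okta": {"register": "/clients", "authorize": "/authorize",
             "token": "/token", "userinfo": "/userinfo"},
    "openam": {"register": "/connect/register", "authorize": "/authorize",
               "token": "/access_token", "userinfo": "/userinfo"},
    "pingfederate": {"register": None, "authorize": "/as/authorization.oauth2",
                     "token": "/as/token.oauth2", "userinfo": "/idp/userinfo.openid"},
}
REQUIRED_SCOPES = {"openid", "profile", "email"}      # scopes the client must support
AUTH_SCHEME = {"okta": "SSWS", "openam": "Bearer"}    # Authorize Header scheme per provider

def endpoint_urls(provider, base_url):
    """Expand the table's {BASE URL} entries; None where the provider has no such endpoint."""
    base = base_url.rstrip("/")
    return {name: (base + path) if path else None
            for name, path in ENDPOINTS[provider].items()}

def registration_request(provider, base_url, redirect_uri, api_token):
    """Build the dynamic registration request as (URL, headers, body).
    Body fields are an assumed RFC 7591-style shape; providers may need extra fields."""
    register_url = endpoint_urls(provider, base_url)["register"]
    if register_url is None:
        raise ValueError(f"{provider}: no dynamic registration endpoint, register manually")
    headers = {"Authorization": f"{AUTH_SCHEME[provider]} {api_token}",
               "Content-Type": "application/json"}
    body = {"client_name": "Anypoint Platform",
            "redirect_uris": [redirect_uri],          # the URI shown above the Client ID field
            "grant_types": ["authorization_code"],    # the only grant Anypoint uses
            "response_types": ["code"],
            "scope": " ".join(sorted(REQUIRED_SCOPES))}
    return register_url, headers, body

def check_client(client, expected_redirect_uri):
    """Return a list of problems with a registered client (empty list means it is usable).
    `client` is the registration response or the manually created client's settings."""
    problems = []
    for field in ("client_id", "client_secret"):
        if not client.get(field):
            problems.append(f"missing {field}")
    if "authorization_code" not in client.get("grant_types", []):
        problems.append("grant_types must include authorization_code")
    if expected_redirect_uri not in client.get("redirect_uris", []):
        problems.append("redirect_uris must contain the Anypoint redirect URI")
    missing = REQUIRED_SCOPES - set(client.get("scope", "").split())
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    return problems
```

Run check_client on the provider's registration response before saving the Anypoint form; a non-empty list names exactly which of the step 5 requirements the client still violates.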