
Configure OpenID Connect Identity Management

This task topic covers two identity management procedures for client registration in OpenID Connect:

  • Dynamic registration

  • Manual registration

MuleSoft verifies support in Anypoint Platform for the following registrations:

  • Clients created dynamically in Okta and OpenAM

  • Clients created manually in Salesforce, Okta, OpenAM, and PingFederate

Although integration with the identity providers listed above has been officially tested, Anypoint Platform supports the OpenID Connect protocol itself. This means that any identity provider that implements the protocol should be able to integrate, unless it diverges from the specification.

If you already configured Anypoint Platform as a client application in your identity provider, perform manual registration. Otherwise, if your identity provider supports dynamic client registration, perform dynamic registration. During registration, you need to provide several URLs. The following table contains examples of the URLs you need to provide, depending on your provider, during registration.

URL Name            Okta Example URL                    Salesforce Example URL                            OpenAM Example URL                 PingFederate Example URL
Base                https://example.okta.com/oauth2/v1  https://domain.my.salesforce.com/services/oauth2  https://example.com/openam/oauth2  https://example.com:9031
Client Registration {BASE URL}/clients                  {BASE URL}/clients                                {BASE URL}/connect/register        N/A
Authorize           {BASE URL}/authorize                {BASE URL}/authorize                              {BASE URL}/authorize               {BASE URL}/as/authorization.oauth2
Token               {BASE URL}/token                    {BASE URL}/token                                  {BASE URL}/access_token            {BASE URL}/as/token.oauth2
User Info           {BASE URL}/userinfo                 {BASE URL}/userinfo                               {BASE URL}/userinfo                {BASE URL}/idp/userinfo.openid

Configure OpenID Connect Dynamically

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Business Groups menu, select your root organization.

  4. In the Access Management navigation menu, click Identity Providers.

  5. In the Identity Management page, select OpenID Connect.

    The External Identity - Identity Management OpenID Connect form appears.

  6. Fill in the following required fields after obtaining values from your identity provider’s configuration:

    • Client Registration URL

      The URL to dynamically register Anypoint as a client application for your identity provider.

    • Authorize Header

      The authorization header for the dynamic client registration request. This is an optional field under the Advanced Settings link; it is required if the provider restricts registration requests to authorized clients.

      • Okta: This value is SSWS ${api_token}, where api_token is an API token created through Okta.

      • OpenAM: This value is Bearer ${api_token}, where api_token is an API token created through OpenAM.

    • Authorize URL

      The URL where the user authenticates and grants OpenID Connect client applications access to the user’s identity.

    • Token URL

      The URL that provides the user’s identity encoded in a secure JSON Web Token.

    • User Info URL

      The URL that returns user profile information to Anypoint.

  7. Save your configuration.

  8. Sign out and navigate to your organization’s SSO URL, for example:

    https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain}

  9. Log in through your identity provider to test the configuration.

The dynamically registered application at the identity provider has only default settings. If you want to configure additional functionalities (such as group mappings), you must update the settings on the provider side. Configuring dynamically registered applications is not currently supported.

Configure OpenID Connect Manually

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Identity Providers.

  4. From Identity Management, select OpenID Connect.

    The External Identity - Identity Management OpenID Connect form appears.

  5. Click Use manual registration under Client Registration URL.

  6. Create a client application for the Anypoint Platform inside your Identity Provider.

    • Your Identity Provider requires a redirect URI for redirecting authenticated users. Use the automatically generated redirect URI above the Client ID field.

    • Inside your Identity Provider, ensure that your client’s supported scopes include openid, profile, and email.

    • Inside your Identity Provider, ensure that your client uses the authorization_code grant type.

    • Store your Client ID and Client Secret values in a secure place and enter these values in the next step.

  7. Fill in the following required fields after obtaining them from your identity provider’s configuration:

    • Client ID

      The unique identifier that you provided for your manually created client application.

    • Client Secret

      The password, or secret, for authenticating your Anypoint Platform client application with your Identity Provider.

    • Authorize URL

      The URL where the user authenticates and grants OpenID Connect client applications access to the user’s identity.

    • Token URL

      The URL that provides the user’s identity encoded in a secure JSON Web Token.

    • User Info URL

      The URL that returns user profile information to the client app.

    • OpenID Connect Issuer

      The location of the OpenID Provider. For most providers, /.well-known/openid-configuration is appended to the issuer to generate the OpenID Connect metadata URL. For Salesforce, you must provide the value for the issuer.

  8. Save your configuration.

  9. Sign out and navigate to your organization’s SSO URL, for example:

    https://anypoint.mulesoft.com/accounts/login/{yourOrgDomain}

  10. Log in through your identity provider to test the configuration.
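As an added pre-flight check for either procedure above (example code written for this page, not MuleSoft's or Anypoint's own), the script below compares the Authorize, Token and User Info URLs you plan to enter in the form, plus the Client Registration URL when you register dynamically, with what the provider's discovery document advertises under the OpenID Connect Issuer, and confirms the authorization_code grant and the openid, profile and email scopes are supported. The sample issuer, form values and metadata are constructed to mirror the Okta column of the table; the function names are the example's own.

```python
# Added example (not MuleSoft's code): checks the URLs you plan to enter in the OpenID
# Connect form against the provider's discovery document at {issuer}/.well-known/openid-configuration.
import json
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "profile", "email"}
FIELD_TO_METADATA = {  # form field -> discovery key; registration only matters for dynamic
    "client_registration_url": "registration_endpoint",
    "authorize_url": "authorization_endpoint",
    "token_url": "token_endpoint",
    "user_info_url": "userinfo_endpoint",
}


def metadata_url(issuer: str) -> str:
    """Build the discovery URL the way the form does: issuer + well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def fetch_metadata(issuer: str) -> dict:
    with urllib.request.urlopen(metadata_url(issuer), timeout=10) as resp:  # live use only
        return json.load(resp)


def check_form_values(issuer: str, form: dict, meta: dict) -> list:
    """Return the problems found; an empty list means the form agrees with discovery."""
    problems = []
    # Discovery requires the document's issuer to equal the URL it was fetched from.
    if meta.get("issuer") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: form={issuer} metadata={meta.get('issuer')}")
    for form_key, meta_key in FIELD_TO_METADATA.items():
        if form_key in form and form[form_key] != meta.get(meta_key):
            problems.append(f"{form_key} differs from advertised {meta_key}")
    # grant_types_supported defaults to authorization_code and implicit when absent.
    if "authorization_code" not in meta.get("grant_types_supported", ["authorization_code"]):
        problems.append("provider does not advertise the authorization_code grant")
    missing = REQUIRED_SCOPES - set(meta.get("scopes_supported", REQUIRED_SCOPES))
    if missing:  # scopes_supported is optional in discovery, so absence is not flagged
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample mirroring the Okta column of the table above.
SAMPLE_ISSUER = "https://example.okta.com"
SAMPLE_FORM = {k: f"{SAMPLE_ISSUER}/oauth2/v1/{p}" for k, p in
               [("authorize_url", "authorize"), ("token_url", "token"), ("user_info_url", "userinfo")]}
SAMPLE_META = {"issuer": SAMPLE_ISSUER, "scopes_supported": ["openid", "profile", "email", "groups"],
               "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
               **{FIELD_TO_METADATA[k]: v for k, v in SAMPLE_FORM.items()}}
```

For a real provider, call check_form_values(issuer, form, fetch_metadata(issuer)) with the values from your form and resolve every reported problem before saving the configuration.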