Nav

External Identity

Setting up external identity means that you configure an identity provider (IdP) to authenticate an acting agent (either an user, a client, or both) and then assert to Anypoint Platform that said agent has been validated by it and should be trusted.

This means that you can set up:

  • External identities for user management using SAML 2.0 or LDAP (LDAP for Private Cloud Edition users only)

  • External identities for client management using OAuth 2.0

  • External identities for both user and client management

External identity applies to the entire organization and all business groups.
User management and client management can not be set different for different business groups; the settings are global to your organization.

Check the overview below for a detailed example of these use cases.

In order to set external identities, you need to own the proper entitlements. If you don’t have the External Identity option in your Access Management menu please contact your sales representative or customer success manager.

User Management

End users within your organization might need to access certain services hosted in the Anypoint Platform. As end users, they might expect to log in only once to your system (usually an authorization server of your federated identity provider), and access the resources in the Anypoint Platform without having to remember a new pair of username and password.

The Anypoint Platform can be integrated with your organization’s external federated identity system allowing your users to have single sign-on (SSO) access to your Anypoint Platform organization.

The process flow below describes how this works:

external-identity-decbd

The Anypoint Platform only supports SSO that’s been initiated by the Identity Provider.
Service initiated SSO is not supported.

Client Management

APIs are essential to grant self-service access to your resources to your different API consumers.
From your application point of view, said consumers are clients.

Managing API clients allows you to leverage the platform client management capability to:

  1. Grant a client permission to use the API

  2. Apply specific policies to your clients

  3. Revoke a client’s credentials

external identity b0a95

A client application must first be registered in the platform, so it has its own pair of client Id and secret to obtain the OAuth tokens.
An OAuth client application would then interact with your authorization server and obtain access tokens to send authenticated requests to your resource server.

Anypoint Platform allows you to store the client id and secret in an external IdP server.
The platform generates both client id and secret and stores them in the external IdP.

The only OAuth 2.0 supported IdPs that work with Anypoint Platform are openAM and Ping Federate.

User and Client Management

Users might be expected to interact with a client application (for example a third party mobile app) that consumes some resource (for example, an exposed API) published on the Anypoint Platform.

Said users might expect to log in to the service in their third party mobile app and automatically inform the service provider that said client is acting on their behalf.

It is possible for you to verify your user’s identity and authorize a client application to access restricted user’s data in your resource server using tokens issued by an authorization server in response to the user’s explicit authorization.

external identity 09ab8

Currently OpenAM and PingFederate are the only supported IdPs to manage users and client management simultaneously.
Follow the openAM for client management or the PingFederate for client management instructions respectively to configure this.

Optionally, you can configure an External Oauth 2.0 service provider to delegate authorization for third-party applications.