To Map Users to Roles in an LDAP Group
You can map users in a federated organization’s LDAP group to an Anypoint role. Your Anypoint Platform organization needs to use an external identity provider, such as PingFederate.
After you perform this mapping, users in an organization can sign into Anypoint Platform using the same organizational credentials and access permissions that an organization maintains using LDAP.
This ensures security of credentials and maintains organizational roles for accessing privileged information.
Choose an external identity provider and then configure roles.
To configure a role:
-
In Anypoint Platform, navigate to Access Management.
-
Click Roles.
-
Click Add Role to create a role for each group of users in your organization.
-
Specify a role name and description.
-
Click Add Role to add the role:
-
In the Roles section, click the name of the new role:
-
Click Set external group mapping:
-
Copy the string from your SAML assertion AttributeValue to the External Group Name, for example:
SAML AttributeValue:
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=jira-users,ou=groups,dc=muleforge,dc=org</saml:AttributeValue>Mapping:
-
Click Set names.
To map more than one attribute name to the selected role, click Add More and add another attribute.
-
Repeat this process for each role that you want to map to an external group.
Configure Multiple Group Mappings for Single Sign-On
If your organization uses single sign-on and requires its users to obtain permissions from multiple groups, you can configure a group attribute that contains all the groups you want to use. In many cases, you can create an array of groups.
For example, your IDP may provide your groups in the following format:
<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue> </ns2:Attribute> <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue> </ns2:Attribute>
To prevent security vulnerabilities, Anypoint Platform requires you to create a single group that encompasses multiple group mappings:
<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue> <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue> </ns2:Attribute>