
Map Single Sign-On Users to Roles

You can map users in a federated organization’s group to a role. Your Anypoint Platform organization must use an external identity provider, such as PingFederate.

After you have mapped them, users in the organization can sign in to Anypoint Platform with the same organizational credentials and access permissions that the organization maintains through SAML, OpenID Connect (OIDC), or LDAP.
This helps keep credentials secure and preserves the organizational roles that govern access to privileged information.

Anypoint Platform requires different information from your identity provider based on whether you use SAML, OpenID Connect, or LDAP.

Configure Multiple Group Mappings for Single Sign-On Using SAML

If your organization uses single sign-on but also requires you to obtain permissions from multiple groups, you can configure an attribute that contains all of the groups from which you need to obtain individual access permission. In many cases, you can create an array of groups.

For example, assume that your IDP provides your groups in the following format:

<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue>
</ns2:Attribute>

To prevent security vulnerabilities, Anypoint Platform requires you to create a single attribute that carries all of the group values (one AttributeValue per group) rather than repeating an attribute with the same name:

<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue>
  <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue>
</ns2:Attribute>

In the above example of a SAML assertion, the Group Attribute is Groups.
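The following example is added here and is not part of the Anypoint Platform documentation or product: it parses a SAML AttributeStatement with Python's standard library, collects every group under the configured Group Attribute, and reports whether the identity provider split the groups across repeated attributes of the same name (the form the docs tell you to consolidate). The enclosing AttributeStatement element and its xmlns:ns2 declaration are assumptions added so the fragments parse; the samples are constructed from the snippets above.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR = f"{{{SAML_NS}}}Attribute"
VALUE = f"{{{SAML_NS}}}AttributeValue"

# Constructed sample: the form Anypoint Platform requires, one Groups attribute
# carrying every group as its own AttributeValue (wrapper element assumed).
SINGLE_ATTRIBUTE = f"""<ns2:AttributeStatement xmlns:ns2="{SAML_NS}">
  <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue>
    <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>"""

# Constructed sample: the same groups emitted as two attributes sharing a Name,
# which is the IdP output the docs tell you to consolidate.
REPEATED_ATTRIBUTE = f"""<ns2:AttributeStatement xmlns:ns2="{SAML_NS}">
  <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue>
  </ns2:Attribute>
  <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>"""


def group_values(statement_xml: str, group_attribute: str = "Groups") -> Tuple[List[str], bool]:
    """Collect the group names under the configured Group Attribute.

    Returns (groups, repeated): 'repeated' is True when the groups are spread
    over several attributes with that Name, so the assertion does not yet
    match the single-attribute form Anypoint Platform expects."""
    root = ET.fromstring(statement_xml)
    matching = [a for a in root.iter(ATTR) if a.get("Name") == group_attribute]
    groups = [
        (v.text or "").strip()
        for attribute in matching
        for v in attribute.iter(VALUE)
        if (v.text or "").strip()
    ]
    return groups, len(matching) > 1


if __name__ == "__main__":
    for label, xml in (("single", SINGLE_ATTRIBUTE), ("repeated", REPEATED_ATTRIBUTE)):
        groups, repeated = group_values(xml)
        print(f"{label}: groups={groups} needs consolidation={repeated}")
```

Run it against an assertion captured from your own IdP (with the Group Attribute name you configured) to confirm the groups arrive in one attribute before you set up role mappings.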

Map SAML Users to Roles

After you have created an attribute that contains your groups, you can create a role to map to groups of users in your organization.

  1. In Anypoint Platform, navigate to Access Management.

  2. Click Identity Providers.

  3. From Identity Providers, select SAML.

  4. Verify that the value in the Group Attribute field matches the name of the SAML attribute that contains the group names.

  5. Click Roles.

  6. Click Add Role.

  7. Specify a role name and description.

  8. Click Add Role.

  9. In the Roles section, click the name of the new role.

  10. Click Set external group mapping.

  11. Name the group to which you want to map.

  12. Click Set names.

  13. Optionally, to map more than one groups claim to the selected role, click Add More and add another groups claim.

  14. Repeat this process for each role that you want to map to an external group.

Configure Multiple Group Mappings for Single Sign-On Using OpenID Connect (OIDC)

External identity providers format groups claims in different ways. Anypoint Platform checks the UserInfo response for the groups claim. If it is not found, it then checks the Token endpoint response.

You can use any identity provider that returns groups claims in the UserInfo or Token endpoint response.

Map OIDC Group Users to Roles

You can use groups claims values to create a role for each group of users in your organization.

  1. Obtain a response to the UserInfo or Token endpoint that contains a groups claim from your external identity provider.

  2. In Anypoint Platform, navigate to Access Management.

  3. Click Identity Providers.

  4. From Identity Providers, select OIDC.

  5. If your IdP requires an additional OIDC scope to authorize access to groups claims, enter it in the Group Scope field.

  6. Verify that the JSONata query in Group Attribute JSONata Expression yields an array of group names from either the UserInfo or Token endpoint response.

  7. Click Roles.

  8. Click Add Role.

  9. Specify a role name and description.

  10. Click Add Role.

  11. In the Roles section, click the name of the new role.

  12. Click Set external group mapping.

  13. Name the group to which you want to map. The name of the group must be your groups claim.

  14. Click Set names.

  15. Optionally, to map more than one groups claim to the selected role, click Add More and add another groups claim.

  16. Repeat this process for each role that you want to map to an external group.

Examples of OIDC Group Expressions

The following examples show responses from the UserInfo or Token endpoints that contain groups claims from different external identity providers.

Okta

The following example shows a typical Okta groups claim:

{
 ...
  "groups": [
    "Everyone",
    "groupOne"
  ]
}

Given that groups claim, the JSONata expression is groups.

Auth0

The following example shows a typical Auth0 groups claim:

{
  ...
  "https://anypoint.mulesoft.com/groups": [
    "MyGroup",
    "groupOne"
  ]
}

Given that groups claim, the JSONata expression is https://anypoint.mulesoft.com/groups.

Salesforce

The following example shows a typical Salesforce groups claim:

{
  ...
  "custom_attributes": {
    "PermissionSets": "groupOne,groupTwo"
  }
}

Given that groups claim, the JSONata expression is $split(custom_attributes.PermissionSets, ',').
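The following example is added here and is not part of the Anypoint Platform documentation or product. It models, in Python, the lookup order described above (UserInfo response first, then the Token endpoint response), uses Python stand-ins for the three JSONata expressions shown for Okta, Auth0 and Salesforce, rejects an expression that yields a scalar instead of an array (the check in step 6), and resolves roles from a constructed external group mapping in which a role can carry several group names (the "Add More" case). The sample responses, provider labels and role names are constructed.

```python
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample responses in the three claim shapes shown above.
OKTA_USERINFO = {"sub": "user-1", "groups": ["Everyone", "groupOne"]}
AUTH0_USERINFO = {"sub": "user-2", "https://anypoint.mulesoft.com/groups": ["MyGroup", "groupOne"]}
SALESFORCE_TOKEN = {"sub": "user-3", "custom_attributes": {"PermissionSets": "groupOne,groupTwo"}}

def _salesforce(claims: dict) -> Optional[List[str]]:
    # Stand-in for $split(custom_attributes.PermissionSets, ',')
    value = claims.get("custom_attributes", {}).get("PermissionSets")
    return None if value is None else value.split(",")

# Python stand-ins for the page's JSONata expressions, keyed by provider label.
EXTRACTORS: Dict[str, Callable[[dict], object]] = {
    "okta": lambda claims: claims.get("groups"),
    "auth0": lambda claims: claims.get("https://anypoint.mulesoft.com/groups"),
    "salesforce": _salesforce,
}

# Constructed role mapping: role name -> external group names entered via
# "Set external group mapping" (several names per role via "Add More").
ROLE_MAPPING: Dict[str, Set[str]] = {
    "Exchange Contributor": {"groupOne"},
    "Org Admin": {"MyGroup", "groupTwo"},
}

def resolve_groups(userinfo: dict, token_response: dict, extract: Callable[[dict], object]) -> List[str]:
    """Apply the group expression to the UserInfo response first and fall back
    to the Token endpoint response. Only an array of strings counts as a hit;
    a scalar means the Group Attribute expression is misconfigured."""
    for source in (userinfo, token_response):
        value = extract(source)
        if value is None:
            continue
        if isinstance(value, list) and all(isinstance(g, str) for g in value):
            return value
        raise ValueError(f"group expression must yield an array of names, got {type(value).__name__}")
    return []

def roles_for(groups: Iterable[str], mapping: Dict[str, Set[str]] = ROLE_MAPPING) -> Set[str]:
    """Roles granted to a user: every role whose mapped external group names
    intersect the groups the identity provider returned."""
    present = set(groups)
    return {role for role, external in mapping.items() if external & present}

if __name__ == "__main__":
    groups = resolve_groups({"sub": "user-3"}, SALESFORCE_TOKEN, EXTRACTORS["salesforce"])
    print(groups, sorted(roles_for(groups)))
```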

Configure Multiple Group Mappings for Single Sign-On Using LDAP

You can obtain the information you need to map your LDAP group to a role using a SAML assertion. Note that user management through LDAP is available only for Anypoint Platform Private Cloud Edition.

Map LDAP Group Users to Roles

Using a SAML assertion, you can create a role to map to a group of users in your organization.

  1. In Anypoint Platform, navigate to Access Management.

  2. Click Roles.

  3. Click Add Role.

  4. Specify a role name and description.

  5. Click Add Role.

  6. In the Roles section, click the name of the new role.

  7. Click Set external group mapping.

  8. Copy the string from the AttributeValue in your SAML assertion into the External Group Name field, for example:

    SAML AttributeValue:

    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">cn=jira-users,ou=groups,dc=muleforge,dc=org</saml:AttributeValue>

    Mapping:

    (screenshot of the resulting external group mapping, not reproduced)

  9. Click Set names.

  10. Optionally, to map more than one attribute name to the selected role, click Add More and add another attribute.

  11. Repeat this process for each role that you want to map to an external group.
