Map Single Sign-On Users to Roles or Teams

You can map a group from your federated organization's identity provider to an Anypoint Platform team or role. Your Anypoint Platform organization must use an external identity provider, such as PingFederate.

After you map the groups, users in the organization log in to Anypoint Platform with the same organizational credentials, and receive the same access permissions, that the organization maintains in its identity provider through SAML, OpenID Connect (OIDC), or LDAP.
Because credentials stay in the identity provider and permissions follow its group structure, access to privileged information tracks the organization's existing structure instead of a separate set of platform accounts.

Anypoint Platform requires different information from your identity provider based on whether you use SAML, OpenID Connect, or LDAP.

Configure Multiple Group Mappings for Single Sign-On Using SAML

If your organization uses single sign-on and a user's permissions come from several groups, configure a single attribute that carries all of the groups from which individual access permissions are derived. Most IdPs can emit the groups as one multi-valued attribute (an array).

For example, assume that your IdP provides your groups in the following format, one Attribute element per group:

<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue>
</ns2:Attribute>

Anypoint Platform reads the group names from a single attribute. To prevent groups from being dropped from the mapping, and the security problems that follow from an incomplete or ambiguous mapping, configure the IdP to emit one attribute that carries all of the group values:

<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>Mule_Org_Admin_XXX</ns2:AttributeValue>
  <ns2:AttributeValue>Mule_Exchange_XXX</ns2:AttributeValue>
</ns2:Attribute>

In this SAML assertion, the Group Attribute is Groups.

Verify that the value in the Group Attribute field exactly matches the Name of the SAML attribute that carries the group names.
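The difference between the two assertion shapes above is easiest to see by parsing them. The following is an added example, not code from the page or from Anypoint Platform: it builds both shapes as constructed, unsigned sample assertions and runs a first-match reader and a merge-all reader over each, so you can see which groups a consumer that binds Group Attribute to a single element would lose. It also checks the configured Group Attribute name against the attribute names the IdP actually sends. In production, verify the assertion's XML signature before reading any attribute, and parse with defusedxml rather than the standard library parser used here for portability.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: the repeated-attribute shape (one Attribute element per group).
# A real assertion also carries Subject, Conditions and a Signature; only the
# AttributeStatement matters for group mapping, and this sample is unsigned.
REPEATED_ATTRIBUTES = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups" NameFormat="{NAME_FORMAT}">
      <saml:AttributeValue>Mule_Org_Admin_XXX</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups" NameFormat="{NAME_FORMAT}">
      <saml:AttributeValue>Mule_Exchange_XXX</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the single multi-valued attribute the page requires.
MULTI_VALUED_ATTRIBUTE = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups" NameFormat="{NAME_FORMAT}">
      <saml:AttributeValue>Mule_Org_Admin_XXX</saml:AttributeValue>
      <saml:AttributeValue>Mule_Exchange_XXX</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def first_attribute_values(assertion_xml, attribute_name):
    """Reader that uses only the first Attribute whose Name matches.

    A consumer that binds the configured Group Attribute to one element behaves
    like this: with the repeated form it sees a single group.
    """
    root = ET.fromstring(assertion_xml)
    attr = root.find(f".//saml:Attribute[@Name='{attribute_name}']", NS)
    if attr is None:
        return []
    return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]


def all_attribute_values(assertion_xml, attribute_name):
    """Reader that merges values across every Attribute with that Name.

    Order is preserved and duplicates are dropped.
    """
    root = ET.fromstring(assertion_xml)
    seen, groups = set(), []
    for attr in root.findall(f".//saml:Attribute[@Name='{attribute_name}']", NS):
        for v in attr.findall("saml:AttributeValue", NS):
            if v.text and v.text.strip() not in seen:
                seen.add(v.text.strip())
                groups.append(v.text.strip())
    return groups


def attribute_names(assertion_xml):
    """Names of every Attribute in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return sorted({a.get("Name") for a in root.findall(".//saml:Attribute", NS)})


def group_attribute_is_present(assertion_xml, configured_name):
    """True when the value entered in the Group Attribute field exactly matches
    an attribute Name the IdP sends (comparison is case-sensitive)."""
    return configured_name in attribute_names(assertion_xml)


if __name__ == "__main__":
    print("repeated, first match :", first_attribute_values(REPEATED_ATTRIBUTES, "Groups"))
    print("repeated, merged      :", all_attribute_values(REPEATED_ATTRIBUTES, "Groups"))
    print("multi-valued, first   :", first_attribute_values(MULTI_VALUED_ATTRIBUTE, "Groups"))
    print("'groups' present?     :", group_attribute_is_present(MULTI_VALUED_ATTRIBUTE, "groups"))
```

Run it against a captured assertion from your own IdP (after signature verification) to confirm that every group you intend to map appears under a single attribute and that the name you typed into Group Attribute is exactly the Name the IdP emits.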

Configure Multiple Group Mappings for Single Sign-On Using OpenID Connect (OIDC)

External identity providers format groups claims in different ways. Anypoint Platform looks for the groups claim in the UserInfo response first. If it is not found there, it checks the Token endpoint response.

Use groups claims values to create a team or role for each group of users in your organization:

  1. Obtain a UserInfo or Token endpoint response from your external identity provider that contains the groups claim.

  2. If your IdP requires an additional OIDC scope to authorize access to groups claims, enter it in the Group Scope field.

  3. Verify that the JSONata query in Group Attribute JSONata Expression yields an array of group names from either the UserInfo or Token endpoint response.

Examples of OIDC Group Expressions

The following examples show responses from the UserInfo or Token endpoints that contain groups claims from different external identity providers.

Okta

The following example shows a typical Okta groups claim:

{
 ...
  "groups": [
    "Everyone",
    "groupOne"
  ]
}

Given that groups claim, the JSONata expression is groups.

Auth0

The following example shows a typical Auth0 groups claim:

{
  ...
  "https://anypoint.mulesoft.com/groups": [
    "MyGroup",
    "groupOne"
  ]
}

Given that groups claim, the JSONata expression is https://anypoint.mulesoft.com/groups. Because the claim name contains characters such as / and . that standard JSONata treats as reserved in a path (it requires such names to be enclosed in backticks), verify the expression against a captured response before relying on it.

Salesforce

The following example shows a typical Salesforce groups claim:

{
  ...
  "custom_attributes": {
    "PermissionSets": "groupOne,groupTwo"
  }
}

Given that groups claim, the JSONata expression is $split(custom_attributes.PermissionSets, ','). Note that $split does not trim whitespace, so the IdP must emit the comma-separated names without spaces.
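The lookup order (UserInfo first, then the Token endpoint response) and the three extraction rules above can be exercised together. The following is an added example, not code from the page or from Anypoint Platform: each JSONata expression is rewritten as a small Python function, because no JSONata engine is assumed to be installed, and the sample responses are constructed rather than captured from a real IdP. One assumption is labelled in the code: the Token endpoint response is represented by the claims it carries (for example the decoded ID token payload), since the page does not say which field is read.

```python
# Each extractor mirrors one JSONata expression on this page.
# It returns a list of group names, or None when the claim is absent.

def okta_groups(claims):
    # JSONata: groups
    return claims.get("groups")


def auth0_groups(claims):
    # JSONata: https://anypoint.mulesoft.com/groups
    return claims.get("https://anypoint.mulesoft.com/groups")


def salesforce_groups(claims):
    # JSONata: $split(custom_attributes.PermissionSets, ',')
    custom = claims.get("custom_attributes") or {}
    permission_sets = custom.get("PermissionSets")
    if permission_sets is None:
        return None
    # $split does not trim, so "a, b" yields " b": the IdP must emit no whitespace.
    return permission_sets.split(",")


def as_group_list(value):
    """Accept a string or an array of strings; reject anything else rather than coerce it."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return value
    raise ValueError(f"groups claim must be a string or an array of strings, got {type(value).__name__}")


def resolve_groups(userinfo_claims, token_claims, extract):
    """Apply the lookup order on this page: UserInfo first, then the Token endpoint response.

    userinfo_claims: decoded JSON body of the UserInfo response, or None if not called
    token_claims:    claims from the Token endpoint response (assumption: the decoded
                     ID token payload), or None if not available
    Returns (source, groups) where source is 'userinfo', 'token' or None.
    """
    for source, claims in (("userinfo", userinfo_claims), ("token", token_claims)):
        if claims is None:
            continue
        value = extract(claims)
        if value is not None:
            return source, as_group_list(value)
    return None, []


# Constructed sample responses (not captured from a real IdP).
OKTA_USERINFO = {"sub": "00u1", "email": "alice@example.com",
                 "groups": ["Everyone", "groupOne"]}
AUTH0_USERINFO = {"sub": "auth0|1", "email": "bob@example.com"}   # no groups claim here
AUTH0_ID_TOKEN = {"sub": "auth0|1",
                  "https://anypoint.mulesoft.com/groups": ["MyGroup", "groupOne"]}
SALESFORCE_USERINFO = {"sub": "005xx",
                       "custom_attributes": {"PermissionSets": "groupOne,groupTwo"}}
SALESFORCE_WITH_SPACE = {"custom_attributes": {"PermissionSets": "groupOne, groupTwo"}}


if __name__ == "__main__":
    print("okta      :", resolve_groups(OKTA_USERINFO, None, okta_groups))
    print("auth0     :", resolve_groups(AUTH0_USERINFO, AUTH0_ID_TOKEN, auth0_groups))
    print("salesforce:", resolve_groups(SALESFORCE_USERINFO, None, salesforce_groups))
    print("missing   :", resolve_groups({"sub": "x"}, {"sub": "x"}, okta_groups))
```

The strict as_group_list check is deliberate: a claim that arrives as an object or a number is a configuration error at the IdP, and failing loudly is safer than mapping nobody (or everybody) silently.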

Configure Multiple Group Mappings for Single Sign-On Using LDAP

You can take the information you need to map an LDAP group to a team or role from the SAML assertion. User management through LDAP is available only for Anypoint Platform Private Cloud Edition.

Example: the string in the AttributeValue of your SAML assertion becomes the External Group Name:

<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:type="xs:string">cn=jira-users,ou=groups,dc=muleforge,dc=org</saml:AttributeValue>

Mapping: [screenshot in the original page showing the External Group Name set to the AttributeValue string above]

Map SSO Users to Teams

If you delete your IdP configuration, your associated team mappings are also deleted.

You can map SSO users to teams by entering their group names in the team's settings.

If a user has multiple group names that map to a single team, the group name that grants the most permissions is used. For example, if the Acme team has a Member group of engineering-all and a Maintainer group of engineering-managers, a user with both engineering-all and engineering-managers group names becomes a maintainer. If a user is explicitly designated as a maintainer of a team and has a group name that gives them member status, the group name is ignored, and the user remains a maintainer.
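The precedence rule above decides who ends up as a maintainer, so it is worth previewing before a mapping is saved. The following is an added example, not code from the page or from Anypoint Platform: it encodes the rule as a function that returns both the resulting membership and the reason for it, and applies it to a constructed roster built around the Acme team described above. The team and user names are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TeamMapping:
    name: str
    member_groups: frozenset          # group names mapped with membership type Member
    maintainer_groups: frozenset      # group names mapped with membership type Maintainer
    explicit_maintainers: frozenset = frozenset()  # users designated maintainer directly


def effective_membership(team, username, user_groups):
    """Return (level, reason) for one user under the precedence rule on this page.

    level is 'maintainer', 'member' or None. reason is 'explicit' or the group
    name that granted the level, so the outcome can be audited.
    """
    if username in team.explicit_maintainers:
        return "maintainer", "explicit"      # group names are ignored for an explicit maintainer
    best = (None, None)
    for group in sorted(user_groups):         # deterministic order for the reason field
        if group in team.maintainer_groups:
            return "maintainer", group        # the most permissive mapping wins
        if group in team.member_groups and best[0] is None:
            best = ("member", group)
    return best


def preview_maintainers(team, roster):
    """roster: {username: set of group names}.

    Lists users who would gain maintainer rights from the group mapping alone,
    which is the set to review before saving the mapping.
    """
    return sorted(user for user, groups in roster.items()
                  if user not in team.explicit_maintainers
                  and effective_membership(team, user, groups)[0] == "maintainer")


# Constructed example matching the Acme team described on this page.
ACME = TeamMapping(name="Acme",
                   member_groups=frozenset({"engineering-all"}),
                   maintainer_groups=frozenset({"engineering-managers"}),
                   explicit_maintainers=frozenset({"carol"}))

ROSTER = {
    "alice": {"engineering-all", "engineering-managers"},  # both groups: maintainer wins
    "bob":   {"engineering-all"},                          # member only
    "carol": {"engineering-all"},                          # explicit maintainer: group ignored
    "dave":  {"finance"},                                  # no mapped group: not on the team
}


if __name__ == "__main__":
    for user, groups in ROSTER.items():
        print(user, effective_membership(ACME, user, groups))
    print("maintainers granted by mapping:", preview_maintainers(ACME, ROSTER))
```

Feed preview_maintainers a roster exported from the IdP before you save a Maintainer mapping; the list it returns is exactly the set of users whose rights the mapping elevates.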

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Teams.

  4. Click Add Team.

  5. Specify a team name and parent.

  6. Click Add Team.
    A new team is created.

  7. In the Teams section, click the name of the new team.

  8. Click the Settings tab.

  9. In the Group Name field, enter the group name that you want to map:

    • SAML: a group name from the multi-valued SAML group attribute

    • OIDC: a value from the groups claim in the UserInfo or Token endpoint response

    • LDAP: the string from the AttributeValue in your SAML assertion

  10. Select a membership type for the group name.
    If you select Maintainer, users who have that group name become team maintainers for this team. If you select Member, users who have this group name become team members.

  11. Click Add.

  12. Click Save Changes.
    The SSO users associated with the group you designated are assigned to the team.

Map SSO Users to Roles

You can create a role to map to groups of SSO users in your organization.

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the organization you want to access.

  5. Click the Roles tab.

  6. Click Add Role.

  7. Specify a role name and description.

  8. Click Add Role.

  9. In the Roles section, click the name of the new role.

  10. Click Set external group mapping.

  11. Under External group names, enter one of the following:

    • SAML: a group name from the multi-valued SAML group attribute

    • OIDC: a value from the groups claim in the UserInfo or Token endpoint response

    • LDAP: the string from the AttributeValue in your SAML assertion

  12. Click Update.
    The SSO users associated with the groups you designated are assigned the role.
