Contact Us 1-800-596-4880

SSO Prerequisites and Limitations

When using SSO within Anypoint Platform, there are some prerequisites and limitations to be aware of.

Before You Begin

Before using SSO, ensure that you have performed the following:

  • Configure your identity provider to send the username and email in your assertion.

  • Configure Anypoint Platform to map the username and email to the expected attribute name. If you don’t configure this setting, signin fails with a 403 unauthorized error message.

  • Configure the SAML assertion of the identity provider as signed and optionally encrypted using

    • either AES128 or AES256 block encryption algorithm,

    • RSA-OAEP (including MGF1 with SHA1) key transport algorithm, and

    • Anypoint Platform Signing Certificate which can be downloaded from the SAML 2.0 SSO page.

      After you configure the SAML assertion for the identity provider, the identity provider issues the SAML assertion as an XML file, which is sent through HTTP as a POST request.

Client Considerations

Be aware of the following considerations related to client behavior:

  • User accounts created before configuring your federated organization remain within the organization. However, users can only signin through the Anypoint Platform signin page. They cannot signin from the redirected signin page of the identity provider.

  • Existing non-federated users can continue to work as normally with the following exceptions:

    • If a user session times out, the user is redirected to the federated identity signin page instead of the generic one. Links and bookmarks that identify the organization redirect the user to the federated signin page, which fails for non-federated users.

    • If you configure your identity provider to handle user-information assertion, users must sign into Anypoint Platform using the following URL:

      https://anypoint.mulesoft.com/accounts/login/{your_org_domain}

Limitations

  • OpenID Connect does not support single signout.

  • If a SAML user belongs to certain groups, Anypoint Platform does not automatically grant equivalent permissions in the organization.

  • Anypoint Platform does not generate the SAML assertion for single sign on. Your IdP generates the sign-on URL that you configure.

  • External identity configuration is available only at the organization level. You cannot configure an external identity provider for a business group.

  • If you delete a user from your identity provider, you must also manually delete the user from your Anypoint Platform organization.

  • If you delete an SAML identity provider and recreate one with the same configuration, it’s considered a new identity provider. Users signing in to Anypoint Platform using this configuration are associated with the new identity provider. If existing user accounts are still associated with the deleted IdP, duplicate users appear because they are associated with a different IdP.