About SSO Prerequisites and Limitations

Observe the following prerequisites:

  • Configure your IdP to send the your user name and email in your assertion.

  • Configure Anypoint Platform to map the user name and email to the expected attribute name. Otherwise, the login fails with a 403 unauthorized error message.

  • The identity provider (IdP) issues the SAML assertion as an XML file. Ensure that this assertion is signed, but unencrypted, for verification of its integrity because the assertion itself is POSTed through HTTPS.

  • Prepare users for the following changes.

    • User accounts that you create before configuring your federated organization remain. However, your users can login only through the Anypoint Platform Sign In page, not the IdP redirected custom login page.

    • With external identity enabled, the invite button is disabled and no new non-federated users can be added. Existing non-federated users can continue to work normally, with some exceptions:

      If a user session times out, the user is redirected to the federated identity login page instead of the generic one. Links and bookmarks that identify the organization redirect the user to the federated login page, which fails for non-federated users.

    • If you configure an IdP to handle user information assertion, users need to log into Anypoint Platform at the following location:{yourorgDomain}


  • Federated users cannot use platform APIs.

  • OpenID Connect does not support single logout.

  • OpenID Connect does not support role mapping.

    If a SAML user belongs to certain groups, Anypoint Platform does not automatically grant equivalent roles in the organization.

  • Anypoint Platform does not generate the SAML assertion for the single sign on. Your IdP generates the Sign On URL that you configure.

  • External Identity configuration is only available at Organization level. Business Unit level external identity configuration is not currently supported.

In this topic: