Contact Free trial Login

About SSO Prerequisites and Limitations

This topic describes the prerequisites and limitations for using SSO within Anypoint Platform.

Prerequisites

Before using SSO, ensure that you have performed the following:

  • Configure your identity provide to send the username and email in your assertion.

  • Configure Anypoint Platform to map the username and email to the expected attribute name. If you do not configure this setting, login fails with a 403 unauthorized error message.

  • Configure the SAML assertion of the identity provider as signed, but unencrypted. The identity provider issues the SAML assertion as an XML file which is sent through HTTP as a POST request.

Client Considerations

Be aware of the following considerations related to client behavior:

  • User accounts created before configuring your federated organization remain within the organization. However, users can only login through the Anypoint Platform sign in page. They cannot login from the redirected login page of the identity provider.

  • Existing non-federated users can continue to work as normally with the following exceptions:

    • If a user session times out, the user is redirected to the federated identity login page instead of the generic one. Links and bookmarks that identify the organization redirect the user to the federated login page, which fails for non-federated users.

    • If you configure your identity provider to handle user information assertion, users must log into Anypoint Platform using the following URL:

      https://anypoint.mulesoft.com/accounts/login/{your_org_domain}

Limitations

  • OpenID Connect does not support single logout.

  • OpenID Connect does not support role mapping.

  • If a SAML user belongs to certain groups, Anypoint Platform does not automatically grant equivalent roles in the organization.

  • Anypoint Platform does not generate the SAML assertion for single sign on. Your IdP generates the Sign On URL that you configure.

  • Only the SHA-1 algorithm is supported for SAML digital signatures. SHA-256 is not supported.

  • External Identity configuration is available only at the organization level. You cannot configure an external identity provider for a business group.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub