-----BEGIN CERTIFICATE----- PUBLIC KEY -----END CERTIFICATE-----
Manual Setup
If you have multiple identity providers in your organization, follow the manual setup instructions.
Prerequisites
To set up the latest version of Anypoint API Community Manager, complete the prerequisite steps and then use the guided setup.
To set up previous versions manually, complete the prerequisite steps and then perform the following steps.
Enable API Community Manager Control Panel
The API Community Manager control panel is the interface your community administrators and operators use to operate your communities. It is available in the App Launcher page, where it is the first icon displayed in the main navigation bar. To ensure that the control panel is available for admin users:
-
In Setup, search for App Manager using the Quick Find box and click App Manager.
-
Locate API Community Manager and, in the menu on the right end of the row, click Edit.
-
Click Navigation Items in the left panel, select ACM Administrator under the Available Items box, and use the arrow buttons to move it to the Selected Items box.
-
Click Save.
-
Click Back at the top right.
-
Log out and log back in to your Salesforce organization.
-
Open App Launcher and click API Community Manager.
-
Verify that the API Community Manager control panel is displayed correctly by navigating to Application Launcher > ACM Administrator.
If you see a message that you have not created a community, then the steps in this task were performed correctly.
Set Up the Data Bridge
The data bridge is the secure connection from Anypoint API Community Manager to your Anypoint Platform organization.
API Community Manager components and data objects use Anypoint Platform as their external data source.
Create a Key Pair
This key pair will be created in Salesforce and used for communication between Salesforce and Anypoint.
-
Click Setup > Security > Certificate and Key Management > Create Self-Signed Certificate.
-
Set Label/Name to
Anypoint
. -
Disable Exportable Private Key.
-
Set Key Size to 2048 or larger.
-
Click Save.
-
Click Download Certificate.
The public key is saved on your local machine, and you will use it in the following steps.
Create Connected App in Anypoint
-
Click Access Management > Connected Apps > Create App.
-
Choose a name.
-
Enable App acts on behalf of a user.
-
In the section Grant types enable JWT Bearer.
-
Copy the public key from the file downloaded in the previous steps and paste it into the public key text area.
The certificate must have the correct format, such as this:
-
Set Website URL to
https://login.salesforce.com
. -
In the section Redirect URIs add
http://localhost
.Connected apps require redirect URIs but this configuration does not use them.
-
In the section Who can use this application? select Members of this organization only.
-
In the section Scopes add Background Access and Full Access.
-
Click Save.
You receive a client ID and a client secret. This configuration uses the certificate and does not use the client secret. Save the client ID so you can use it in the following steps.
Identity Provider Data
The following steps require the identity provider data you prepared in the Installation Prerequisites.
Create Named Credential
The following instructions use URLs for the US cloud that begin with https://anypoint.mulesoft.com/
. If you are using the EU cloud, substitute https://eu1.anypoint.mulesoft.com/
. If you are using MuleSoft Government Cloud, substitute https://gov.anypoint.mulesoft.com/
.
-
Click Setup > Security > Named Credentials.
-
Create a named credential with the name
Anypoint
. -
Set URL to
https://anypoint.mulesoft.com
. -
Go to the Authentication section.
-
Set Identity Type to Per User.
-
Set Authentication Protocol to JWT Token Exchange.
-
Set Token Endpoint Url to
https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token
. -
Set Issuer to the client ID of the connected app you saved previously.
-
Set Per User Subject to one of the following formulas.
The guided setup uses a slightly different formula in the
IDP_ID
field, but either formula works.-
If you are using an identity provider with SAML:
-
To find the identity provider ID, run this request:
curl --location --request GET 'https://anypoint.mulesoft.com/accounts/api/organizations/<YOUR_ORG_ID>/identityProviders' \ --header 'Authorization: Bearer <TOKEN>'
-
Replace
<YOUR_ORG_ID>
with your organization ID and replace<TOKEN>
with your token. In the response, find the line with the provider_id:"provider_id": "01234567-89ab-cdef-0123-456789abcdef",
-
Replace
IDP_ID
with the identity provider ID."v2|IDP_ID|" & $User.Username & "|" & $User.FirstName & "|" & $User.LastName & "|" & $User.Email & "|[\"Community User\"]"
For example:
"v2|83685668-9e8a-49c2-9d9a-7a7c89391cce|" & $User.Username & "|" & $User.FirstName & "|" & $User.LastName & "|" & $User.Email & "|[\"Community User\"]"
-
-
If you are using an identity provider with OpenID Connect, replace
ORGANIZATION_ID
with the organization ID from your Anypoint account."openid-ORGANIZATION_ID|" & $User.Username & "|" & $User.FirstName & "|" & $User.LastName & "|" & $User.Email & "|[\"Community User\"]"
-
-
Set Audiences to
https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token
. -
Set Token Valid for to 60 minutes (the Anypoint default) or less.
-
Set JWT Signing Certificate to the key that you created previously as described in the section Create a Key Pair.
-
In the Callout Options section, enable Generate Authorization Header.
Modify External Data Source
-
Click Setup > Integrations > External Data Source > Exchange.
-
Set URL to
callout:Anypoint/odatabridge/odata.svc/
. -
Go to the Authentication section.
-
Set Identity to Anonymous.
-
Set Authentication Protocol to No Authentication Protocol.
-
Click Save.
-
Click Setup > Integrations > External Data Source > Exchange.
-
In the section Custom HTTP Headers, set X-Auth-Proto to the value
'JWT'
, including the single quotes. -
Click Save.
User Configuration
Give your user the Exchange contributor permission:
-
In your Anypoint Platform organization, click Access Management > Users.
-
Select your user.
-
Click Permissions > Add permissions.
-
Ensure that your user has the permission Exchange Contributor in each business group.
Give community users the Exchange viewer permission:
-
Ensure that you have Exchange Administrator permissions.
-
In your Anypoint Platform organization, navigate to Access Management and click Teams.
-
Create a new team named Community Users.
-
Click Settings.
-
Set the parent team to everyone in the organization.
-
In External IdP Groups, set Group Name to Community User and set Type to Member.
-
Click Permissions > Add permissions and add the permission Exchange Viewer.
When prompted, select all business groups with any assets that you want community users to be able to view.
-
Manually add the permission Exchange Viewer to any users who were invited before you created the team.
After each user logs in to the community, the user is visible in Anypoint Platform.