Anypoint Access Management Release Notes

In addition to Authorization Header, you can now use short-lived bearer access tokens when configuring an external OpenID Connect (OIDC) identity provider (IdP). This method enhances security by allowing you to control the token lifespan and restrict scopes to only those that are necessary.

You can now choose the client secret expiration duration when you configure a Microsoft Entra ID client provider.

Connect your Anypoint Platform organization with trusted Salesforce organizations.

Enable, remove, and repair connections to Salesforce organizations.

Enable Einstein for Anypoint Code Builder through a free, shared trial Salesforce organization.

View capabilities, such as invocable actions and Einstein that are enabled for your Anypoint Platform organization through a connected Salesforce organization.

You can now access the Settings page tab for users in three different ways:

The ability to add new PingFederate client providers is deprecated. You can continue to use and manage existing PingFederate client providers.

The Audit Log Query API now returns versioned object information, which is captured at the time of log generation. Previously, queries returned only the latest object information, and you had to opt in to receive versioned information. This enhancement is now standard for query results. However, the data model for query results remains unchanged.

You can now update Azure AD Client secrets in Anypoint Platform access management. For more information, see Client Secrets.

You can now manage connected apps at the business group level. Previously configured connected apps are automatically associated with your root organization. Note that users who have the Organization Administrator permission in a business group can manage only the connected apps that are configured within the respective business group.

The Audit Log Query API now enables you to specify a query parameter when you call the API. This opt-in feature enables API responses to include versioned object information that was captured when the audit log was generated. For more information, see the Audit Log Query API in Exchange.

The Telemetry Exporter feature in Anypoint Monitoring enables you to export audit log data to third-party analytics and observability apps.

The modern UI is now the only Access Management experience for all organizations. Organizations that had access to the legacy UI can no longer switch to this view. The modern UI includes the following enhancements:

As part of the modern UI adoption, the following features and functions have moved:

As part of the modern UI adoption, the following features have been deprecated:

The Anypoint Platform Sign Up page includes the following new fields:

The connected app scope assignment, Permission changes, now logs audits together under a single entry with the corresponding sub-action (Add assignments, Replace assignments, and Delete assignments) instead of multiple entries for each assignment.

The modern UI is now the default Access Management experience for all organizations. The modern UI provides a more accessible and intuitive user experience while enabling you to use additional features, such as custom confidentiality notifications and limits pages across Access Management.

A new connected apps scope, Create BGs under a given org, enables you to use apps that have the client_credentials grant type to create business groups.

The interface that’s used to assign permissions to users, teams, and connected apps is enhanced for improved usability.

For newly created organizations, audit logs now have a default retention period of one year. If your organization was created before July 10, 2023 and you did not manually change the retention period, the default retention period is still six years.

When an organization administrator logs in to Anypoint Platform, they are prompted to verify that their organization is compliant with impending multi-factor authentication enforcement.

The modern user interface is now enabled for new organizations by default.

The usability of the Anypoint Platform Sign in screen is enhanced.

The profile linking capability is now available for all organizations globally.

The openid:google_wif scope is now available for use with connected apps. This scope enables you to configure Anypoint as an IdP for Google Cloud by providing an id_token and an access token during the OAuth2 token flow for client_credentials connected apps.

The Audit Log Query endpoint now applies rate limits (requests per minute) per IP address that vary depending on your control plane:

You can now link your SSO login to other Anypoint Platform profiles that share the same email address. An organization administrator must enable this feature. Only identity providers that use OpenID Connect are supported. This feature is available only for organizations located in the EU control plane.

In the Connected Apps audit logs, the Token Retrieval Success and Token Retrieval Failure entries now have clientIP in their payloads.

Access Management’s modern UI is now enabled by default for new organizations. Organizations that still use the legacy UI can migrate to the modern UI using the Try New Features dialog in the Access Management navigation menu.

To enhance accessibility and usability, the Connected Apps feature’s scope workflow has been polished.

The following pages now have sections showing limits imposed by Anypoint Platform:

Organization administrators can now create a custom confidentiality notification that appears when users log in to their organization.

The Audit Log Query API now supports more efficient querying. For more information, see the tutorial in the Audit Logs documentation.

For improved loading times, the pagination on the Audit Logs page has changed to display many instead of listing the number of entries if that number exceeds 10,000.

If your organization has not opted in to the new and improved features, Access Management now prompts you to try the new features and offers UI prompts to enable smooth adoption.

Business group overviews now have the Access Overview section that enables you to view a list of users who have a specified permission across business groups.

When you select a business group in the Business Groups page, the Settings section for that business group opens by default.

Sliders for vCore allocations have been readded to the Settings section of business groups.

To enhance usability, the Teams feature and permissions workflows have been polished.

Audit logs now collect and display data for the connected apps login action via token retrieval success and token retrieval failure.

Multi-factor authentication (MFA) is now required for all non-SSO user accounts unless they are on their organization’s exemption list. At login, Anypoint Platform now prompts users to configure a verification method if they have not already.

You no longer have the option to make MFA optional across your entire organization.

For enhanced security, Anypoint Platform now prompts non-SSO user accounts to verify their email address.

You can now change the retention period for your organization’s audit logs. To change audit log retention periods, you must have the Audit Log Config Manager permission over your root organization.

The Connected Apps feature now includes generated documentation based on supported scopes and permissions. This documentation is accessible in Access Management > Connected Apps > Scopes Documentation tab.

For enhanced security, Access Management might ask users to re-authenticate before they can modify their email addresses. Similarly, Access Management might ask organization administrators to re-authenticate before they can modify their organization users’ email addresses. This change prevents bad actors from taking advantage of stale browser sessions.

User accounts that are added to an existing organization must configure multi-factor authentication (MFA).

When you create a new organization, multi-factor authentication (MFA) is enabled by default. While it is best to use the Connected Apps feature instead of service accounts, an organization administrator can add service accounts or other user accounts without MFA to an exemption list.

You can now check the retention period for your organization’s audit logs using the Audit Logging API.

You can now configure Azure Active Directory (Azure AD) as a client provider. As your client provider, Azure AD provides a stateless microservice to convert OAuth 2.0 client application registration requests to requests supported by Azure AD. Additionally, configuring Azure AD as a client provider enables you to authenticate and authorize existing API consumers.

When you configure the Issuer field while adding a client provider, such as Okta, that is compatible with this spec, metadata from $ISSUER/.well-known/oauth-authorization-server is discovered and validated prior to merging. Once the validation is complete, a complete list of available grant types appears. If you want to fetch metadata for validation for an existing client provider, save that client provider again, and the validation occurs automatically.
This change makes the client provider registration process smoother for Okta users. Additionally, this change also enables the use of the Client Credentials grant type.

When you use dynamic client registration to configure a client provider, you can now configure the length of time at which a client provider times out. The minimum timeout value is five seconds, and the maximum value is 20 seconds.

Organization administrators can now configure up to 25 SAML 2.0 or OpenID Connect identity providers (IdPs) for single sign-on.

To support multiple external IdPs, there are new endpoints available for the Access Management API; existing identity provider configurations are unaffected.

In Organization settings and Runtime Manager subscription information, the name of VPN counter is now Network Connections. The Network Connections setting enables you to allocate your VPN connections and AWS Transit Gateway attachments in your organization.

Users who have not enabled multi-factor authentication (MFA) will be prompted to enable MFA weekly until they enable it. While MuleSoft recommends enabling MFA on all user accounts (preferably by requiring it for the entire organization), using MFA is still optional.

Manage users and permissions across multiple business groups

Define permissions and then assign them to multiple users in one click

Set global permissions (for example, give everyone in your organization the Exchange Viewer permission)

Share Exchange assets with a specific group of users

You can now enable multi-factor authentication (MFA) as a sign-in requirement across your entire organization.

You can now easily rotate SAML 2.0 SSO keys. You can generate a key or upload an existing public/private key pair.

Organization administrators can configure whether SAML SSO can be initiated by Anypoint Platform (service provider-initiated SSO), their external identity provider (identity provider-initiated SSO), or both.

You can now log in using SSO from the Anypoint Platform login page via your organization’s domain. This domain is available on your user profile page.

When the permission scopes change for an approved connected app, an organization administrator must approve the new set of scopes.

A VPN counter is added under Business Group settings to allow a fine-grained allocation of purchased VPNs within your organizations.

Audit log dates now display a timestamp for a year.

When configuring an external identity provider, users can now disable server certificate validation. See Configure OpenID Connect Client Management.

Enablement of non-SSO users for your organization allows organization administrators to invite and authenticate users outside of the external SSO configured for your organization.

Organization administrators can enable and disable automapper capability for Flow Designer under the organization settings in Access Manager. See the Flow Designer documentation for more information.

You can enable client deletion in Anypoint Platform, which allows deletions of clients within Anypoint Platform. See Configure OpenID Connect Client Management.

You can enable client deletion and updates in IdP, which allows updates and deletions of external clients in the configured IdP through an outbound call made by Anypoint Platform. To use this feature, you should opt-in to client deletion within Anypoint Platform.

The Audit Log screen and a downloadable CSV file now include environment names for events from API Manager, Runtime Manager, CloudHub, Partner Manager, and MQ.

Access Management Overview