Anypoint Access Management Release Notes

A new connected apps scope, Create BGs under a given org, enables you to use apps that have the client_credentials grant type to create business groups.

The interface that’s used to assign permissions to users, teams, and connected apps is enhanced for improved usability.

For newly created organizations, audit logs now have a default retention period of one year. If your organization was created before July 10, 2023 and you did not manually change the retention period, the default retention period is still six years.

When an organization administrator logs in to Anypoint Platform, they are prompted to verify that their organization is compliant with impending multi-factor authentication enforcement.

The modern user interface is now enabled for new organizations by default.

The usability of the Anypoint Platform Sign in screen is enhanced.

The profile linking capability is now available for all organizations globally.

The openid:google_wif scope is now available for use with connected apps. This scope enables you to configure Anypoint as an IdP for Google Cloud by providing an id_token and an access token during the OAuth2 token flow for client_credentials connected apps.

The Audit Log Query endpoint now applies rate limits (requests per minute) per IP address that vary depending on your control plane:

You can now link your SSO login to other Anypoint Platform profiles that share the same email address. An organization administrator must enable this feature. Only identity providers that use OpenID Connect are supported. This feature is available only for organizations located in the EU control plane.

In the Connected Apps audit logs, the Token Retrieval Success and Token Retrieval Failure entries now have clientIP in their payloads.

To enhance accessibility and usability, the Connected Apps feature’s scope workflow has been polished.

The following pages now have sections showing limits imposed by Anypoint Platform:

Organization administrators can now create a custom confidentiality notification that appears when users log in to their organization.

The Audit Log Query API now supports more efficient querying. For more information, see the tutorial in the Audit Logs documentation.

For improved loading times, the pagination on the Audit Logs page has changed to display many instead of listing the number of entries if that number exceeds 10,000.

If your organization has not opted in to the new and improved features, Access Management now prompts you to try the new features and offers UI prompts to enable smooth adoption.

Business group overviews now have the Access Overview section that enables you to view a list of users who have a specified permission across business groups.

When you select a business group in the Business Groups page, the Settings section for that business group opens by default.

Sliders for vCore allocations have been readded to the Settings section of business groups.

To enhance usability, the Teams feature and permissions workflows have been polished.

Audit logs now collect and display data for the connected apps login action via token retrieval success and token retrieval failure.

Multi-factor authentication (MFA) is now required for all non-SSO user accounts unless they are on their organization’s exemption list. At login, Anypoint Platform now prompts users to configure a verification method if they have not already.

You no longer have the option to make MFA optional across your entire organization.

For enhanced security, Anypoint Platform now prompts non-SSO user accounts to verify their email address.

You can now change the retention period for your organization’s audit logs. To change audit log retention periods, you must have the Audit Log Config Manager permission over your root organization.

The Connected Apps feature now includes generated documentation based on supported scopes and permissions. This documentation is accessible in Access Management > Connected Apps > Scopes Documentation tab.

For enhanced security, Access Management might ask users to re-authenticate before they can modify their email addresses. Similarly, Access Management might ask organization administrators to re-authenticate before they can modify their organization users’ email addresses. This change prevents bad actors from taking advantage of stale browser sessions.

User accounts that are added to an existing organization must configure multi-factor authentication (MFA).

When you create a new organization, multi-factor authentication (MFA) is enabled by default. While it is best to use the Connected Apps feature instead of service accounts, an organization administrator can add service accounts or other user accounts without MFA to an exemption list.

You can now check the retention period for your organization’s audit logs using the Audit Logging API.

You can now configure Azure Active Directory (Azure AD) as a client provider. As your client provider, Azure AD provides a stateless microservice to convert OAuth 2.0 client application registration requests to requests supported by Azure AD. Additionally, configuring Azure AD as a client provider enables you to authenticate and and authorize existing API consumers.

When you configure the Issuer field while adding a client provider, such as Okta, that is compatible with this spec, metadata from $ISSUER/.well-known/oauth-authorization-server is discovered and validated prior to merging. Once the validation is complete, a complete list of available grant types appears. If you want to fetch metadata for validation for an existing client provider, save that client provider again, and the validation occurs automatically.
This change makes the client provider registration process smoother for Okta users. Additionally, this change also enables the use of the Client Credentials grant type.

When you use dynamic client registration to configure a client provider, you can now configure the length of time at which a client provider times out. The minimum timeout value is five seconds, and the maximum value is 20 seconds.

Organization administrators can now configure up to 25 SAML 2.0 or OpenID Connect identity providers (IdPs) for single sign-on.

To support multiple external IdPs, there are new endpoints available for the Access Management API; existing identity provider configurations are unaffected.

In Organization settings and Runtime Manager subscription information, the name of VPN counter is now Network Connections. The Network Connections setting enables you to allocate your VPN connections and AWS Transit Gateway attachments in your organization.

Users who have not enabled multi-factor authentication (MFA) will be prompted to enable MFA weekly until they enable it. While MuleSoft recommends enabling MFA on all user accounts (preferably by requiring it for the entire organization), using MFA is still optional.

Deleted federated users are no longer able to sign in from the SSO login page. Organization administrators must re-enable deleted users before they can continue operations on Anypoint Platform.

You can’t create a Business Group name using special characters. Only the following characters are valid: