Author: Vaibhav Patkar

This article walks through the configuration needed to use the AWS Single Sign-On (SSO) service to log in to the MuleSoft Anypoint Platform. AWS SSO is the identity provider that will manage the identities used to access the MuleSoft Anypoint Platform.

Benefits of Identity Management

  1. All users and groups can be defined on the AWS side
  2. Centralized user and group management for all IT applications in an organization, including MuleSoft Anypoint Platform
  3. No need to maintain separate credentials for accessing the MuleSoft Anypoint Platform
  4. Single landing page to access all SSO enabled applications of an organization

Prerequisites

  1. An AWS account and an AWS organization must exist. If an organization is not present, create one by following the steps in the document – https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html
  2. A MuleSoft Anypoint Platform account with administrator access
  3. Two environments should be created in the Anypoint Platform account – development and UAT. We will use these environments to enable role-based access for users from AWS SSO

Key Components

  1. MuleSoft Anypoint Platform – An enterprise platform for designing, developing, and managing organization-wide APIs and integrations
  2. SAML – Security Assertion Markup Language (SAML) is an industry standard for logging users into applications based on their sessions in another context. This standard is widely used for single sign-on (SSO) and has significant advantages over logging in with the traditional username/password combination
  3. AWS Single Sign-On – A service provided by AWS to centrally manage access to multiple AWS accounts and business applications. It provides users with single sign-on access to all their assigned accounts and applications from one place

Enabling AWS SSO

  1. Sign in to the AWS Management Console with your AWS Organizations management account credentials
  2. Open the AWS SSO console
  3. Choose Enable AWS SSO. This will take a few seconds. Once SSO is enabled you will see the screen below –
  4. Note down the User Portal URL. This is the URL that will be used to sign in to AWS SSO

AWS SSO – Creating application for MuleSoft Anypoint Platform

  1. Navigate to Applications and click Add a new application
  2. Search for Anypoint in the search bar. The search result screen should display the MuleSoft Anypoint application. Select this application and click the Add application button in the bottom right corner
  3. In the AWS SSO Metadata section, click the download link next to the AWS SSO SAML metadata file. Save this file on your system. It will be used later to configure the Anypoint Platform
  4. Log in to the Anypoint Platform. Navigate to Access Management -> Identity Providers. Click SAML 2.0 in the Identity Providers dropdown
  5. In the configuration screen, for the Import IdP Metadata section, click the Choose file button. Upload the file downloaded in the previous step. This should auto-populate most of the fields on the configuration screen
  6. For the Audience field, copy the last part of the value in the Issuer field and append .anypoint.mulesoft.com to it

For the Group Attribute field, enter the value role.

Click the Create button.

  7. Edit the newly created configuration. Click the link for Anypoint service provider metadata. This will download the Anypoint metadata file. Save it on your system.
  8. Go back to the AWS SSO page. Navigate to Applications -> MuleSoft Anypoint. Click the link highlighted below to upload the Anypoint metadata file from the previous step.

Click Save Changes

  9. Click the Attribute mappings tab. Replace the value of the role key with ${user:groups} and click the Save changes button. This attribute will be used to map AWS SSO groups to Anypoint Platform roles

AWS SSO – Creating User and Groups

We will create a group in AWS SSO named MuleSoft-Developers-UAT. Any user added to this group will have access to the UAT environment in the Anypoint Platform.

Steps

  1. Click the Groups menu and click the Create group button

Add the Group name and Description and click the Create button.

  2. Click the newly created group to open it
  3. Note the Group ID of the group. This will be needed when configuring the corresponding role in the Anypoint Platform.
  4. Select the Users menu and click the Add user button
  5. Add a new user with details as shown below –

Click the Next: Groups button

  6. Select the checkbox for the MuleSoft-Developers-UAT group and click the Add user button

This will add the new user and assign it to the group.

Note down the login details for the new SSO user from the screen below

  7. Navigate to Applications -> Assigned users tab. Click the Assign users button.

Select the Groups tab, select the MuleSoft-Developers-UAT group and click the Assign users button.

Anypoint Platform – Role Mapping

When a user logs in through AWS SSO, the SAML assertion carries a role (MuleSoft-Developers-UAT in our case) assigned to them. This is the group defined on the AWS SSO side. In the Anypoint Platform, we need to map this external group to a role defined in the Anypoint Platform.

Steps

  1. Log in to the Anypoint Platform and navigate to Access Management -> Roles. Click Add role
  2. Add the role details as below –

Role Name – MuleSoft UAT

Role Description – Role that maps to the AWS SSO MuleSoft-Developers-UAT group

Click the Add role button

  3. Open the newly created role and click the link Set external group mapping

Enter the external group name as – <Group ID of the group MuleSoft-Developers-UAT in AWS SSO>. Click the Set names button.

  4. For the newly created MuleSoft UAT role, click Runtime Manager and assign the UAT environment with all permissions as per the screenshot below
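As an added illustration (not code from the article or from AWS or MuleSoft), the following Python sketches what the SAML assertion carries after the role attribute is mapped to ${user:groups}, and how the external group mapping set above resolves a group ID to an Anypoint role and its environment. The assertion XML, issuer, group ID and the two mapping dictionaries are constructed placeholders standing in for the real AWS SSO and Anypoint configuration.

```python
# Added example (not from the article): inspect a SAML assertion of the shape
# AWS SSO sends after the attribute mapping, and resolve the asserted group IDs
# through an external-group mapping the way the Anypoint role setup does.
# All values below are constructed for illustration.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the "role" attribute carries ${user:groups}, i.e. the
# AWS SSO Group IDs of the user, and the Audience follows the article's rule.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://portal.sso.example.amazonaws.com/saml/assertion/EXAMPLE-ISSUER-ID</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>EXAMPLE-ISSUER-ID.anypoint.mulesoft.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>group-id-uat-0001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-ins for "Set external group mapping" and the role's
# Runtime Manager permissions: AWS SSO Group ID -> Anypoint role -> environments.
EXTERNAL_GROUP_MAPPING = {"group-id-uat-0001": "MuleSoft UAT"}
ROLE_ENVIRONMENTS = {"MuleSoft UAT": {"UAT"}}

def expected_audience(issuer):
    """Audience as the article derives it: the last part of the Issuer
    value followed by .anypoint.mulesoft.com."""
    return issuer.rstrip("/").rsplit("/", 1)[-1] + ".anypoint.mulesoft.com"

def parse_assertion(xml_text):
    """Return (issuer, audiences, role attribute values) from the assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    roles = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    return issuer, audiences, roles

def resolve_environments(xml_text):
    """Environments the asserted groups grant; empty when the audience does
    not match this Anypoint organization or no asserted group is mapped."""
    issuer, audiences, roles = parse_assertion(xml_text)
    if expected_audience(issuer) not in audiences:
        return set()  # assertion was issued for a different service provider
    envs = set()
    for group_id in roles:
        role = EXTERNAL_GROUP_MAPPING.get(group_id)
        if role:  # an unmapped Group ID grants no Anypoint role at all
            envs |= ROLE_ENVIRONMENTS.get(role, set())
    return envs
```

A user whose AWS SSO group is not listed in the external group mapping gets no environment access, which is exactly what the Runtime Manager check in the testing section below verifies.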

Testing SSO Configuration

To test whether our SSO configuration is working properly, follow the steps below –

  1. Open the SSO Sign In URL in a new browser window. You can get this URL by following the navigation – AWS SSO -> Settings -> User Portal URL

You will see a screen like –

  2. Enter the username for the user you created earlier
  3. Enter the password that was generated earlier when we created the user and click Sign in.
  4. Set a new password for this user
  5. You should see the screen below on successful login
  6. Click the MuleSoft Anypoint tab shown on the screen. You should be signed in automatically to your Anypoint Platform and should see the screen below
  7. To check whether the role assignment is successful, navigate to Runtime Manager. You should see the screen below, which confirms that the user has access only to the UAT environment
  8. Click the UAT environment and you should be able to see all the applications deployed to this environment

This confirms that the role assignment was successful.
