SSO using PingOne (PingIdentity) in Anypoint Platform

In this tutorial we demonstrate how to implement SSO for the MuleSoft Anypoint Platform using PingOne (Ping Identity) as the external identity provider.

First, the terminology used to implement SSO:

  • SSO: Single sign-on (SSO) allows users to sign on to all their applications and services with one set of credentials. It gives employees and customers secure, one-click access from anywhere, on any device, and it reduces the number of separate accounts and passwords they need to manage.
  • Identity Management: You can configure identity management in the MuleSoft Anypoint Platform to set up users for single sign-on (SSO). There are a couple of standards for single sign-on, described next.
  • SAML: Security Assertion Markup Language (SAML) is an XML-based open standard that provides authentication between an IdP and a service provider. It is one of the major authentication protocols in use today and one of the first used for federated access.
  • OpenID: OpenID Connect (OIDC) is an authentication protocol that adds an identity layer on top of the OAuth 2.0 authorization framework; in a way, it is an extension of OAuth 2.0. OIDC is a fully developed protocol for both authentication and authorization, making heavy use of JSON Web Tokens (JWTs) to communicate user attributes between the service provider and the IdP.

The following identity providers support both OpenID Connect and SAML 2.0:

  • PingFederate (versions: 6, 7, 8), PingOne
  • OpenAM (version: 14)
  • Okta
  • Salesforce

PingOne: PingOne for Enterprise delivers one-click access for any user, to any application, on any device. It is a simple and fast way to provide single sign-on (SSO) to an unlimited number of applications. It is an alternative to PingFederate, and currently most companies use PingOne as their external identity provider.

The first step is to configure PingOne as the external identity provider.

Complete the registration for Ping Identity at the URL below:

https://www.pingidentity.com/en/lp/d/p14e-trial.html

Activate the account using the activation email sent to the registered address.

Log in to the Ping Identity admin URL and configure the repository (this is the first step in configuring SSO):

https://admin.pingone.com/web-portal/cas/config/idpng#/summary

We choose P1 (PingOne), the native cloud directory, which offers centralized administration and self-service user registration. Click on P1.

Click on Next

Configure the attributes

Add the user who will be added to the Anypoint Platform and used to log in to it.

Here we configure the user name and password along with the email address.

After the user has been created in PingOne, configure the application for SSO.

Click on New SAML Application.

Proceed to the next step and configure the parameters below:

  • Primary Certificate for SLO – download the certificate from the URL below and import it:

http://docs.mulesoft.com/downloads/access-management/anypoint-platform-slo.pem

Add the application attributes

Add the group access

Review all the configured steps

Download the SAML metadata file; it is used later to configure the SAML identity provider in the Anypoint Platform.

Configuration is complete and the application is active.

Implement SSO Using PingOne (PingIdentity) External Identity Provider

The next step is to configure SAML in the Anypoint Platform.

Log in to the Anypoint Platform, then click Identity Provider -> SAML 2.0.

Import the downloaded file as the IdP metadata (from the previous step); all the entries are filled in automatically.

Provide the Audience (domain-name.anypoint.mulesoft.com).

Click on Create. The identity provider is configured successfully and enabled.
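To make concrete what the metadata import and the Audience field do, here is an added Python example; it is not code from the original post, nor from MuleSoft or Ping Identity. It parses a constructed PingOne-style IdP metadata document the way a service provider does, pulling out the entity ID, the HTTP-POST SSO endpoint and the signing certificate that the Anypoint form fills in automatically, and then applies the issuer, audience and validity-window checks to a constructed SAML assertion. The entity IDs, hostnames, timestamps and certificate body are placeholders; only the audience format (domain-name.anypoint.mulesoft.com, here for the mulesy-07 domain) and the user john.k come from the post.

```python
"""Added example (not from the original post): what a service provider reads
from a SAML IdP metadata file, and the checks it applies to an incoming
assertion before trusting it.  Both XML documents are constructed samples;
entity IDs, hostnames and the certificate body are placeholders."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of an IdP metadata file in the shape an IdP exports.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingone.example/idp/PLACEHOLDER-ENTITY">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.pingone.example/sso/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.pingone.example/sso/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample assertion; the audience follows the post's
# domain-name.anypoint.mulesoft.com format for the mulesy-07 domain.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://pingone.example/idp/PLACEHOLDER-ENTITY</saml:Issuer>
  <saml:Subject><saml:NameID>john.k</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>mulesy-07.anypoint.mulesoft.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_idp_metadata(xml_text):
    """Extract the fields the Anypoint SAML form fills in from the metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    return {
        "entity_id": root.get("entityID"),           # becomes the expected Issuer
        "sso_url": sso.get("Location"),              # where users are sent to log in
        "signing_cert": "".join(cert.text.split()),  # assertion signatures are verified against this
    }


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return a list of problems (empty when the assertion passes).

    Covers issuer, AudienceRestriction and the NotBefore/NotOnOrAfter window.
    Signature verification against the metadata certificate is a separate
    step that must also pass before the NameID is trusted."""
    a = ET.fromstring(xml_text)
    problems = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match metadata entityID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions element"]
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience!r}")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_ts(not_before):
        problems.append("assertion not yet valid (NotBefore)")
    if not_on_or_after and now >= parse_ts(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID :", meta["entity_id"])
    print("SSO URL      :", meta["sso_url"])
    now = parse_ts("2024-01-01T00:01:00Z")
    for audience in ("mulesy-07.anypoint.mulesoft.com", "other-org.anypoint.mulesoft.com"):
        print(audience, "->", check_assertion(SAMPLE_ASSERTION, meta["entity_id"], audience, now) or "OK")
```

The audience check is the reason the form asks for the domain-specific value: an assertion the IdP issued for a different service provider carries a different Audience and is rejected here even though it is otherwise valid and correctly signed. In a real deployment the signature is verified with the certificate taken from the metadata before any of these checks are trusted; the example leaves that step out because it needs a real key pair.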

If you configure your identity provider to handle user information assertion, users must log into Anypoint Platform using the following URL:

https://anypoint.mulesoft.com/accounts/login/{your_org_domain}

Log in to the URL below with the correct domain name (see the Organization configuration to check the domain name):

https://anypoint.mulesoft.com/accounts/login/mulesy-07

It redirects to the identity provider and asks you to change the password; complete the steps below.

Provide the username and password

The user is redirected to the Anypoint Platform; below you can see the login as john.k under the Mulesy organization.

We can also see that the user is provisioned as john.k in the Anypoint Platform, which is visible only to the organization admin.

Ref:

https://docs.mulesoft.com/access-management/sso-prerequisites-about

https://docs.mulesoft.com/access-management/managing-users

https://docs.mulesoft.com/access-management/single-log-out-task

Thank you for taking the time to read the above post. Hope you found it useful. In case of any questions, feel free to comment below. Also, if you are keen on knowing about a specific topic, we are happy to explore your recommendations as well.
For the latest updates or posts on our website, you can follow us on LinkedIn. We look forward to connecting with you there.


Shani Jaiswal
1 year ago

Simple and detailed explanation . Was able to make it work in a single shot without any issues.

Last edited 1 year ago by Shani Jaiswal
Andres
1 year ago

Very well done! *claps*

Excellent tutorials, slick explanation.