I have worked on an interesting API Management project for one of the leading banks as a Mule Integration Architect, where the requirement was to integrate the Mule Anypoint Platform with Azure Active Directory for SSO. I would like to share my experience for the benefit of readers. I will describe the solution architecture for implementing SSO with Azure.

The MuleSoft to Azure Active Directory SSO flow is described below.

Sequence of actions:
1. The user requests a resource in the Anypoint Platform through the browser (e.g. https://anypoint.mulesoft.com/accounts/login/<accountname>).
2. The Anypoint Platform redirects the request to the IDP (here Microsoft Azure Active Directory).
3. The user's browser sends an authentication request.
4. The IDP (Azure AD) authenticates the user.
5. The IDP sends a SAML2 assertion.
6. The user's browser sends the SAML assertion response to the Anypoint Platform.
7. The Anypoint Platform responds with the requested resource.
Mule user/role mapping with the Anypoint Platform
  • Mule Anypoint redirects to Microsoft Azure Active Directory, where enterprise users provide their credentials.
  • Azure Active Directory authenticates the user's credentials against its directory store and determines the roles (groups) the user belongs to.
  • Azure Active Directory responds with a SAML assertion, which is sent to the Anypoint Platform together with the AD directory role.
  • The authenticated user is mapped to the corresponding role configured in the Mule Anypoint Platform. These roles are configured in the Anypoint Platform with different levels of access privileges to resources.
  • After authentication succeeds, the Anypoint Platform responds with resources based on the privileges mapped to the role. An enterprise user should only be able to perform the tasks allowed by the privileges of that role.
  • At this point, the user has access to the Mule Anypoint Platform. API access needs to be granted separately by a Mule admin user.
  • Roles in Azure AD are mapped to the Mule Anypoint default roles accordingly. These default roles can also be customized, and a new set of custom roles can be created and correlated against Azure AD.

How these roles are mapped to Azure Active Directory

| Mule Default Role | Description | Azure AD Name | Azure AD Object details |
|---|---|---|---|
| API Creators | API Creators | API-PoC-Development | example: 419dd700-6448-4ec6-b492-6bac432615c1 |
| Cloudhub Developer (Sandbox) | CloudHub for Developers | | |
| Audit Log Viewers | Audit Log Viewers | API-PoC-Support (replaced from API-PoC-Security) | |
| Exchange Contributors | Exchange Contributors | | |
| Business User | Business Users | API-PoC-Business | |
| API Versions Owner | Owner of all API versions in the organization | API-PoC-Admin | |
| Cloudhub Admin (Design) | Cloudhub (Design) Admin users | | |
| Cloudhub Admin (Sandbox) | Cloudhub (Sandbox) Admin users | | |
| Cloudhub Admin (UAT) | Cloudhub (UAT) Admin users | | |
| Exchange Administrators | Exchange Administrators | | |
| Organization Administrators | Organization Administrators | | |
| Release-Deployment | For Change Management users | Api-PoC-Deployment | |
| Exchange Viewers | Exchange Viewers | Public | |
| Portals Viewer | Viewer of all portals in the organization | | |

The Azure AD object details are the object IDs of group names created in the Azure portal; MuleSoft default or custom roles should be mapped against the corresponding object in Azure. You can then add users to the AD group, and they will have access only to those components of the Mule Anypoint Platform that the privileges of the mapped Mule role allow.
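To make the mapping described above concrete, here is an added example (not code from the original post, nor MuleSoft's or Microsoft's own implementation) of what the service-provider side does with an assertion once it arrives in step 6: check issuer, audience and validity window, pull the group object IDs out of the group claim, and translate them into Anypoint roles using the table above. It assumes Azure AD's default group claim name (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups), a hypothetical issuer and audience, and placeholder object IDs for every group except the one the table actually lists; the sample assertion is constructed and unsigned, and XML signature verification, which a real SP must do before trusting any of these fields, is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed claim name: Azure AD's default SAML claim for group membership, whose
# values are the group object IDs shown in the "Azure AD Object details" column.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Group object ID -> Anypoint role. The first ID is the one on the page; the other
# two are constructed placeholders standing in for API-PoC-Business and API-PoC-Admin.
GROUP_TO_ROLE = {
    "419dd700-6448-4ec6-b492-6bac432615c1": "API Creators",        # API-PoC-Development
    "11111111-1111-1111-1111-111111111111": "Business User",       # API-PoC-Business (placeholder)
    "22222222-2222-2222-2222-222222222222": "API Versions Owner",  # API-PoC-Admin (placeholder)
}

# Hypothetical values the service-provider side would be configured with.
EXPECTED_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
EXPECTED_AUDIENCE = "https://anypoint.mulesoft.com/accounts/login/example-org"


def _saml_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(root, now):
    """Check issuer, audience and validity window; raise ValueError on any mismatch.

    Signature verification is not shown; a real SP (Anypoint included) must verify
    the IdP's XML signature before trusting any of the fields checked here.
    """
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if now < _saml_time(cond.get("NotBefore")) or now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")

    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError(f"assertion not intended for {EXPECTED_AUDIENCE!r}")


def extract_groups(root):
    """Return the group object IDs carried in the groups claim (empty if absent)."""
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return groups


def map_groups_to_roles(groups):
    """Translate Azure AD group IDs to Anypoint roles; unmapped groups grant nothing."""
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


def roles_for_assertion(xml_text, now):
    """Validate an assertion and return the Anypoint roles the user should receive.

    `now` may be a timezone-aware datetime or a SAML-style UTC timestamp string.
    """
    if isinstance(now, str):
        now = _saml_time(now)
    root = ET.fromstring(xml_text)
    validate_conditions(root, now)
    return map_groups_to_roles(extract_groups(root))


# Constructed, unsigned sample assertion: alice is in the API-PoC-Development group,
# the placeholder API-PoC-Business group, and one group with no Mule mapping at all.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://anypoint.mulesoft.com/accounts/login/example-org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>419dd700-6448-4ec6-b492-6bac432615c1</saml:AttributeValue>
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(roles_for_assertion(SAMPLE_ASSERTION, "2024-01-01T00:01:00Z"))
```

Two things worth noticing: a group with no entry in the mapping grants nothing rather than falling back to a default role, and the same assertion presented outside its NotBefore/NotOnOrAfter window or with a different audience is rejected outright, which is why the mapping table should be the only place a group becomes a privilege.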