I have worked on an interesting API Management project for one of the leading banks as a Mule Integration Architect, where the requirement was to integrate SSO for the Mule Anypoint platform with Azure Active Directory. I would like to share my experience for the benefit of readers. I will describe the solution architecture for implementing SSO with Azure.
The MuleSoft to Azure Active Directory SSO flow is as follows:
1. The user requests a resource in the Anypoint platform through the browser (i.e. https://anypoint.mulesoft.com/accounts/login/<accountname>).
2. The Anypoint platform redirects the request to the IdP (here Microsoft Azure Active Directory).
3. The user's browser sends an authentication request.
4. The IdP (Azure AD) authenticates the user.
5. The IdP sends a SAML2 assertion.
6. The user sends the SAML assertion response.
7. The Anypoint platform responds with the requested resource.
- Mule Anypoint redirects to Microsoft Azure Active Directory, where enterprise users provide their credentials.
- Azure Active Directory authenticates the user's credentials against its directory and determines the role(s) the user belongs to.
- Azure AD responds with a SAML assertion, which is sent to the Anypoint platform together with the user's AD directory role.
- The authenticated user is mapped to the corresponding role configured in the Mule Anypoint Platform. These roles are configured in the Anypoint platform with different levels of access privileges to resources.
- After successful authentication, the Anypoint platform responds with the resource based on the privileges mapped to the role. Enterprise users should only be able to perform the tasks permitted by the privileges of their roles.
- At this point the user has access to the Mule Anypoint platform. API access needs to be granted separately by a Mule admin user.
- Roles in Azure AD are mapped to the Mule Anypoint default roles. These default roles can also be customized, and a new set of custom roles can be created and correlated with Azure AD groups.
How these roles are mapped to Azure Active Directory
| Mule Default Roles | Description | Azure AD Name | Azure AD Object details |
|---|---|---|---|
| API Creators | API Creators | API-PoC-Development | example: 419dd700-6448-4ec6-b492-6bac432615c1 |
| Cloudhub Developer (Sandbox) | CloudHub for Developers | | |
| Audit Log Viewers | Audit Log Viewers | API-PoC-Support (replaced API-PoC-Security) | |
| Exchange Contributors | Exchange Contributors | | |
| Business User | Business Users | API-PoC-Business | |
| API Versions Owner | Owner of all API versions in the organization | API-PoC-Admin | |
| Cloudhub Admin (Design) | Cloudhub (Design) Admin users | | |
| Cloudhub Admin (Sandbox) | Cloudhub (Sandbox) Admin users | | |
| Cloudhub Admin (UAT) | Cloudhub (UAT) Admin users | | |
| Exchange Administrators | Exchange Administrators | | |
| Organization Administrators | Organization Administrators | | |
| Release-Deployment | For Change Management users | Api-PoC-Deployment | |
| Exchange Viewers | Exchange Viewers | Public | |
| Portals Viewer | Viewer of all portals in the organization | | |
Azure AD object details are the group names created in the Azure portal; MuleSoft default or custom roles should be mapped against the object name in Azure. You can then add user(s) to the AD group, and they will have access only to the Mule Anypoint platform components permitted by the privileges of the mapped Mule role.
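To make the group-to-role mapping concrete, here is an added example (not part of the original post or of the Anypoint platform) that extracts the group object IDs from a SAML assertion and resolves them to the Anypoint roles in the table above. The claim name for groups and all object IDs except the one from the table are assumptions; the assertion is a constructed sample.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name under which Azure AD emits group object IDs (assumed here).
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Azure AD group object ID -> Anypoint role(s), following the table above.
# Only the first object ID comes from the table; the others are constructed placeholders.
GROUP_TO_ROLES = {
    "419dd700-6448-4ec6-b492-6bac432615c1": ["API Creators"],        # API-PoC-Development
    "11111111-1111-1111-1111-111111111111": ["Audit Log Viewers"],   # API-PoC-Support
    "22222222-2222-2222-2222-222222222222": ["Business User"],       # API-PoC-Business
    "33333333-3333-3333-3333-333333333333": ["API Versions Owner"],  # API-PoC-Admin
    "44444444-4444-4444-4444-444444444444": ["Release-Deployment"],  # Api-PoC-Deployment
}

# Constructed SAML assertion fragment: one mapped group and one unknown group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>419dd700-6448-4ec6-b492-6bac432615c1</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def roles_from_assertion(xml_text):
    """Return the Anypoint roles implied by the group claims in an assertion.

    Groups absent from GROUP_TO_ROLES grant nothing, so a user who is only in
    unmapped Azure AD groups ends up with an empty role set. Signature, audience
    and validity-window checks are assumed to have been done before this step.
    """
    root = ET.fromstring(xml_text)
    roles = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUP_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            roles.update(GROUP_TO_ROLES.get((value.text or "").strip(), []))
    return sorted(roles)


if __name__ == "__main__":
    print(roles_from_assertion(SAMPLE_ASSERTION))  # ['API Creators']
```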