
Obtaining an API Bearer Token Using a SAML Assertion

Use a SAML 2.0 IdP-initiated SSO assertion to obtain an API bearer token so that federated users in your organization can call Anypoint Platform APIs with it.

Obtaining an API bearer token using a SAML assertion works only for SSO flows that are initiated from an Identity Provider (IdP). The token endpoint accepts only unsolicited assertions, and only an IdP-initiated flow produces one; a response from a service provider-initiated flow is bound to the SP’s authentication request (through its InResponseTo attribute) and is rejected. For more information, see Initiate the SSO Flow with an Identity Provider.

The bearer token provides access to the platform APIs the user has permission to access. Each bearer token is associated with a specific user, who is granted roles and permissions for an API. If a user attempts to access an API that they do not have permission to access, the API returns a 401 Unauthorized error.

The lifetime of the bearer token is determined by the value of the Default Session Timeout property, which is configured in the root organization properties. See Manage Root Business Group Settings for more information.

Initiate the SSO Flow with an IdP

To successfully exchange a SAML assertion for an API bearer token, make sure your SSO flow is initiated from the IdP and not the service provider (SP).

                   SP-Initiated (Standard Login)            IdP-Initiated (Assertion Exchange)

  Starting point   Anypoint Platform signin page            IdP portal or custom script

  InResponseTo     Required                                 Must be empty

  Use case         User signs in on the Anypoint Platform   CLI, scripts, automation
                   signin page

  Result           Browser cookie                           Bearer token

  • Launch Anypoint Platform from your IdP’s portal or use the IdP’s IdP-initiated SSO URL that’s configured for the Anypoint Platform application.

  • Don’t start the SSO flow from Anypoint Platform URLs such as /accounts/login, deep links, or bookmarks to Anypoint Platform services. Those paths won’t produce an assertion that can be exchanged for a bearer token.

  • Check the <samlp:Response> element to ensure it doesn’t include an InResponseTo attribute. IdP-initiated responses are unsolicited and must have an empty InResponseTo, for example:

    <samlp:Response
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <!-- IdP-initiated example: note there is NO InResponseTo attribute on the Response -->
        <saml:Issuer>https://idp.example.com</saml:Issuer>
        <!-- ... -->
    </samlp:Response>

    If InResponseTo is present, the exchange fails with an error similar to: Unauthorized: IDP-initiated SSO – InResponseTo: must be empty.

Obtain an API Bearer Token Using a SAML Assertion

Use an IdP-initiated SAML response to obtain an API bearer token for Anypoint Platform. Capture the Base64-encoded SAML response from your IdP and POST it to the Anypoint Platform token endpoint to receive the token.

  1. Obtain a SAML response for your identity provider as described in View a SAML Response in Your Browser.

    Record this response to use in the following step, and handle it as you would a credential: it is exchangeable for a token, so keep it out of scripts, shell history, and tickets.

  2. Obtain the bearer token by running the following curl command. Replace <SAML_RESPONSE> with the SAML response you obtained in the previous step, and replace :org-domain and :providerId in the URL with your organization domain and the ID of your identity provider.

    The SAML response must be Base64-encoded. If the string you captured is URL-encoded (for example, it contains %2B, %2F, or %3D), URL-decode it before running the curl command.

    curl -X POST \
      https://anypoint.mulesoft.com/accounts/login/:org-domain/providers/:providerId/receive-id \
      -H 'Content-Type: application/json' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -d '{
        "SAMLResponse": "<SAML_RESPONSE>"
    }'
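The InResponseTo check from the list above and the capture, decode, and POST procedure in steps 1 and 2, combined into one script. This is an added example, not code from the Anypoint Platform documentation. It assumes a POSIX shell with base64 -d and curl available, takes the organization domain and provider ID as arguments, reads the SAMLResponse form value exactly as captured from the browser on standard input, and assumes the endpoint’s JSON reply carries the token in an access_token field (the page does not show the reply body, so adjust that if your tenant differs). The embedded sample response is constructed, not captured from a real IdP.

```shell
#!/bin/sh
# Added example (not from the Anypoint Platform docs): prepare a captured SAMLResponse
# for the receive-id exchange and exchange it for a bearer token.
#   1. undo form/URL encoding if the capture is URL-encoded,
#   2. Base64-decode it and refuse a Response that carries InResponseTo
#      (that marks an SP-initiated flow, which the endpoint rejects),
#   3. POST the Base64 string as JSON and extract the token from the reply.
# Assumptions: `base64 -d` and `curl` are available; the reply is JSON with an
# "access_token" field (the docs do not show the reply body, so adjust if needed).

# Undo application/x-www-form-urlencoded escaping for a Base64 string. Base64 only
# ever has '+', '/' and '=' escaped (%2B, %2F, %3D); anything else passes through.
url_decode_b64() {
    printf '%s' "$1" | sed -e 's/%2[bB]/+/g' -e 's/%2[fF]/\//g' -e 's/%3[dD]/=/g'
}

# Base64-decode the response and print the XML; non-zero status on bad input.
decode_saml() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Succeed (0) only when the <samlp:Response> start tag has no InResponseTo
# attribute, i.e. the response is unsolicited. Newlines are folded first because
# IdPs often split the start tag across lines. Fails on undecodable input too.
is_unsolicited() {
    xml=$(decode_saml "$1") || return 1
    start_tag=$(printf '%s' "$xml" | tr '\n' ' ' \
        | sed -n 's/.*\(<[A-Za-z0-9:]*Response[^>]*>\).*/\1/p')
    [ -n "$start_tag" ] || return 1
    case "$start_tag" in
        *InResponseTo=*) return 1 ;;
        *)               return 0 ;;
    esac
}

# POST the Base64 SAMLResponse to the token endpoint for the given org domain and
# identity provider ID and print the bearer token. Base64 contains no characters
# that need JSON escaping, so the body can be built by plain interpolation.
exchange_for_token() {
    org_domain=$1; provider_id=$2; saml_b64=$3
    reply=$(curl -sS -w '\n%{http_code}' -X POST \
        "https://anypoint.mulesoft.com/accounts/login/$org_domain/providers/$provider_id/receive-id" \
        -H 'Content-Type: application/json' \
        -H 'X-Requested-With: XMLHttpRequest' \
        -d "{\"SAMLResponse\": \"$saml_b64\"}") || return 1
    code=$(printf '%s\n' "$reply" | tail -n 1)
    body=$(printf '%s\n' "$reply" | sed '$d')
    if [ "$code" != "200" ]; then
        # e.g. "Unauthorized: IDP-initiated SSO - InResponseTo: must be empty"
        printf 'exchange failed (HTTP %s): %s\n' "$code" "$body" >&2
        return 1
    fi
    # Field name is an assumption; the docs page does not show the reply body.
    printf '%s\n' "$body" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Constructed sample (not a real IdP response): an unsolicited Response, i.e. the
# shape an IdP-initiated flow produces, with no InResponseTo attribute.
SAMPLE_XML='<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0"><saml:Issuer>https://idp.example.com</saml:Issuer></samlp:Response>'
SAMPLE_B64=$(printf '%s' "$SAMPLE_XML" | base64 | tr -d '\n')

# Usage: sh saml_exchange.sh <org-domain> <providerId> < captured-SAMLResponse.txt
# (the file holds the SAMLResponse form value exactly as captured from the browser)
if [ "$#" -eq 2 ]; then
    b64=$(url_decode_b64 "$(cat)")
    if is_unsolicited "$b64"; then
        exchange_for_token "$1" "$2" "$b64"
    else
        echo 'refusing: not valid Base64 SAML, or Response has InResponseTo (SP-initiated)' >&2
        exit 1
    fi
fi
```

Run with no arguments the script only defines the functions and the sample, which is useful for sourcing it from another script. The InResponseTo check is done locally before the network call so that a response captured from the wrong flow is caught without sending it anywhere; when the endpoint does reject a request, the HTTP status and body are printed so the "must be empty" error from the page is visible rather than swallowed by curl.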

After obtaining the bearer token, federated users within your organization can use it to access an API. For example, you can access the API using one of the following methods:

  • Anypoint CLI: A user can access a platform API by supplying the --bearer option to the anypoint-cli command. See Anypoint CLI for more information.

  • curl: A user can access a platform API by passing the bearer token when accessing an API endpoint as shown in the following:

    curl -X GET \
      https://anypoint.mulesoft.com/accounts/api/me \
      -H 'Authorization: Bearer <BEARER_TOKEN>'