
Configuring SSO

Configure identity management in Anypoint Platform and Salesforce to set up users for single sign-on (SSO).

API Experience Hub supports multiple IdPs for SSO.

Before You Begin

Before configuring SSO, ensure you have the following permissions, context, and setup:

  • Organization Administrator permission or role in the main Anypoint Platform organization.

  • System Administrator role in Salesforce.

  • Experience with identity management and setting up identity providers for SSO.

  • Review Access Management’s Identity Provider documentation to understand identity management for Anypoint Platform.

  • In your identity provider, an identity must already exist for every user who needs access to the application. For information, see the identity provider’s documentation.

  • Review the information in Gathering Setup Information for SSO.

Step 1: Enable SSO for Your Portal

SSO requires an identity provider so that Anypoint Platform can create identities for Salesforce users.

In this step, you create an application in the identity provider for the API Experience Hub portal, enable the application to send group information, configure groups, and configure the default identity provider. Performing these steps requires you to move back and forth between Anypoint Platform, Salesforce, and the identity provider application to copy or add information.

Create and Configure an Application

Create and configure an application using one of these example methods:

Okta OpenID Connect

Create a new application for the API Experience Hub portal in the identity provider using OpenID Connect.

  1. In Okta, create an OpenID Connect Web application. For more information, see Create OIDC app integrations.

  2. From the General Settings section, complete these fields:

    App integration name: Enter a name for the app.

    Grant type: Select Authorization Code.

    Assignments: Select Limit access to selected groups.

    Selected group(s): Enter the name of the group that must have access to the application.

  3. Verify that your identity provider sends the expected claims listed in Required Claims and Attributes.

  4. Configure the claims that the application sends.

    For example, for Okta OpenID Connect, configure the groups claim using these steps:

    1. From the Sign On tab, click Edit in the OpenID Connect ID Token section.

    2. From Groups claim type, select Filter.

    3. From Groups claim filter, enter groups.

    4. For the expression, select Matches regex and enter .* as a wildcard. This sends every group the user belongs to. If you narrow the expression later, it must still match every group used in Anypoint Platform group mappings; otherwise the users mapped through an omitted group lose access.

      An example of the Groups Claim Filter

  5. Configure an authentication provider for Salesforce using OpenID Connect.

    You set up the auth provider or SSO settings in Salesforce with the identity provider application information.

    1. From the OpenID Connect application, get these configuration values:

      • Client ID

      • Client Secret

      • Authorize Endpoint URL

      • Token Endpoint URL

      • User Info Endpoint URL

    2. In Salesforce, go to Setup.

    3. In the Quick Find box, enter Auth, and then select Auth. Providers.

    4. Click New and select OpenID Connect for the Provider Type.

    5. Complete these fields:

      Provider Type: OpenID Connect

      Name: Enter a name for the provider.

      Consumer Key: Enter the client ID from the identity provider.

      Consumer Secret: Enter the client secret from the identity provider.

      Authorize Endpoint URL: Enter the authorize endpoint URL from the identity provider.

      Token Endpoint URL: Enter the token endpoint URL from the identity provider.

      User Info Endpoint URL: Enter the user info endpoint URL from the identity provider.

      Default Scopes: profile openid email groups

      Registration handler: AEHPortalRegistrationHandler

      Execute Registration As: Select an administrator user. The registration handler runs with this user’s permissions, so use a dedicated administrator account rather than a personal one.

      An example of Salesforce Auth. Provider

    6. Click Save.

  6. Configure the redirect URIs for the portal.

    Salesforce organization IDs have a 15-character form and an 18-character (case-safe) form. Add a redirect URL for each form of the organization ID.

    1. In the Okta application, select the General tab. Add the following URLs as Sign-in redirect URIs:
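Both forms of the organization ID are needed for the redirect URIs. The following helper is an added example, not code from the original page or from Salesforce: it derives the 18-character case-safe ID from the 15-character one using Salesforce’s suffix scheme (each block of five characters yields one suffix character that records which positions are upper-case), and it rejects an 18-character ID whose suffix does not check out, which catches a value mistyped when copying it from Setup. The sample ID 00D5d000001AbCd is constructed.

```python
# Added helper (not from the original page or from Salesforce): convert between
# the 15-character and 18-character (case-safe) forms of a Salesforce ID.
CASE_SAFE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"


def to_18_char_id(sf_id):
    """Return the 18-character form of a Salesforce ID, validating one if given."""
    if len(sf_id) == 18:
        # Recompute the suffix from the first 15 characters; a mismatch means
        # the ID was mistyped or the case of a character was lost when copying.
        if to_18_char_id(sf_id[:15]) != sf_id:
            raise ValueError("18-character ID has an invalid case-safe suffix")
        return sf_id
    if len(sf_id) != 15 or not sf_id.isalnum():
        raise ValueError("expected a 15-character alphanumeric Salesforce ID")
    suffix = ""
    for chunk_start in (0, 5, 10):
        # Bit j of the chunk's flags is set when character j is upper-case;
        # the resulting 0-31 value indexes the case-safe alphabet.
        flags = 0
        for bit, ch in enumerate(sf_id[chunk_start:chunk_start + 5]):
            if "A" <= ch <= "Z":
                flags |= 1 << bit
        suffix += CASE_SAFE_ALPHABET[flags]
    return sf_id + suffix


def org_id_pair(sf_id):
    """Return (15-character, 18-character) forms, whichever form was supplied."""
    long_id = to_18_char_id(sf_id)
    return long_id[:15], long_id


if __name__ == "__main__":
    # Constructed sample organization ID.
    print(org_id_pair("00D5d000001AbCd"))
```

Paste either form of the organization ID into org_id_pair() and register one redirect URI for each returned value.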

Map the Application to the Identity Provider for Anypoint Platform

NOTE: Skip this step if you’re configuring a new identity provider for Anypoint Platform. Go to Step 2: Add Salesforce Identity Providers.

If an identity provider is already configured for Anypoint Platform, you must map the portal application to that identity provider’s ID by adding and configuring a new custom attribute called anypoint_idp_id.

If usernames for the portal and Anypoint Platform don’t match, add another custom attribute called anypoint_username. It forces an update of existing identity provider users so that the identity in the portal matches the user in Anypoint Platform.

To map anypoint_idp_id to the Anypoint Platform identity provider ID in Okta:

  1. In the Okta application, go to Directory > Profile Editor and select the portal application that you just configured.

  2. Click Add Attributes to create a new attribute called anypoint_idp_id.

  3. Complete these fields:

    Display name: anypoint_idp_id

    Value name: anypoint_idp_id

  4. Save your changes.

  5. Go to Access Management > Identity Providers and click the identity provider.

  6. From the browser URL, copy the identity provider ID (the 32-character ID in the URL).

    An example of the 32-character ID located in the browser URL.

  7. Go to Okta > Directory > Profile Editor and click Mappings.

  8. Paste the ID into the empty field for the new anypoint_idp_id attribute. The ID must be in quotes so that Okta treats it as a string literal rather than as an expression.

  9. From the yellow arrow drop-down menu, select Apply mapping on user create and update.

    An example of a mapped anypoint_idp_id attribute
  10. Save your changes.

  11. Apply the mappings to all users in the profile.

    If a user already exists and logs in to the portal before anypoint_idp_id is set, the default identity provider, AEH Users - ${salesforceOrganizationId}, is used. To prevent duplicate users, that user isn’t added to the new identity provider specified in the anypoint_idp_id field.

    If a user already exists in Salesforce and uses SSO to log in to the portal, the API Experience Hub Member User permission set is assigned to that user (if no permission set is already assigned).

  12. To reconcile the usernames assignment for a single identity in the portal and Anypoint Platform:

    1. In the Okta application, go to Directory > Profile Editor and select the portal application that you just configured.

    2. Click Add Attributes to create a new attribute called anypoint_username.

    3. Complete these fields:

      Display name: anypoint_username

      Value name: anypoint_username

    4. Save your changes.

    5. Click Mappings.

    6. In the empty field of the new anypoint_username attribute, enter String.substringBefore(user.login, "@"). Because Okta usernames are email addresses, this expression removes the domain. Two logins that differ only in their domain therefore map to the same anypoint_username; check for such collisions before you apply the mapping.

    7. From the yellow arrow drop-down menu, select Apply mapping on user create and update.

      Example of a mapped anypoint_username attribute

    8. Save your changes.

Okta SAML

Create a new application for the API Experience Hub portal in the identity provider using SAML. For more information, see Create SAML app integrations in the Okta documentation.

  1. In Okta, create a SAML application and enter a name for it in General Settings.

  2. Select Do not display application icon to users and click Next.

  3. In SAML Settings, complete these fields:

    Single Sign-On URL: Enter the URL for the portal login.

    Use this for Recipient URL and Destination URL: Select this option.

    Audience URI (SP Entity ID): Enter the Salesforce domain with https, for example https://{salesforcedomain}.com.

    Name ID format: EmailAddress

    Application username: Okta username

    Update application username on: Create and update

    An example of SAML Settings

  4. Review Required Claims and Attributes for information about the claims API Experience Hub expects in order to map users in the identity provider correctly.

  5. In the Attribute Statements (optional) section, configure the SAML integration by adding these custom attributes. For supported formats, see the supported format for user attributes listed in Required Claims and Attributes:

    Name | Name format | Value

    first_name | Unspecified | user.firstName

    last_name | Unspecified | user.lastName

    email | Unspecified | user.email

    groups | Unspecified | (",", getFilteredGroups({"00gdkat3p5RCvkQQC5d7", "00gdjgk337kYDxtE35d7"}, "group.name", 40))

    An example of the SAML Attribute Statements

    The example IDs 00gdkat3p5RCvkQQC5d7 and 00gdjgk337kYDxtE35d7 are the Okta IDs of the groups you want to send. Ensure that the filter sends every group used in Anypoint Platform group mappings when you configure Okta in Anypoint Platform. A group omitted here is never seen by Anypoint Platform, so users mapped through it lose access.

  6. Click Next, select I’m an Okta customer adding an internal app and click Finish.

  7. Select the Assignments tab and select Groups.

  8. Click Assign and select Assign to groups.

  9. From the list, click Assign from the row of the specific group and click Done.

  10. Select the Sign On tab, and click View SAML setup instructions to see instructions about how to configure SAML for your application.

    A button that shows the SAML setup instructions
  11. Get this information from the instructions page to configure the Single Sign-on Settings tab in Salesforce:

    • Identity Provider Single Sign-On URL

    • Identity Provider Issuer

    • X.509 Certificate (download the certificate)

      SAML instructions to configure SAML
  12. Go to Salesforce > Setup and search for Single Sign-On Settings.

  13. From Single Sign-On Settings in the Federated Single Sign-On Using SAML section, select SAML Enabled and click Save.

  14. From Single Sign-On Settings, click Edit and complete these fields:

    Issuer: Match the Identity Provider Issuer from the View SAML setup instructions.

    Entity ID: Match the Audience URI (SP Entity ID) you set in the Okta application.

    Identity Provider Certificate: Upload the certificate previously downloaded from the View SAML setup instructions.

    SAML Identity Type: Assertion contains the Federation ID from the User object.

    SAML Identity Location: Identity is in the NameIdentifier element of the Subject statement.

    Identity Provider Login URL: Match the Identity Provider Single Sign-On URL from the View SAML setup instructions.

    Custom Logout URL: Okta URL

    User Provisioning: Enabled

    User Provisioning Type: Custom SAML JIT with Apex handler

    SAML JIT Handler: AEHPortalRegistrationHandler

    Executed Handler As: Select a system administrator. The JIT handler runs with this user’s permissions.

    An example of the SAML Single Sign-On Settings

Microsoft Entra ID SAML for Cloud

Create a new application for the API Experience Hub portal in the identity provider using Microsoft Entra ID. Microsoft Entra ID for OpenID Connect isn’t supported.

  1. In Azure, create a SAML Enterprise application:

    1. Go to the Azure administration portal, or enter https://portal.azure.com in a browser.

    2. Go to Microsoft Entra ID, click + Add, and select Enterprise application.

    3. In Browse Microsoft Entra Gallery, select the Salesforce application.

    4. Enter a name like AEH Portal and click Create.

  2. Configure the single sign-on settings for the application:

    1. From Manage, select Single sign-on and select SAML.

    2. From Basic SAML Configuration, click Edit.

    3. Complete these required fields:

      • Identifier (Entity ID)

      • Reply URL (Assertion Consumer Service URL)

      • Sign on URL

      • Logout Url (Optional)

    4. Save your changes.

  3. Configure the required first name, last name, email, and username claims that the application sends:

    1. From Attributes & Claims, click Edit.

    2. Click Add a group claim, select All Groups or any other option except None, and click Save.

      At least one group must be associated to perform a group mapping in a later step.

    3. Add a new claim for each required claim by clicking + Add new claim and completing these fields for each claim:

      • First Name

        Name: firstName

        Source attribute: user.givenname

      • Last Name

        Name: lastName

        Source attribute: user.surname

      • Email

        Name: email

        Source attribute: user.mail

      • Username

        Name: email

        Source attribute: user.userprincipalname

    4. Save your changes.

  4. If this single sign-on is already configured in Anypoint Platform, map the application to the identity provider for Anypoint Platform using a new custom attribute, anypoint_idp_id.

    1. Click + Add new claim and complete these fields:

      Name: anypoint_idp_id

      Source attribute: "<identity_provider_id>" (the ID must be in quotes so that Entra ID emits it as a constant value)

      To get the identity provider ID, go to Access Management > Identity Providers, click the identity provider, and copy the 32-character ID from the browser URL.

      An example identity provider ID in Access Management

    2. Save your changes.

  5. If usernames for the portal and Anypoint Platform differ, add another custom attribute named anypoint_username. This attribute updates existing identity provider users so that the identity in the portal matches the user in Anypoint Platform.

    1. Click + Add new claim and enter anypoint_username for Name.

    2. From Source, select Transformation and complete these fields:

      Transformation: ExtractMailPrefix()

      Parameter 1: Attribute

      Attribute name: user.mail

      ExtractMailPrefix() strips the domain from the address, so two users whose addresses differ only in their domain map to the same anypoint_username; check for such collisions before you enable the claim.

    3. Click Add.

    4. From Manage claim, save your changes.

  6. Create single sign-on settings in Salesforce:

    1. Select Single sign-on and, in the SAML Certificates section, click Download for Federation Metadata XML.

    2. Go to Salesforce > Setup > Single Sign-On Settings and click New from Metadata File.

    3. From Metadata File, click Choose File, select the Federation Metadata XML file, and click Create.

    4. Complete these fields:

      Name: Enter a name.

      API Name: Enter a name.

      Entity ID: Enter the value from the Azure Enterprise application’s Identifier (Entity ID) field, for example https://<YOUR_DOMAIN>.my.site.com/aeh.

      SAML Identity Type: Assertion contains the Federation ID from the User object.

      Just-in-time User Provisioning: Select User Provisioning Enabled.

      User Provisioning Type: Custom SAML JIT with Apex handler.

      SAML JIT Handler: AEHPortalRegistrationHandler.

      Execute Handler As: Select a system administrator. The JIT handler runs with this user’s permissions.

    5. Save your changes.
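Before enabling an identity provider in Step 2, it is worth checking what the identity provider actually sends against what the sections above configure: the required attributes, the audience (Entity ID), the emailAddress NameID format, the groups that Access Management mappings depend on, the anypoint_idp_id constant, and the username derived by String.substringBefore(user.login, "@") or ExtractMailPrefix(). The following script is an added example, not code from the original page, MuleSoft or Salesforce. It parses a SAML assertion captured from the browser (a constructed sample is embedded; the signature is omitted because Salesforce verifies it against the uploaded identity provider certificate) into the flat claim dictionary a JIT handler sees, then reports each mismatch. The entity ID https://example.my.site.com/aeh, the identity provider ID, the group names and the logins are all assumed sample values; the same check_claims() call also works on a decoded OIDC ID-token payload once its signature has been verified.

```python
# Added example, not code from the original page, MuleSoft or Salesforce.
# Pre-flight check of an SSO assertion for the API Experience Hub portal.
import xml.etree.ElementTree as ET  # fine for XML you captured yourself; use defusedxml for untrusted input

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAME_ID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
OKTA_SAML_REQUIRED = ("first_name", "last_name", "email", "groups")

# Constructed sample assertion (no real capture); all values are assumptions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://www.okta.com/exk_sample</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://example.my.site.com/aeh</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>AEH Members,Developers</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="anypoint_idp_id"><saml:AttributeValue>0123456789abcdef0123456789abcdef</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_to_claims(xml_text):
    """Flatten a SAML assertion into the claim dict the JIT handler sees."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML)
    audience = root.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML)
    claims = {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": audience.text if audience is not None else None,
    }
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
        claims[attr.get("Name")] = values if len(values) > 1 else (values[0] if values else "")
    return claims


def group_list(value):
    """Okta's filter sends one comma-separated value; Entra ID sends one AttributeValue per group."""
    items = value if isinstance(value, list) else str(value).split(",")
    return [g.strip() for g in items if g and g.strip()]


def derive_anypoint_username(login):
    """Same result as Okta's String.substringBefore(user.login, "@") and Entra's ExtractMailPrefix()."""
    return login.split("@", 1)[0]


def username_collisions(logins):
    """Logins that collapse onto the same anypoint_username once the domain is stripped."""
    by_username = {}
    for login in logins:
        by_username.setdefault(derive_anypoint_username(login), []).append(login)
    return {u: ls for u, ls in by_username.items() if len(ls) > 1}


def check_claims(claims, required, entity_id, mapped_groups, idp_id=None):
    """Return the problems that would break or silently degrade the login; [] means usable."""
    problems = []
    for name in required:
        if not claims.get(name):
            problems.append(f"missing required attribute: {name}")
    if claims.get("audience") != entity_id:
        problems.append(f"audience {claims.get('audience')!r} does not match the Entity ID {entity_id!r}")
    if claims.get("name_id_format") != EMAIL_NAME_ID:
        problems.append("NameID format is not emailAddress")
    # A group used in an Access Management mapping but not sent by the IdP
    # silently drops the user from that team.
    sent = set(group_list(claims.get("groups", "")))
    for group in sorted(set(mapped_groups) - sent):
        problems.append(f"group {group!r} is mapped to a team in Access Management but was not sent")
    # A missing or wrong anypoint_idp_id lands the user in the default
    # AEH Users - <org> provider instead of the existing one.
    if idp_id is not None and claims.get("anypoint_idp_id") != idp_id:
        problems.append("anypoint_idp_id missing or wrong: the user lands in the default AEH Users provider")
    return problems


if __name__ == "__main__":
    claims = saml_to_claims(SAMPLE_ASSERTION)
    for problem in check_claims(claims, OKTA_SAML_REQUIRED, "https://example.my.site.com/aeh",
                                ["AEH Members"], "0123456789abcdef0123456789abcdef"):
        print("PROBLEM:", problem)
    print("anypoint_username:", derive_anypoint_username(claims["name_id"]))
```

Run username_collisions() over the logins of the users you assign to the application before applying the anypoint_username mapping; any entry it returns is two identities that would be merged onto one Anypoint Platform user.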

Step 2: Add Salesforce Identity Providers

After the identity provider is configured for Salesforce, add and enable the identity provider from the API Experience Hub UI. When the identity provider is enabled, users can log in to the portal using this identity provider.

  1. Go to API Experience Hub > User management and click Login settings.

  2. From the Single sign-on (SSO) section, scroll to step 2, Add Salesforce identity providers.

  3. Click Select identity provider and select an option from the drop-down menu.

  4. Click + Add identity provider and move the slider to Enabled.

Step 3: Add Group Mappings

When setting up SSO for the portal, your users must have an identity in both Salesforce and Anypoint Platform. SSO users are mapped to teams using their group names. You must map your users to teams using Access Management. API Experience Hub provides an out-of-the-box team called AEH Portal - ${salesforceOrganizationId}_${salesforceCommunityId} that is added automatically as a team in Access Management.

Add group mappings by adding the user to the corresponding profile in API Experience Hub:

  1. Go to Access Management > Teams.

  2. Click AEH Portal Guests and click AEH Portal Members > External IdP Groups.

  3. Complete these fields:

    Group Name: Enter AEH Members, or the exact value that the identity provider sends in the groups claim.

    Provider Name: The name of the corresponding Salesforce identity provider.

    Type: Member

  4. Click Add.

    The External IdP Groups page from Access Management
  5. Save your changes.

    The SSO users associated with the group you designated are assigned to the team.

Step 4: Test the SSO Configuration

Verify that the SSO for the portal is configured properly.

  1. Open an incognito window in a browser and go to your API Experience Hub portal.

  2. Select the SSO option that you configured.

  3. Log in with a user that belongs to the group you configured in the identity provider for your portal.

  4. Check the visibility of APIs for the user in the portal.

  5. Go to Access Management and select Users.

  6. Search using the username to confirm that the user is mapped to the expected identity provider.

  7. Go to the team with the configured group mappings.

    From the Members tab, ensure that you can see your user there.