Configuring SSO When the Identity Provider Is Already Configured for Anypoint Platform

This use case includes instructions for configuring SSO for the portal using an identity provider already configured for Anypoint Platform. This use case also provides instructions for reconciling the username assignment strategy when the usernames for the portal and Anypoint Platform don’t match.

The instructions in this use case use Okta as an example identity provider; however, you can use any identity provider to set up SSO.

Before You Begin

Ensure you have the following setup and context:

  • An identity provider for Anypoint Platform is already configured.

  • The users, or the group of users, who must have access to the application have been created in the identity provider.

  • Understand the roles, permissions, and information that API Experience Hub requires to configure custom user attributes and claims for the identity provider.

Step 1: Enable SSO for Your Portal

In this step, you create and configure an application in the identity provider for the API Experience Hub portal, enable the ability to send group information in the application configuration, configure groups, and map the application to the identity provider for Anypoint Platform. Performing these steps requires you to move back and forth between the applications to copy or add information.

Create and Set Up an Application

Create a new application for the API Experience Hub portal in the identity provider.

  1. In Okta, create an OpenID Connect Web application. For more information, see Create OIDC app integrations.

  2. From the General Settings section, complete the following fields:

    App integration name: Enter a name for the app.

    Grant type: Select Authorization Code.

    Assignments: Select Limit access to selected groups.

    Selected group(s): Enter the name of the group that must have access to the application for API Experience Hub and Anypoint Platform.

  3. Verify that your identity provider sends the expected claims listed in the Before You Begin section.

  4. Configure the claims that the application sends.

    For example, for OpenID Connect, configure the groups claim using the following steps:

    1. In the Sign On tab, OpenID Connect ID Token section, click Edit.

    2. From Groups claim type, select Filter.

    3. From Groups claim filter, enter groups.

    4. Select Matches regex for the expression then enter .* for wildcard.

      Groups Claim Filter Example

Configure an Authentication Provider for Salesforce Using OpenID Connect

You set up the auth provider or SSO settings in Salesforce with the identity provider application information.

  1. From the OpenID Connect application, get these configuration values:

    • Client ID

    • Client Secret

    • Authorize Endpoint URL

    • Token Endpoint URL

    • User Info Endpoint URL

  2. In Salesforce, go to Setup.

  3. In the Quick Find box, enter Auth, and select Auth Providers.

  4. Click New.

  5. In the Provider Type field, select OpenID Connect.

  6. Complete the following fields:

    Provider Type: OpenID Connect

    Name: Enter a name for the provider.

    Consumer Key: Enter the client ID from the identity provider.

    Consumer Secret: Enter the client secret from the identity provider.

    Authorize Endpoint URL: Enter https://{domainofOktaorg}.okta.com/oauth2/v1/authorize.

    Token Endpoint URL: Enter https://{domainofOktaorg}.okta.com/oauth2/v1/token.

    User Info Endpoint URL: Enter https://{domainofOktaorg}.okta.com/oauth2/v1/userinfo.

    Default Scopes: profile openid email groups

    Registration handler: AEHPortalRegistrationHandler

    Execute Registration As: Select an administrator user.

    Salesforce Auth. Provider example

  7. Click Save.

Configure the Redirect URIs for the Portal

To configure the redirects, use both your 15-digit organization ID and your 18-digit organization ID, and add a URL for each organization ID.

  1. In the Okta application, select the General tab.

  2. Add the following URLs for Sign-in redirect URIs:

Map the Application to the Identity Provider for Anypoint Platform

You must map the identity provider ID with the anypoint_idp_id by adding and configuring a new custom attribute called anypoint_idp_id.

In the case that usernames for the portal and Anypoint Platform don’t match, add another custom attribute called anypoint_username to force an update for existing identity provider users to match the identity in the portal to the users in Anypoint Platform.

To map anypoint_idp_id to the Anypoint Platform identity provider ID:

  1. In the Okta application, go to Directory > Profile Editor.

  2. Select the portal application that you just configured.

  3. Click Add Attributes to create a new attribute called anypoint_idp_id.

  4. Complete the following fields:

    Display name: anypoint_idp_id

    Value name: anypoint_idp_id

  5. Save your changes.

  6. Go to Access Management > Identity Providers and click the identity provider.

  7. From the browser URL, copy the 32-digit ID.

    32-digit ID located in the browser URL example

  8. Go to Okta > Directory > Profile Editor and click Mappings.

  9. Paste the ID into the empty field for the new anypoint_idp_id attribute. The ID must be in quotes.

  10. From the yellow arrow drop-down menu, select Apply mapping on user create and update.

    Example of mapped anypoint_idp_id attribute

  11. Click Save Mappings.

  12. Apply the mappings to all users in the profile.

If the user already exists and logs in to the portal before the anypoint_idp_id is set, the default identity provider AEH Users - ${salesforceOrganizationId} is used. To prevent the user from being duplicated, the user isn’t added to the new identity provider specified in the anypoint_idp_id field.

If the user already exists in Salesforce and uses SSO to log in to the portal, the API Experience Hub Member User permission set is assigned to that user (if no permission set is already assigned).

To reconcile the usernames assignment for a single identity in the portal and Anypoint Platform:

  1. In the Okta application, go to Directory > Profile Editor.

  2. Select the portal application that you just configured.

  3. Click Add Attributes to create a new attribute called anypoint_username.

  4. Complete the following fields:

    Display name: anypoint_username

    Value name: anypoint_username

  5. Save your changes.

  6. Click Mappings.

  7. In the empty field of the new anypoint_username attribute, enter String.substringBefore(user.login, "@"). Since Okta usernames are email-based, this expression removes the email domain.

  8. From the yellow arrow drop-down menu, select Apply mapping on user create and update.

    Example of mapped anypoint_username attribute

  9. Click Save Mappings.
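Before switching users over to SSO, it helps to confirm two things this procedure depends on: that the ID token actually carries the email and groups claims with the configured group (the Groups claim filter above), and what the anypoint_username mapping will produce for each login. The following is an added example, not MuleSoft, Okta or Salesforce code; the token is a constructed, unsigned sample, and signature verification is out of scope here.

```python
"""Pre-flight checks for the Okta -> Salesforce -> Anypoint Platform SSO setup.

Added example, not MuleSoft, Okta or Salesforce code. It decodes the payload
of an ID token and checks the claims the portal relies on (email and groups,
with the configured group present), then reproduces the Okta Expression
Language mapping String.substringBefore(user.login, "@") to preview the
anypoint_username each user will receive.
"""
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample ID token (header.payload.signature); the signature is a dummy.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","kid":"example"}'),
    _b64url(json.dumps({
        "sub": "00u1constructed", "email": "jane.doe@example.com",
        "preferred_username": "jane.doe@example.com",
        "groups": ["Everyone", "AEH Members"],
    }).encode()),
    "dummy-signature",
])


def decode_payload(id_token: str) -> dict:
    """Return the ID token payload as a dict (no signature check)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_claims(payload: dict, required_group: str) -> list:
    """List problems that would break the portal's group-based team mapping."""
    problems = [c for c in ("email", "groups") if c not in payload]
    if "groups" in payload and required_group not in payload["groups"]:
        problems.append(f"group {required_group!r} not in groups claim")
    return problems


def anypoint_username(login: str) -> str:
    """Mirror String.substringBefore(user.login, "@") from the Okta mapping.
    Assumption: a login without "@" is returned unchanged."""
    return login.split("@", 1)[0]


if __name__ == "__main__":
    claims = decode_payload(SAMPLE_ID_TOKEN)
    print("problems:", missing_claims(claims, "AEH Members") or "none")
    print("anypoint_username:", anypoint_username(claims["preferred_username"]))
```

Compare the printed anypoint_username with the username shown in Access Management > Users before applying the mapping; if they differ, the identities will not reconcile.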

Step 2: Add Salesforce Identity Providers

Enable the Salesforce identity provider from the API Experience Hub UI. When the identity provider is enabled, users can log in to the portal using this identity provider.

  1. Go to API Experience Hub > User management.

  2. From the User management page, select the Login settings tab.

  3. From the Single sign-on (SSO) section, scroll down to Add Salesforce identity providers section.

  4. Move the slider to Enabled for the Salesforce identity provider you configured in Okta.

Step 3: Add Group Mappings

When setting up SSO for the portal, your users must have an identity in both Salesforce and Anypoint Platform. SSO users are mapped to teams using their group names. You must map your users to teams using Access Management. API Experience Hub provides an out-of-the-box team called AEH Portal - ${salesforceOrganizationId}_${salesforceCommunityId} that is added automatically as a team in Access Management.

Add group mappings by adding the user to the corresponding profile in API Experience Hub:

  1. Go to Access Management > Teams.

  2. Select AEH Portal Guests > AEH Portal Members.

  3. Select External IdP Groups.

  4. From the Group Name field, enter AEH Members.

  5. From the Provider Name field, select the name of the corresponding Salesforce identity provider.

  6. From the Type field, select Member and click Add.

    Access Management group mapping

  7. Click Save Changes.

    The SSO users associated with the group you designated are assigned to the team.

Step 4: Test the SSO Configuration

Verify that the SSO for the portal is configured properly.

  1. In a browser, open an incognito window.

  2. Go to your API Experience Hub portal.

  3. Select the SSO option that you configured.

  4. Log in with a user that belongs to the group you configured in the identity provider for your portal.

  5. Check the visibility of APIs for the user in the portal.

  6. Go to Access Management > Users.

  7. Search using the username to confirm that the user is mapped to the expected identity provider.

  8. Go to the team with the configured group mappings.

    From the Members tab, ensure that you can see your user.