Mulesoft + WSO2 Identity Server SAML SSO
Introduction
In this article, I am going to explore how to configure SAML SSO between the Anypoint Platform and WSO2 Identity Server.
Necessary Software
You will need the following software for this demo:
- An Anypoint Platform account
- WSO2 Identity Server (https://wso2.com/identity-server/#)
- SAML Tracer plugin (Firefox/Chrome)
Article Division
I will divide the article into the following sections:
Configure WSO2 Identity Server
Configure Anypoint Platform
SAML debugging
Conclusion
Configure WSO2 Identity Server
Download & Run
WSO2 Identity Server is a free, open-source product (I am a former employee of WSO2). You can download it from the link above. I have chosen version 5.11.0.
I have downloaded the zip version of the product. Extract the archive and navigate to the bin directory:
wso2is-5.11.0/bin
Execute the below shell script:
sh wso2server.sh
And done. It will take some time, and then WSO2 Identity Server will be up and running.
Create a user in the WSO2 Identity Server
Browse to the following link, https://localhost:9443/carbon/ , and log in with the default administrator credentials:
Username: admin
Password: admin
Click Users and Roles → Add → Add New User
Provide Username & Password:
Select a role for the user. This role is internal to WSO2 Identity Server, so don't worry about it at this moment.
Click Finish and you are done. Now you can list the users.
Now click the User Profile link at the rightmost corner of the row for the user you created, and fill in this form with some dummy data.
For the sake of simplicity, take note of the Country field. We will use this field to carry the group that will be mapped in the Anypoint Platform. In a real-life scenario you would add a custom claim for this instead, but that is out of the scope of this article.
For now, let's put Mule_Admin in the Country field, and assume that the user belongs to this group. Click Update and you are done.
Configure Service Provider in WSO2
Click Service Providers → Add
Give it some name (e.g. mule-sp) and click Register. You will land on this next page:
Click Inbound Authentication Configuration → SAML Web SSO Configuration → Configure
Fill out this form as shown below:
For Assertion Consumer URLs, add any URL at this moment. We will replace it with the real ACS URL later.
Fill in the later part of the form as shown below.
Enabling Attribute Profile → Include Attributes in the Response Always is important; otherwise the claims we map in the next step will not be sent in the SAML Response.
Register and done.
Click the Download IDP Metadata button. It will download the metadata you need to configure the IdP in the Anypoint Platform.
Claim Configuration
This is the most important part. You must send some necessary attributes/claims of the user to the Anypoint Platform for SSO. In the service provider you created, expand the Claim Configuration section:
Click Define Custom Claim Dialect → Add Claim URI and add/map the below claims:
Here is what happened:
I have mapped the user's country attribute/claim to the ROLE claim of the SP.
I have set the Subject Claim URI to the EMAIL claim of the SP. This is important because the Anypoint Platform requires a mandatory email attribute.
In other words, the user's role/group/profile (or whatever you call it) now arrives at the service provider in the ROLE claim.
Configure Anypoint Platform
In the Anypoint Platform, let's create a SAML 2.0 IDP.
Choose the downloaded metadata.xml and import it. Most of the configuration will be done automatically for you.
Pay attention to the diagram below. It includes all the configuration you must do in the Anypoint Platform.
Now save the configuration.
Open the wso2-idp entry and check that an ACS URL has been created for us.
Copy this URL, go back to WSO2 Identity Server, and edit our Service Provider, replacing the placeholder Assertion Consumer URL we added earlier:
Role mapping
I believe you still remember that the user has a role.
Now this Mule_Admin role must be mapped in the Anypoint Platform. It's easy. I assume you have some teams created in Anypoint. Just map the role as shown below:
Save changes and we are done. Phew!!!
SAML debugging
Get the External IDP sign-in URL from the Access Management → Identity Providers page and let's try it in Firefox.
Keep the SAML Tracer plugin running to capture the requests.
Select the wso2-idp.
And wow! We have landed on the SAML SSO login page of our WSO2 Identity Server. Note that our WSO2 Identity Server is running on our local machine.
Just log in with the user created in the WSO2 Identity Server and voila,
We have successfully logged in to the Anypoint Platform.
Now let's check the SAML data in the SAML Tracer.
Check that all the claims/attributes/fields mapped in WSO2 Identity Server are present in the SAML Response.
Now you know where to troubleshoot if your SAML SSO is not working.
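As an added example (not part of the original article, and not code from WSO2 or MuleSoft), the following Python script automates the check described above and in the Claim Configuration section. Given the SAMLResponse value copied from SAML Tracer, it decodes the base64 POST parameter, pulls out the subject (mapped to EMAIL), the attributes (including the ROLE claim mapped from Country), the audience, the ACS destination and the validity window, and reports which configuration step to revisit when something is missing. The sample response, the issuer and audience strings (localhost, mule-sp), the placeholder ACS URL and the attribute names EMAIL and ROLE are constructed assumptions; the article does not show the exact claim URIs WSO2 emits. The signature check only tests for presence of a Signature element; cryptographic verification is the service provider's job.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Attribute names the SP side expects. Assumption: the article maps the user's
# country to the SP's ROLE claim and the subject to EMAIL but does not print the
# exact claim URIs, so plain names are used here.
REQUIRED_ATTRIBUTES = ("EMAIL", "ROLE")

# Fixed "current time" used when checking the constructed sample below.
SAMPLE_NOW = datetime(2021, 1, 1, 0, 1, tzinfo=timezone.utc)

# Constructed sample (not captured from a real WSO2/Anypoint exchange): a minimal,
# unsigned Response carrying the elements the article's claim mapping should
# produce. Issuer, audience, Destination and timestamps are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2021-01-01T00:00:00Z" Destination="https://anypoint.example/acs-placeholder">
  <saml:Issuer>localhost</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-01-01T00:00:00Z" NotOnOrAfter="2021-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>mule-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="EMAIL"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="ROLE"><saml:AttributeValue>Mule_Admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text: str) -> str:
    """Base64-encode XML the way the browser posts the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(b64: str) -> ET.Element:
    """Decode the SAMLResponse value copied from SAML Tracer into an XML tree."""
    return ET.fromstring(base64.b64decode(b64))


def extract_claims(root: ET.Element) -> dict:
    """Collect the fields that matter when the Anypoint login fails."""
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion in Response (missing or encrypted)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    conditions = assertion.find("saml:Conditions", NS)
    attributes = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "status": status.get("Value", "") if status is not None else "",
        "destination": root.get("Destination", ""),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "attributes": attributes,
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        # Presence only; real signature verification is the SP's job, not this script's.
        "signed": root.find("ds:Signature", NS) is not None
                  or assertion.find("ds:Signature", NS) is not None,
    }


def check_response(claims: dict, expected_issuer: str, expected_audience: str,
                   now: datetime, expected_acs: str = "") -> list:
    """Return human-readable problems; an empty list means the mapping looks right."""
    problems = []
    if not claims["status"].endswith(":Success"):
        problems.append("IdP returned status " + claims["status"])
    if claims["issuer"] != expected_issuer:
        problems.append(f"issuer {claims['issuer']!r} != expected {expected_issuer!r}")
    if expected_acs and claims["destination"] != expected_acs:
        problems.append("Destination does not match the ACS URL configured in the SP")
    if not claims["name_id"]:
        problems.append("Subject NameID empty: check the Subject Claim URI of the SP")
    for name in REQUIRED_ATTRIBUTES:
        if not claims["attributes"].get(name):
            problems.append(f"attribute {name} missing: check Claim Configuration and "
                            "'Include Attributes in the Response Always'")
    if expected_audience not in claims["audiences"]:
        problems.append(f"audience {claims['audiences']} does not include {expected_audience!r}")
    exp = claims["not_on_or_after"]
    if exp and now >= datetime.fromisoformat(exp.replace("Z", "+00:00")):
        problems.append("assertion expired (NotOnOrAfter=" + exp + "): check clock skew")
    if not claims["signed"]:
        problems.append("no XML Signature present: an SP must reject an unsigned response")
    return problems


def demo() -> list:
    """Run the checks over the constructed sample and return the problem list."""
    claims = extract_claims(decode_saml_response(encode_saml_response(SAMPLE_RESPONSE_XML)))
    return check_response(claims, "localhost", "mule-sp", SAMPLE_NOW,
                          expected_acs="https://anypoint.example/acs-placeholder")


if __name__ == "__main__":
    for problem in demo():
        print("-", problem)
```

For a real capture, pass the SAMLResponse string from SAML Tracer to decode_saml_response, then call check_response with the IdP entity ID, the SP name from WSO2 (mule-sp here) and the ACS URL generated by Anypoint. On the constructed sample the only finding is the missing signature, which is expected for a hand-written response and is exactly the kind of gap a debugging tool should surface rather than hide.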
Conclusion
In this article, I have given an overview of how to configure SAML SSO between the Anypoint Platform and WSO2 Identity Server. The configuration is almost the same for any other IdP. I hope it has helped my readers understand the concepts.
Happy learning!!!