Which attributes can Oracle IDCS send to MuleSoft in the SAML assertion?

In this article the attributes added in the IDCS Attribute Configuration are email, firstname, lastname, and Groups. These are the attributes that IDCS sends inside the SAML assertion and that MuleSoft maps into its own attributes; if your table is empty you need to add the needed attributes yourself.

How do I map an Oracle IDCS group to a MuleSoft role?

First create a group in the IDCS console and assign your user to it, taking note of the group name. Then in MuleSoft Anypoint Platform go to the Roles section, click the role (here Cloudhub Admin Sandbox), click "Set external group mapping", type the group name you created at IDCS, choose the Identity Provider, click the add button, and finally click Save.

Why would I map groups to roles instead of assigning MuleSoft roles directly?

Because your users are created and assigned to groups in your Identity Provider, which is the natural place to manage them. By mapping those groups to MuleSoft roles, once a user logs in through the Identity Provider and is authenticated and authorized, they already have their roles assigned and can start working on their duties without you assigning roles directly in MuleSoft.

How do I control which IDCS groups are returned to MuleSoft?

For the Groups attribute the article sets it to Group Membership with the All Groups option selected, which returns all groups the user is a member of. The group filter dropdown also offers Equals and Starts with options, so users can belong to multiple IDCS groups while you filter to return just the ones the application needs; the article returns all of them to keep things practical.

What changes for the user after the attribute and group mapping is configured?

Before the configuration the Oracle IDCS user showed as "unknown unknown" with only the email mapped and only the Cloudhub Admin Design role. After the next login the SAML response from IDCS returns firstname, lastname, email, and the list of groups, so the user's name information is populated and the additional Cloudhub Admin Sandbox role is assigned alongside the Design role.

Anypoint Platform Single Sign-on (SSO) SAML Configuration with Oracle IDCS - PART 2

Ourlast article was about how to integrate MuleSoft Anypoint Platform with Oracle Identity Cloud Services. With this, you can use Oracle IDCS as your Identity Provider. This is very useful for Single Sign-On purposes, and if you already have Oracle Cloud Infrastructure and you are using MuleSoft to integrate it with Oracle SaaS apps, this alternative for SSO should be a good fit for you.

In our last article, we mentioned that we would have a second part where we explain how to map attributes, such as

Email
First name and Last name
Telephone Number
Groups
Etc

Your users are part of Oracle Identity Cloud Services. Some of those users need to enter to MuleSoft Anypoint Platform to perform different activities, like

Design APIs
Browse Exchange
Deploy Applications
Manage your organization

But you don’t want to assign those roles directly on MuleSoft, you want to have that information coming from your Identity Provider; at the end that is the place where you create your users and assign groups. So, it is natural to think that the user is already assigned to groups that can be mapped to your MuleSoft roles. Once the users log in to MuleSoft, through the Identity Provider and it Authenticates/Authorizes them, and finally are able to get into MuleSoft, the expectation is that the users are already assigned to their roles and start working with their duties.

Well, that is something that you can configure between MuleSoft and Oracle IDCS.

Let’s get back to the IDCS console and create a group:

Oracle IDCS Groups list with the Add button highlighted to create a new group

We just need to click on the Add button and create a group:

Add Group step 1 naming the group CloudhubAdminSbx with a description

We are naming the user: CloudhubAdminSbx, and giving a brief description. Then click on Next and let’s assign a user:

Add Group step 2 assigning the user Rolando Carrasco to the new group

In this case, it is me: rcarrascogb2@me.com. Then just click on Finish.

What we have done is to create a new group (take a note of the name because we will use it later to map it inside MuleSoft Anypoint Platform), and we are assigning a user to it.

Now let’s get back to our Application inside IDCS (the one we configured in our previous article), to map attributes and groups. Let’s do it.

IDCS Mule application SSO Configuration page with Attribute Configuration highlighted

In the Attribute configuration, click on it and you will see something like this:

IDCS Attribute Configuration table mapping email, firstname, lastname, and Groups

Your table may be empty and you will need to add the needed attributes, in my case:

email
firstname
lastname
Groups

Those are the attributes that will be sent from IDCS to MuleSoft inside the SAML assertion and MuleSoft will map into its attributes. Take a look at the names, and get back to MuleSoft Anypoint Platform console to the Access Management menu:

Anypoint Access Management Identity Providers list showing Anypoint and Oracle IDCS

We created this configuration in our previous article, click on it. Go almost at the bottom of that page:

Anypoint IdP advanced settings with first name, last name, email, and group attribute fields

Those names are mapped into MuleSoft and they need to match. In IDCS those fields are going to be filled with the user information. If we zoom in to the configuration at IDCS you will see this:

IDCS attribute table with Name, Format, Type, and Value columns color-boxed for emphasis

In orange are the attributes that we want to return, in purple are the format in this case basic. In blue is the type of attribute and finally the value that IDCS will populate on them in red. And for the groups in specific we’ve configured it like this:

Groups attribute set to Group Membership with the All Groups option selected

We are returning all the groups that the user is a member of. We have other options, like:

Group filter dropdown open showing Equals, Starts with, and All Groups options

That means that our users can be assigned into multiple IDCS groups, but we can filter them to return just the ones the application needs. For this article, and to be practical, we are returning all of them.

Everything is in place, our user (rcarrascogb2@me.com) can try to log in to MuleSoft, and not only that will make it through, but at the same type, depending on the list of groups where the user belongs, it will map it into MuleSoft roles.

But the question is: how does MuleSoft know that those group names (which by the way are arbitrary) are getting mapped with their roles? Just go to MuleSoft Anypoint Platform, and go to the Roles section:

Anypoint Access Management Roles list including Cloudhub Admin (Sandbox)

Click on the group Cloud Admin (Sandbox) and you will see this:

Cloudhub Admin (Sandbox) role page with the Set external group mapping link highlighted

Click on “Set external group mapping”, and you will see this:

External IdP Groups dialog mapping group CloudhubAdminSbx to the Oracle IDCS provider

Type the group name that we’ve created at IDCS, choose the Identity Provider, and finally click on the add button.

External IdP Groups dialog after the CloudhubAdminSbx Oracle IDCS mapping is added

Click on Save.

Before testing it, let’s get back to MuleSoft Anypoint Platform, and review the user information:

User Roles tab listing only the Cloudhub Admin (Design) role before login

The user has only that role assigned. But now, after his next login, it will have an additional role (Cloudhub Admin (Sandbox)).

Also, as we saw in our previous article, the user did not have the attributes being mapped:

Users list showing the Oracle IDCS user as "unknown unknown" with only an email mapped

No name (firstname and last name), just the email was mapped. Now the new configuration will populate that information as well as the group.

Let’s see this action, let’s try to log in:

Anypoint Platform sign-in page with a "Continue with Oracle IDCS" button

Click on Continue with Oracle IDCS:

Oracle Cloud login page (in Spanish) with the user's email and password filled in

After we click on login, let’s capture the SAML response from IDCS:

Captured SAML response XML with the firstname, lastname, email, and groups attributes

In pink, you can see that the firstname attribute was returned by Oracle IDCS. With orange (and highlighted in red), you can see the list of groups, including the one we created previously. And in blue we also see the lastname and email attributes being returned.

Now, if we go to the Roles section of the user rcarrascogb2@me.com, we will see that the role has been assigned:

User Roles tab now listing both Cloudhub Admin Sandbox and Design roles after login

With this, you can provision users into your Identity Provider, assign groups at that level and then map them into MuleSoft.

I hope this is useful for you.

Anypoint Platform Single Sign-on (SSO) SAML Configuration with Oracle IDCS - PART 2

FAQs

More from this series