
ACM Advanced Configuration guide - How to Configure Impersonation with existing external identity on Anypoint

Publication date: Mar 2, 2024
Steps
Impersonation links each Salesforce Community member to a single Anypoint user. That Anypoint user is then used to connect Anypoint with Community users and their client applications, so that applications are created under the correct Anypoint user and actions in the audit logs are attributed accurately. Impersonation uses SAML, and it requires an Identity Provider (IdP) to be configured in both the Anypoint Platform and the Salesforce organizations.

Generate key pair using Salesforce

  1. Go to Setup (in Salesforce)
  2. Click on Certificate and Key Management
  3. Click Create Self-Signed Certificate
    1. Use ImpersonationKey for both Label and Unique Name.
    2. Make sure that Exportable Private Key is selected.
    3. Click Save
  4. After the certificate gets created, click on Download Certificate.
  5. Go back to the previous screen, and click Export to Keystore. 
  6. Pick any passphrase you want

How To Attach a Public Key to the existing IdP configuration

Since there is no UI for performing this step, it has to be done via API call. If you subsequently modify the IdP configuration via the UI, this will break the configuration and it will need to be recreated.
DANGER: It is also recommended to have an Org Admin who isn't on the IdP and can access the org in case you make a typo. Making a typo here will destroy your IdP configuration and therefore render the platform unable to authenticate users via the IdP.
Please keep the result of each step in this document until you have confirmed that everything works, so that you can look back at what was done if you run into any issues.
1. Obtain an Access Token for performing API calls
    POST /accounts/login HTTP/1.1
    Host: www.anypoint.mulesoft.com
    Content-Type: application/json
    cache-control: no-cache

    {
        "username": "<YOUR USERNAME>",
        "password": "<YOUR PASSWORD>"
    }
2. Obtain the IdP configuration.
    GET /accounts/api/organizations/<YOUR_ORG_ID>/provider/users HTTP/1.1
    Host: anypoint.mulesoft.com
    Authorization: Bearer <YOUR TOKEN>
    cache-control: no-cache
3. Update your IdP configuration. You need to modify the previously obtained configuration until you have something similar to the configuration below.
{
    "allow_new_non_sso_users": true,
    "saml": {
        "issuer": ...,
        "public_key": ...,
        "audience": ...,
        "claims_mapping": {
            "firstname_attribute": "FirstName",
            "lastname_attribute": "LastName",
            "email_attribute": "Email",
            "group_attribute": "Role"
        },
        "name": "SAML 2.0"
    },
    "service_provider": {
        "urls": {
            "sign_on": ...,
            "sign_out": ...
        },
        "name": "SAML Service Provider"
    },
    "type": {
        "description": "SAML 2.0",
        "name": "saml"
    }
}
4. We need to perform a few JSON modifications to that response. First of all, wrap the entire thing in another JSON object under an identity_management field; it should now look like this:
{
    "identity_management": {
        "allow_new_non_sso_users": true,
        "saml": {
            "issuer": ...,
            "public_key": ...,
            "audience": ...,
            "claims_mapping": {
                "firstname_attribute": "FirstName",
                "lastname_attribute": "LastName",
                "email_attribute": "Email",
                "group_attribute": "Role"
            },
            "name": "SAML 2.0"
        },
        "service_provider": {
            "urls": {
                "sign_on": ...,
                "sign_out": ...
            },
            "name": "SAML Service Provider"
        },
        "type": {
            "description": "SAML 2.0",
            "name": "saml"
        }
    }
}
5. After this, we need to change the public_key field from a string into an array. The first element of that array must be the same value from the response, i.e. the current key used by the IdP you have configured. The second element is the key that was generated on Salesforce; take the value from the downloaded CRT file and insert it into the JSON, like this:
{
    "identity_management": {
        "allow_new_non_sso_users": true,
        "saml": {
            "issuer": ...,
            "public_key": [
                "CURRENT KEY",
                "NEW KEY FROM CRT FILE"
            ],
            "audience": ...,
            "claims_mapping": {
                "firstname_attribute": "FirstName",
                "lastname_attribute": "LastName",
                "email_attribute": "Email",
                "group_attribute": "Role"
            },
            "name": "SAML 2.0"
        },
        "service_provider": {
            "urls": {
                "sign_on": ...,
                "sign_out": ...
            },
            "name": "SAML Service Provider"
        },
        "type": {
            "description": "SAML 2.0",
            "name": "saml"
        }
    }
}
6. Now that you have your modified payload, it is time to send it back.
    PUT /accounts/api/organizations/<YOUR_ORG_ID>/provider/users HTTP/1.1
    Host: anypoint.mulesoft.com
    Authorization: Bearer <YOUR TOKEN>
    Content-Type: application/json
    cache-control: no-cache
Remember to also send the JSON you modified as the body of that PUT.
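Steps 2 to 6 above as a script, added here as an example that is not part of the article or of the Anypoint product. It uses only the endpoints shown above and assumes you already hold a bearer token from step 1, that the CRT file downloaded from Salesforce is PEM text, and that the API accepts the new key in the same form (PEM-armored or bare base64) as the key it returned; the original GET response is written to disk before anything is sent, since a malformed PUT destroys the IdP configuration.

```python
import json
import urllib.request

ANYPOINT = "https://anypoint.mulesoft.com"   # host used by the GET and PUT above


def _request(method, path, token, body=None):
    """Send one bearer-authenticated JSON request to the accounts API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ANYPOINT + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def pem_body(crt_text):
    """Drop PEM armor lines and whitespace, leaving the base64 certificate body."""
    lines = [line.strip() for line in crt_text.splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))


def build_update_payload(provider_config, new_cert_text):
    """Steps 4 and 5: wrap the GET response in identity_management and turn
    saml.public_key from a string into [current key, new Salesforce key]."""
    config = json.loads(json.dumps(provider_config))  # deep copy; the saved original stays untouched
    current_key = config["saml"]["public_key"]
    if isinstance(current_key, list):
        raise ValueError("public_key is already an array; refusing to stack a second update")
    if not isinstance(current_key, str) or not current_key.strip():
        raise ValueError("GET response carries no usable saml.public_key")
    # Assumption (not stated in the article): the new key is sent in the same
    # form the API returned, PEM-armored if the current key is, else bare base64.
    new_key = new_cert_text.strip() if "-----BEGIN" in current_key else pem_body(new_cert_text)
    config["saml"]["public_key"] = [current_key, new_key]
    return {"identity_management": config}


def attach_public_key(org_id, token, crt_path, backup_path="idp-config-backup.json"):
    """Steps 2, 3 and 6: GET the IdP config, save it to disk, PUT the modified copy."""
    path = f"/accounts/api/organizations/{org_id}/provider/users"
    original = _request("GET", path, token)
    with open(backup_path, "w") as f:      # keep the untouched config, as the article advises
        json.dump(original, f, indent=2)
    with open(crt_path) as f:
        payload = build_update_payload(original, f.read())
    return _request("PUT", path, token, payload)
```

Keep the backup file until the Salesforce side has been verified; it is the exact body you would PUT back to restore the previous configuration.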

Configure and authorize the OData bridge to perform impersonation.

This requires a private key or a certificate, and a keystore (JKS) containing that key or certificate. Use the same certificate that Salesforce IdP uses.
  1. In Salesforce Setup, search for Certificate and Key Management using the Quick Find box and click Certificate and Key Management
  2. Click Export to Keystore in the Certificates section
  3. Enter a new Password
  4. Click Export
  5. Log in to your Anypoint organization
  6. Go to Access Management → Environments, click Add Environment and provide this information
    1. Set Environment Name to ACM
    2. Click Production
    3. Click Create
  7.  Go to Users and open your user.
    1. Click Secrets Manager
    2. Set Environment to the newly created environment ACM
    3. Select all permissions in Permissions
    4. Click the plus button
  8. To apply these changes, log out and then log back in
  9. Go to Secrets Manager and select the ACM environment using the environment switcher
  10. Click Create Secret Group and enter this information
    1. Set Name to Certificates
    2. Click Secret Group Downloadable
    3. Click Save
    4. Click Keystore
    5. Click Add Keystore
    6. Provide this information
      1. Name: Enter Impersonation
      2. Type: Enter the type of your keystore, which is typically JKS
      3. Keystore File: Choose your keystore file, which is typically the file you exported from Salesforce
      4. Keystore Passphrase: Enter the password you set when exporting the keystore
      5. Alias: Choose the corresponding alias to your key or certificate
      6. Key Passphrase: Create a new Passphrase
      7. Click Save
    7. Click Secret Groups, click Finish on the recently created secret group, and confirm the operation
For detailed information about creating secret groups and adding certificates, refer to Create a Secret Group (Anypoint Platform) 

Map Community user to Anypoint role

  1. In your Anypoint Platform organization, navigate to Access Management and click Roles
  2. In Exchange Viewer, set a new External group called Community User and save it
  3. Finally, reauthenticate the External Data Source within ACM to complete the process.
Knowledge Article Number: 001117205

Salesforce Help | Article