SP or IDP Initiated URL Used in SAML Based Identity Provider Configuration for Mulesoft Access Management

From our documentation on setting up SSO, you will find the following instructions regarding the two configurations on using an SP or IDP-initiated URL in Mulesoft Anypoint Platform.

Single Sign-On Initiation

Specify whether SSO can be initiated by the Anypoint Platform, your identity provider (for example, Okta), or both.

The Service Provider Only option allows only the Anypoint Platform to initiate SSO.

The Identity Provider Only option allows only your external identity provider to initiate SSO.

The Both option allows either Anypoint Platform or your external identity provider to initiate SSO.

The default value for this setting for newly configured identity provider configurations is Both.

SOLUTION

If your IDP metadata file or the SAML coming from IDP has two sign-on URLs, that means they support both IDP and SP-initiated SAML. One URL is the IDP-initiated sign-on URL and the other is the SP-initiated sign-on URL.

The example below is from Salesforce IDP metadata:

IDP Initated 
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://abc.my.salesforce.com/idp/endpoint/HttpPost"/>

SP Initiated
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
Location="https://abc.my.salesforce.com/idp/endpoint/HttpRedirect"/>

• In Anypoint configuration, if "Both" is selected, then the sign-on URL should be the SP-initiated URL. Anypoint always uses SP-initiated URL when both are selected 
  • SP-Initiated SSO Using IDP-Initiated SSO URL Fails with Unauthorized Error
• In  Anypoint configuration, if "SP initiated"  is selected, then the sign-on URL should be the SP-initiated URL.
• In  Anypoint configuration, if "IDP initiated"  is selected, then the sign-on URL should be the IDP-initiated URL.