Connecting Your APIs with MuleSoft and Salesforce Identity
At their Dreamforce 2018 breakout session, Chuck Mortimore and Ashley Jose show some love for securely connecting users with data using Salesforce Identity and Mulesoft.
What’s MuleSoft again?
If you attended Dreamforce 2018, it was hard to miss MuleSoft. Considering the Integration Keynote: MuleSoft Connects Every App, Data and Device, multiple breakout sessions, and various booths, the MuleSoft Anypoint Platform was well represented. But in case you missed Dreamforce 2018 or you just need a refresher, here’s a brief overview of what the platform is and what it does.
The MuleSoft Anypoint Platform is a single, unified platform for connecting data, apps, and devices. With MuleSoft Anypoint Platform, you can design, deploy, manage, and secure APIs to unlock data distributed across resources, such as SaaS apps or on-premise servers. MuleSoft also offers increased operational efficiency. For example, you can reuse Customer Support’s order fulfillment status API to provide the Marketing department with customer purchasing history. To learn more, check out Getting Started with MuleSoft: A Quick Start Guide for Salesforce Developers.
MuleSoft and Salesforce Identity: Better together
Yes, MuleSoft Anypoint Platform rocks, but it’s even better when combined with the protection of Salesforce Identity — which is what Salesforce uses to secure CRM connections between customers, partners, and employees. Salesforce Identity is a composite of technologies (such as mobile-first identity, two-factor authentication, and single sign-on) that registers, authorizes, and recognizes users across digital channels. So when you combine MuleSoft Anypoint Platform with Salesforce Identity, you can securely connect customers, partners, and employees to the data they need to complete their jobs.
How do I build it?
By combining the awesomeness of MuleSoft Anypoint Platform with the superhero security of Salesforce Identity, you can safely expose your API assets and build accessible and reusable API networks. Follow these steps to configure Salesforce Identity with Mulesoft Anypoint Platform.
Step 1: Configure Salesforce to protect data stored in Anypoint Platform.
Start by calling Salesforce Customer Support to activate dynamic client registration and token introspection. Also, request an initial access token, which you’ll use in step 2. (Spoiler alert: These features will be generally available and you’ll be able to generate an initial access token in a future release.)
Set up single sign-on (SSO), with either SAML or OpenID Connect, using Salesforce as the identity provider. With SSO, your users can log in to Salesforce and access MuleSoft without a separate MuleSoft login.
Create an OAuth 2.0 connected app that integrates MuleSoft with Salesforce. You use the MuleSoft connected app to automatically create additional child connected apps in Salesforce. The child connected apps are needed for consumers to access data. (We’ll talk more about this process below.)
Mulesoft Anypoint Platform connected app created in Salesforce
Finally, configure the dynamic client registration and token introspection endpoints. The MuleSoft parent connected app sends a request to the dynamic client registration endpoint to create a child connected app. The token introspection endpoint allows the MuleSoft parent connected app to check the current state of an OAuth 2.0 access or refresh token for itself or any of its child apps.
Step 2: Configure Anypoint to trust Salesforce.
In MuleSoft Anypoint Platform, click Access Management | External Identity. Define the following parameters to identify Salesforce as an external identity provider:
- In Client Registration URL, enter the Salesforce dynamic client registration endpoint. Use this format: https://hostname/services/oauth2/register
- In Authorization Header, register the initial access token (see step 1).
- In Client ID, enter the unique consumer key generated in Salesforce for your MuleSoft parent connected app.
- In Client Secret, enter the consumer secret generated in Salesforce for your MuleSoft parent connected app.
- In Authorize URL, enter the Salesforce authorization endpoint. Use this format: https://login.salesforce.com/services/oauth2/authorize
- In Token URL, enter the Salesforce URL for token requests. Use this format: https://login.salesforce.com/services/oauth2/token
- In Token Introspection URL enter the Salesforce Token Introspection endpoint. Use this format: https://hostname/services/oauth2/introspect)
Registering Salesforce as an external identity manager in MuleSoft Anypoint Platform
For step-by-step instructions, hop over to MuleSoft Help topic about configuring OpenID Connect dynamically. For more information about Salesforce OAuth endpoints, see Understanding OAuth Endpoints.
Step 3: Protect and deploy your APIs.
In MuleSoft’s API Manager, you can create an API gateway to control access to your APIs through policies. Configure the OpenID Connect Token Enforcement policy to require that consumers provide a valid token (which Salesforce provides upon client registration) to access the asset protected by the API gateway.
And don’t forget to head over to API Designer to build your APIs and publish them to Anypoint Exchange.
Step 4: Sit back and relax.
Now that you’ve configured Salesforce Identity and MuleSoft to protect your API assets and deployed your APIs to the portal, let’s see it all come together with this example.
A customer logs in to your Salesforce community to check the status of a recent snowboard order. Instead of filing a case, the customer clicks a new Order Status button to see how close the snowboard is to being delivered. Here’s what happens behind the scenes.
- The Order Status button calls a web service this is configured via an External Service, which is part of a flow that is embedded in the community. So users run the flow by clicking the Order Status button.
- During runtime, the External Service, acting as the API consumer, queries the API Gateway. In the Gateway, the External Service discovers an API Order Status asset containing data about customer orders. The External Service requests access to the API Order Status asset. (For information about how this external service is configured, watch the recorded session starting nine minutes into it.)
- The MuleSoft OAuth 2.0 parent connected app sends a POST request to the Salesforce dynamic client registration endpoint, requesting to create a connected app for the External Service.
- Salesforce verifies the initial access token in MuleSoft’s POST request authorization header and creates the child connected app. Salesforce then sends back a response with a client ID and client secret for the new connected app.
- The External Service (now a registered connected app) makes a call to the API gateway with its new client ID and client secret. The gateway intercepts the call and engages an OAuth flow. The gateway sends a call to the Salesforce token introspection endpoint to ensure that the new client’s access token is valid.
- Salesforce verifies that the access token is valid, and the API gateway gives the External Service access to the API Order Status asset.
- The External Service pulls back the data for this customer’s order and sends a response.
All this happens within a few seconds after the customer clicks Order Status, and it’s good news: The snowboard has shipped! Even more good news: The customer was able to self-serve because MuleSoft and Salesforce securely connected them to the data that they needed.
High-level architecture for combining Salesforce Identity with Mulesoft Anypoint Platform.
See it for yourself
To see how the feature in the example was configured, along with the high-level steps covered here, watch the recording of this session from Dreamforce 2018.
Want to learn more about MuleSoft? Take the Build Great APIs and Integrations with MuleSoft trail.
Want to learn more about Salesforce Identity? Check out the Secure Identity and Access Management trail and its Identity for Customers module.