Skip to content

Authenticating the federated users within your organization to access a MuleSoft API & Resources

API Strategy with MuleSoft

Mapping of Federated user within your organization is done by setting the external group mapping in any MuleSoft Anypoint Platform Role. If you want to use such a user to call the platform API, you need to have a valid access token. The steps below would guide you step by step to retrieve the access token for such federated user with an example.


1. Open the Browser Developer Tool. Here in this case I am using Google Chrome. Click “Customize and Control Google Chrome” >> “More Tools” >> “Developer Tools”
Developer tool
2. Prepare the URL<<Domain_Name>> In case the control plain is hosted in EU:<<Domain_Name>>


NOTE: Domain name can be obtained as
Anypoint Platform >> Access Management >> Organizations >> yourMasterOrg, and copy the domain name.

3. Enter the URL in the same Session/Tab where Developer Tool is open. It will be redirected to your IDP’s Single Sign on Page. Enter the IDP Credentials and authenticate yourself.

Copy the SAMLResponse as highlighted above. This SAMLResponse will be used to obtain the Bearer Token.

4. Get the IDP ID: “Access Management” >> “Identity Providers” >> “SAML” >> edit >> “Configuration”

5. Use the Command below to get the bearer token:

curl –location –request POST ‘<Org-ID>/providers/<Provider-ID>/receive-id’ \
–header ‘Content-Type: application/json’ \
–header ‘X-Requested-With: XMLHttpRequest’ \
–data-raw ‘{
    “SAMLResponse”: “<SAML_RESPONSE>”

6. After obtaining the bearer token federated users within your organization can use it to access an API. For example, you can access the API using one of the following methods:

Anypoint CLI: A user can access a platform API by supplying the -bearer option to the anypoint-cli command. See Anypoint CLI for more information.

curl: A user can access a platform API by passing the bearer token when accessing an API endpoint as shown in the following

Example: Get the VPN Tunnel Status

curl –location –request GET ‘<Org-ID>/vpcs/<VPC-ID>/ipsec/<VPN-ID>\’ \
–header ‘Authorization: Bearer 52e94424-ccf62fd57612’ \

NOTE: if the User tries to access something which isn’t allowed by his designated role/permission then API will return 401 unauthorized error.

NOTE: Validity of the bearer token is as per the Default Session timeout property. For More Information. Check Organization Settings


Need help with setting up or optimizing your MuleSoft Anypoint platform? Our 75+ Certified MuleSoft experts have around 25 years of integration experience and can guide you in the most difficult challenges. Contact us to learn more.