Ping Federate token exchange with MuleSoft


When your organisation is implemented with Identity federation, accessing Mulesoft’s core API’s would be very much different than the organisation without any id federation.

Below are the steps to get the core api access for organisations with id federations enabled


  1. Start with a client application in the Anypoint Platform. Below is my client.

curl -H “Authorization: bearer be26266a-e5cb-49ad-ad21-12341a7be262”



“client_id”: “622b317fc89b4750a3be8d34ceb8dd11”,

“client_secret”: “OMITTED”,

“name”: “test sso”,

“redirect_uris”: [“,“,


“grant_types”: [




“org_id”: “ee85d185-ed55-419a-8ca0-fda90872691d”,

“user_id”: null



  1. Get a token from the PF for the user. Below is one way to do this.

curl -X POST -d ‘client_id=622b317fc89b4750a3be8d34ceb8dd11&client_secret=OMITTED&username=chris.mordue&password=OMITTED&grant_type=password’ -k






  1. Exchange the PF token for a CS token

curl -X POST -d ‘client_id=622b317fc89b4750a3be8d34ceb8dd11&client_secret=OMITTED&grant_type=urn:ietf:params:oauth:grant-type:exchange_token&token=Q7fU5c3KPoeI1vAdHrVLoeW8hBFM’






  1. Validate the token works with CS and is associated with the user

curl -H “Authorization: bearer 720ebeb3-22eb-4f2f-b796-123bb6dba05e”



“access_token”: {

“access_token”: “720ebeb3-22eb-4f2f-b796-123bb6dba05e”,

“expires_in”: 3527


“user”: {

“id”: “9afbd876-f884-4cb5-8435-fd41d10e55be”,

“createdAt”: “2014-10-17T04:26:41.507Z”,

“updatedAt”: “2014-11-19T23:08:42.017Z”,

“firstName”: “Chris”,

“lastName”: “Mordue”,

“email”: ““,

“phoneNumber”: “111-111-1111”,

“username”: “chris.mordue”,

“enabled”: true,

“deleted”: false,

“organization”: {

“name”: “MuleSoft QA Federated”,

“id”: “ee85d185-ed55-419a-8ca0-fda90872691d”,

“createdAt”: “2014-08-13T22:45:27.593Z”,

“ownerId”: “f4b028f4-d83c-438e-b483-746d9a8fceb6”,

“updatedAt”: “2014-11-20T18:27:48.800Z”,

“clientId”: “c1a6770a52764e2da655de3f07f28f12”,

“domain”: “mulesoft-qa-federated”,

“idprovider_id”: “”,

“properties”: {

“cs_auth”: {

“session_timeout”: 3600000




“properties”: {}





Setting up a HTTPS endpoints – MuleSoft


In order to setup a HTTPS server with Mule a few first steps need to be performed.

  1. First a keystore must be created, this can be done using the keytool provided by Java.
  2. You can find this in the bin directory of the Java installation.
  3. Once located you can then execute the following command to create a keystore:

keytool -genkey -alias mule -keyalg RSA -keystore <name of the keystore>.jks

  1. This will create the named file in the local directory called <name of the keystore>.jks.
  2. It needs to be put into the <MY MULE APP>/src/main/resources directory if being used within a single application. The jre/bin original folder needs to be given full access for the user Anypoint studio running on
  3. Same keystore can be used for all API’s provided the keystore is copied into the resources folder of each project.
  4. Once the keystore is in place the following needs to be added to your mule configuration file:

<https:connector name=”httpsConnector”>

 <https:tls-key-store path=”<name of the keystore>.jks” keyPassword=”<Your Password>”  storePassword=”<Your Password>”/>


  1. This can be achieved from the studio by creating a HTTP-HTTPS connector configuration



  1. If the keystore was in the <MY MULE APP>/src/main/resources directory then you can just specify the name in the path. Otherwise if the keystore was located in the other directory then you will have to specify the path. Since the Cloudhub does not have access to the local directory it is not recommended.
  1. On the listener of the project, Enable the HTTPS and select the HTTPS connector configuration.


  1. On the port parameter of the HTTPS listener, specify “${https.port}”



  1. Please note if you have any other sub flows or other HTTPS calls inside the flow, make sure the HTTPS connector configuration is selected.


Successfully Connect to Oracle package with out paramter from BizTalk using WCF-Oracle adapter


I was handling an interface which has to talk to oracle database package and get a cursor back. I followed the usual procedure to connect to the oracle database.

1. The first problem occurred when connecting to the oracle database using Consume adapter service. It would not accept the user name and password for the oracle database. Even after thorough verification and confirmation about the credentials, Consume adapter service throws error as: Image


After a long struggle, a quick realisation about oracle’s case sensitivity resolved the issue. Whatever your user name is give it in capital letters. That would solve this issue.

2. After the consume adapter wizard, Schemas and binding files were generated. The generated schema had the out parameter as an element inside the schema. So the usual process of mapping the source schema to adapter generated schema and invoke the oracle database resulted in error. The mapping was done between every required fields except the out parameter considering the database is going to send us back the out value. What happened here is the out parameter element itself is not available in the adapter generated schema since we are not mapping anything to that element. Database package would not be successfully executed without the out element in the request schema. I had to explicitly map a nil functoid to the out parameter element in order to populate that field in the database request schema. That solved the error and database package executed successfully and the response was delivered.  Cheers.

Exposing BizTalk Orchestration as WCF


When you have a requirement to expose your orchestration as WCF service, Biztalk gives you two options.


First of all, Orchestration can be exposed as WCF service using these both options. But then what’s the difference?

Publishing schemas as web services allows you to separate the services you publish from the implementation. This this most useful for one-way operations, where a message is published each time the service is called. You can use this for a pure message based
scenario, or you can create orchestrations that subscribe to the messages using direct bound ports. You have more control over the service name and operation names. Whereas in Exposing orchestration as WCF, it is bound to the particular orchestration and whenever there is a change in the orchestration, the process has to be redeployed. So it is always better to expose schema’s as WCF.

When it comes to deploy these kinds of solutions in to production, questions arises as how to deploy the bizTalk stuffs and WCF stuffs. BizTalk Deployment Framework can be used to deploy both using a single MSI.


  1. Expose the schema as WCF in your development environment, get the IIS content and copy in to your solution folder as VDir. Please take care of the length constraints of the path and name.
  2. Change your deployment framework .btdfproj file to accommodate IIS configuration.
  • Make the following values as below





  • Add an item group with IIS configuration details


<VDirList Include=”*”>








  • Add the below target to copy the WCF files in the virtual directory created

<Target Name=”CustomRedist”>

<MakeDir Directories=”$(RedistDir)\GetCustomerSchedule” />

<CreateItem Include=”..\VDir\**\*.*”>

<Output TaskParameter=”Include” ItemName=”SourceFiles” />


<Copy DestinationFolder=”$(RedistDir)\GetCustomerSchedule\%(RecursiveDir)” SourceFiles=”@(SourceFiles)”/>


3. Modify the InstallWizrd.xml file to accommodate the app pool credentials



Enter a domain-qualified account name for virtual directory (HTTP and SOAP) identities.

For Windows Server 2003 (IIS6), ensure this user is in the IIS_WPG group.


<PromptValue />





<PromptText>Enter the password for the account specified:</PromptText>

<PromptValue />




4. Now build the MSI and this MSI will be able to deploy both BizTalk and IIS configurations.