Single Sign-On management moved from the Control Panel to the Integrations section of the Dashboard in Release 2019-03-21. Single Sign-On configuration is now managed through the MindTouch Support Team and viewable on Dashboard > Integrations > Single Sign-On Configuration.
Common SAML SSO Terminology
- Security Assertion Markup Language (SAML) is a preferred single sign-on (SSO) authentication protocol that allows users to access multiple applications at a single point of authentication.
- Single sign-on (SSO) is an authentication process that allows users to use one set of sign in credentials to log into multiple applications.
- An identity provider (IdP) is a service for creating, managing and storing a user's authentication credentials (username, password, group assignments, roles, etc.).
- The service provider (SP) is the owner or provider of the application the user wants to access (for example, MindTouch).
- An Authentication request is an HTTP request from the SP to the IdP, made on behalf of the user after they initiate a sign-on session. MindTouch initiates the sign-on when a user clicks the Sign in link or attempts to visit a protected resource such as a private page or file attachment.
- An Assertion is an XML document that contains the metadata required to sign on or create a user on the SP. It is delivered either as part of an IdP response to an authentication request or as an unsolicited IdP request to sign a user into an SP.
Why is SAML SSO recommended for authentication?
- Security: SAML provides a single point of authentication at a secure identity provider (IdP). User credentials never leave the firewall boundary and the many applications used throughout your company do not have to store and synchronize identities, minimizing potential breach points.
- Improved online user experience: SAML allows users to securely access multiple applications with a single sign in, simplifying the everyday workflow.
- Platform neutrality: The SAML protocol interoperates with any system independent of implementation, reducing interoperability issues associated with vendor-specific approaches.
- Reduced administrative costs: The burden of authenticating users across multiple applications is transferred to the IdP with a single act of authentication, reducing the account management costs.
- Risk transference: SAML can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.
- Admin access to your IdP
- Admin access to MindTouch
- Working knowledge of SAML single sign-on (SSO) and single logout (SLO) scenarios
- Understanding of how enabling SAML SSO may affect your implementation or workflows
SAML SSO sessions can occur behind existing VPN or IP-restrictions if enabled for your MindTouch site. See our SAML SSO FAQ for more information on additional security measures.
Collect information from your IdP
To configure the most basic SAML SSO integration, you need the following information from your identity provider (IdP):
- Entity ID (required): The unique identifier for your IdP. MindTouch accepts SAML assertions from this ID only.
- Single sign-on service (required): The SSO endpoint that MindTouch sends authentication requests to.
- Single logout service (recommended): The SLO endpoint that MindTouch sends logout requests to.
- Public X.509 certificate (required): MindTouch uses this certificate to establish trust with your IdP and to verify incoming SAML assertions from the IdP.
Enable group synchronization (Optional)
- Create groups within MindTouch before enabling group synchronization
- Familiarize yourself with the behavior of group synchronization
- Provide the following additional details:
  - Group attribute name as it will appear in SAML assertions sent from the IdP to the SP
  - Group name delimiter character used to split the value of the group name attribute into individual group names. If no delimiter character is provided, the attribute is treated as an attribute with multiple XML text nodes.
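The following Python script is an added example (not MindTouch code) that shows, on a constructed sample assertion, the SP-side checks the configuration values above feed into: the Issuer must equal the configured IdP Entity ID, the SP must appear in the AudienceRestriction, the NotBefore/NotOnOrAfter window must cover the current time, and the group attribute is read either by splitting a single value on the configured delimiter or, when no delimiter is configured, by taking each AttributeValue node as one group name. The entity IDs, attribute names and timestamps are hypothetical. XML-DSig signature verification against the IdP's public X.509 certificate is deliberately left as a call-out in the code: it needs an XML-DSig library, and every check shown here is only meaningful after that verification has passed on the exact bytes received.

```python
"""Added example: SP-side acceptance checks for a SAML 2.0 assertion and
group-attribute extraction with or without a delimiter character."""
import xml.etree.ElementTree as ET  # production code: use defusedxml for untrusted XML
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP configuration, mirroring the values collected from the IdP.
SP_CONFIG = {
    "idp_entity_id": "https://idp.example.com/metadata",      # assumption
    "sp_entity_id": "https://docs.example.com/saml/metadata",  # assumption
}

# Constructed sample assertion (not captured traffic). The ds:Signature element
# is omitted; in real code it must be verified before any field below is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2019-03-21T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-03-21T09:59:00Z" NotOnOrAfter="2019-03-21T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://docs.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Editors</saml:AttributeValue>
      <saml:AttributeValue>Support</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Editors;Support;Sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form used in SAML timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, config, now_utc):
    """Return the list of policy failures for an assertion (empty = accepted).

    Caller must already have verified the XML-DSig signature with the IdP's
    public X.509 certificate; this function checks issuer, audience and validity.
    """
    root = ET.fromstring(xml_text)
    now = parse_saml_time(now_utc)
    failures = []

    # Accept assertions only from the configured IdP Entity ID.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != config["idp_entity_id"]:
        failures.append("issuer %r is not the configured IdP Entity ID" % issuer)

    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        failures.append("assertion has no Conditions element")
        return failures

    # Validity window: reject assertions that are not yet valid or have expired.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        failures.append("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        failures.append("assertion expired")

    # Audience restriction: the assertion must be addressed to this SP.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)
                 if a.text]
    if config["sp_entity_id"] not in audiences:
        failures.append("SP entity ID not present in AudienceRestriction")
    return failures


def extract_groups(xml_text, attribute_name, delimiter=None):
    """Return group names carried in the named attribute.

    With a delimiter, each AttributeValue is split on it; without one, every
    AttributeValue text node is taken as one group name, so a single value of
    'A;B' becomes one group called 'A;B'.
    """
    root = ET.fromstring(xml_text)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        if attr.get("Name") != attribute_name:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", namespaces=NS)
                  if v.text and v.text.strip()]
        if delimiter:
            return [g.strip() for value in values for g in value.split(delimiter) if g.strip()]
        return values
    return []


if __name__ == "__main__":
    print("failures:", check_assertion(SAMPLE_ASSERTION, SP_CONFIG, "2019-03-21T10:01:00Z"))
    print("memberOf (multi-node):", extract_groups(SAMPLE_ASSERTION, "memberOf"))
    print("groups with ';':", extract_groups(SAMPLE_ASSERTION, "groups", ";"))
    print("groups without delimiter:", extract_groups(SAMPLE_ASSERTION, "groups"))
```

Running the script against the sample shows the practical consequence of the delimiter setting: `memberOf` yields two groups from two text nodes, `groups` yields three when `;` is configured, and yields a single group literally named `Editors;Support;Sales` when it is not, which is why the group names created in MindTouch beforehand have to match the form the IdP actually sends.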
Enable service provider message signing or encryption (Optional)
Installing an optional private RSA key and X.509 certificate on the SP will allow the SP to sign authentication requests sent to the IdP, and decrypt assertions received from the IdP. If a private RSA key and X.509 certificate are not provided, the public IdP X.509 certificate will still be used to verify incoming SAML assertions from the IdP.
Contact your MindTouch Account Manager
Your account manager will introduce you to the team providing SAML SSO integration services. Based on the complexity of your integration, you may need to only supply the IdP data described above, or you may work with them on more advanced integrations. The latter may require more involvement with your IdP maintainer or vendor, and additional information.