MindTouch Success Center

SAML SSO Service Provider Endpoints

A list and descriptions of the service provider endpoints used in the SAML SSO and SLO scenarios.

Single Sign-On management moved from the Control Panel to the Integrations section of the Dashboard in Release 2019-03-21. Single Sign-On configuration is now managed through the MindTouch Support Team and viewable on Dashboard > Integrations > Single Sign-On Configuration.

Consult the following tables, in which {id} is a placeholder for an identity provider service id. In all cases, if the system cannot find an identity provider service id matching {id}, an HTTP 404 response is returned. If the matching identity provider service is disabled, an HTTP 403 response is returned.

The string default can be used in place of any {id} to use the configured default identity provider service.

Sign in endpoints

Endpoint Description

/@app/auth/{id}/login?returnto={url}

Responds with an HTTP redirect to the identity provider's single sign-on endpoint, with a valid SAMLRequest deflated and encoded in the URL. The optional, URL-encoded value of {url} is converted to a RelayState query parameter. If the request cannot be generated due to an error, the user is redirected to the homepage with an error message (public site behavior) or receives an HTTP 403 response (private site behavior).

/@app/auth/{id}/acs

The assertion consumer service; receives an encoded SAMLResponse from either an HTTP redirect or a POST request. If the SAMLResponse cannot be validated or does not include a successful sign-in status, the user is redirected to the homepage with an error message (public site behavior) or receives an HTTP 403 response (private site behavior).
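The redirect issued by the login endpoint follows the SAML 2.0 HTTP-Redirect binding: the AuthnRequest is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter, with RelayState carried beside it. The following Python is an added example, not MindTouch code. It builds such a redirect URL, decodes one for inspection when debugging a flow, and restricts the returnto value to a same-site path before it becomes RelayState, since a relying party should not forward an attacker-chosen absolute URL through RelayState. The site origin, identity provider SSO URL and request identifiers are constructed placeholders, and the request is unsigned.

```python
"""HTTP-Redirect binding helpers for the login endpoint (added example; not MindTouch code).

Assumptions (constructed placeholders): SITE_ORIGIN, IDP_SSO_URL and the request
IDs passed by callers. The AuthnRequest built here is unsigned.
"""
import base64
import zlib
from datetime import datetime, timezone
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SITE_ORIGIN = "https://kb.example.com"            # placeholder MindTouch site
IDP_SSO_URL = "https://idp.example.com/saml/sso"  # placeholder IdP SSO endpoint
SP_ENTITY_ID = f"{SITE_ORIGIN}/@app/auth/default/metadata.xml"
ACS_URL = f"{SITE_ORIGIN}/@app/auth/default/acs"


def build_authn_request(request_id: str, issued: Optional[str] = None) -> str:
    """Minimal AuthnRequest. `issued` is an ISO 8601 UTC timestamp; defaults to now."""
    if issued is None:
        issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issued}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def deflate_encode(xml: str) -> str:
    """Raw DEFLATE (wbits=-15, no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def deflate_decode(value: str) -> str:
    """Inverse of deflate_encode: base64 decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def safe_return_path(returnto: str) -> Optional[str]:
    """Accept only a same-site path. Rejects absolute URLs, scheme-relative
    //host URLs, and backslashes (which some browsers normalise to slashes)."""
    if not returnto.startswith("/") or returnto.startswith("//") or "\\" in returnto:
        return None
    parts = urlsplit(returnto)
    if parts.scheme or parts.netloc:
        return None
    return returnto


def login_redirect_url(returnto: Optional[str], request_id: str,
                       issued: Optional[str] = None) -> str:
    """The URL a login endpoint would place in its Location header."""
    params = {"SAMLRequest": deflate_encode(build_authn_request(request_id, issued))}
    if returnto is not None:
        relay = safe_return_path(returnto)
        if relay is not None:  # an unsafe returnto is dropped, never forwarded to the IdP
            params["RelayState"] = relay
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def inspect_redirect(url: str) -> Dict[str, Optional[str]]:
    """Decode SAMLRequest and RelayState out of a captured redirect URL."""
    qs = parse_qs(urlsplit(url).query)
    return {"SAMLRequest": deflate_decode(qs["SAMLRequest"][0]),
            "RelayState": qs.get("RelayState", [None])[0]}


if __name__ == "__main__":
    redirect = login_redirect_url("/Pages/Home?x=1", "_req1")
    print(redirect)
    print(inspect_redirect(redirect))
```

inspect_redirect is the quickest way to confirm what a captured login redirect actually carries (Destination, AssertionConsumerServiceURL, RelayState) before involving the identity provider; an absolute or protocol-relative returnto never reaches RelayState.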

Sign out endpoints

Endpoint Description
/Special:UserLogout

Signs the user out of the MindTouch site and, if SAML SLO (single logout) has been configured, redirects them to the identity provider they signed in with. If the request cannot be generated due to an error, the user is redirected to the homepage with an error message.

/@app/auth/{id}/slo

The single logout service; receives an encoded SAMLResponse or SAMLRequest from an HTTP redirect. A SAMLResponse is received after a user has been redirected from the Special:UserLogout endpoint on the MindTouch site to the identity provider and back to the MindTouch site. A SAMLRequest is received if the identity provider initiates the sign-out process independently.

If the SAMLResponse cannot be validated or does not include a successful sign-out status, the user is redirected to the homepage with an error message.

If the SAMLRequest cannot be validated, the requester receives an HTTP 403 response.
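Both the assertion consumer service and the single logout service accept a message only if it validates and carries a successful status; the Status element has the same shape in a Response and a LogoutResponse. The Python below is an added example, not MindTouch code, covering the receiving side of both endpoints: it decodes a message from the POST binding (base64) or the Redirect binding (DEFLATE then base64), reads the top-level StatusCode, and applies the checks a relying party runs after signature verification (Destination, InResponseTo, assertion validity window, audience). XML signature verification is deliberately out of scope here and nothing in this block replaces it. The ACS and SLO URLs, entity IDs and the three sample messages are constructed.

```python
"""Post-signature checks for the acs and slo receivers (added example; not MindTouch code).
ACS_URL, SLO_URL, the entity IDs and the SAMPLE_* messages are constructed placeholders.
Signature verification is NOT performed here; run these checks after it, never instead of it."""
import base64
import zlib
from datetime import datetime
from typing import List, Optional
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://kb.example.com/@app/auth/default/acs"            # placeholder
SLO_URL = "https://kb.example.com/@app/auth/default/slo"            # placeholder
SP_ENTITY_ID = "https://kb.example.com/@app/auth/default/metadata.xml"  # placeholder
IDP_ENTITY_ID = "https://idp.example.com/metadata"                  # placeholder


def encode_message(xml: str, binding: str) -> str:
    """POST binding: base64 only. Redirect binding: raw DEFLATE, then base64."""
    raw = xml.encode()
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode()


def decode_message(value: str, binding: str) -> str:
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)
    return raw.decode()


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def status_code(root: ET.Element) -> str:
    """Top-level StatusCode Value; nested codes (e.g. AuthnFailed) only explain a failure."""
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None:
        raise ValueError("message has no Status/StatusCode")
    return code.get("Value", "")


def check_message(xml: str, expected_destination: str, now: str,
                  expected_audience: Optional[str] = None,
                  expected_in_response_to: Optional[str] = None) -> List[str]:
    """Return the list of failed checks; an empty list means the message passed them."""
    problems: List[str] = []
    root = ET.fromstring(xml)
    kind = root.tag.rsplit("}", 1)[-1]
    if kind not in ("Response", "LogoutResponse"):
        return [f"unexpected top-level element {kind}"]
    code = status_code(root)
    if code != SUCCESS:
        problems.append(f"status {code}")
    if root.get("Destination") != expected_destination:
        problems.append("Destination mismatch")
    if expected_in_response_to is not None and root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo mismatch")
    if kind == "Response":
        t = _ts(now)
        assertions = root.findall("saml:Assertion", NS)  # EncryptedAssertion must be decrypted first
        if code == SUCCESS and not assertions:
            problems.append("successful Response without Assertion")
        for a in assertions:
            cond = a.find("saml:Conditions", NS)
            if cond is None:
                problems.append("Assertion without Conditions")
                continue
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and t < _ts(nb):
                problems.append("Assertion not yet valid")
            if noa and t >= _ts(noa):
                problems.append("Assertion expired")
            if expected_audience is not None:
                audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
                if expected_audience not in audiences:
                    problems.append("Audience mismatch")
    return problems


# Constructed sample messages (unsigned, for exercising the checks above only).
SAMPLE_SUCCESS_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
    f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
    f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
    '</saml:Conditions></saml:Assertion></samlp:Response>')
SAMPLE_FAILED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r2" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/></samlp:StatusCode>'
    '<samlp:StatusMessage>User cancelled</samlp:StatusMessage></samlp:Status></samlp:Response>')
SAMPLE_LOGOUT_RESPONSE = (
    f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_l1" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{SLO_URL}" InResponseTo="_lr1">'
    f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
```

A failed sign-in typically arrives as a top-level Responder or Requester code with the specific reason nested inside it, so only the top-level Value decides success; the nested code and StatusMessage belong in the log line, not in the decision. The InResponseTo check is what lets the slo endpoint distinguish the LogoutResponse to its own request from an unsolicited message.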

Data endpoints

Endpoint Description
/@app/auth/{id}/metadata.xml

MindTouch site service provider description metadata. If the metadata cannot be generated due to an error, the requester receives an HTTP 403 response.

/@app/auth/{id}/x509.crt

MindTouch site service provider signing certificate. An empty or missing certificate returns an HTTP 404 response.
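An identity provider administrator consumes these two endpoints together: the metadata supplies the entity ID, the assertion consumer and single logout locations and the signing certificate, and x509.crt serves the same certificate as PEM. The Python below is an added example, not MindTouch code, that parses a service provider metadata document, lists what it advertises, and confirms by SHA-256 fingerprint that the PEM served separately is the certificate the metadata carries. The metadata document and the certificate bytes are constructed placeholders (the placeholder is not a real X.509 structure, only bytes standing in for DER, which is all a fingerprint comparison needs).

```python
"""Consumer-side checks on metadata.xml and x509.crt (added example; not MindTouch code).
SAMPLE_METADATA, SAMPLE_PEM and OTHER_PEM are constructed placeholders; the certificate
bytes are not real DER."""
import base64
import hashlib
import re
from typing import Dict, List, Tuple
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for metadata from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def parse_sp_metadata(xml: str) -> Dict[str, object]:
    """Pull entity ID, endpoints and signing certificates out of an SP EntityDescriptor."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor")

    def endpoints(name: str) -> List[Tuple[str, str]]:
        return [(e.get("Binding", ""), e.get("Location", "")) for e in sp.findall(f"md:{name}", NS)]

    certs = [re.sub(r"\s+", "", c.text or "")  # base64 in metadata is often line-wrapped
             for c in sp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),
            "acs": endpoints("AssertionConsumerService"),
            "slo": endpoints("SingleLogoutService"),
            "signing_certs": certs,
            "wants_signed_requests": sp.get("AuthnRequestsSigned") == "true"}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of a certificate and return the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as IdP consoles usually display it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cert_matches(metadata_xml: str, pem: str) -> bool:
    """True if the PEM served at x509.crt is one of the signing certs in the metadata."""
    served = sha256_fingerprint(pem_to_der(pem))
    return any(sha256_fingerprint(base64.b64decode(c)) == served
               for c in parse_sp_metadata(metadata_xml)["signing_certs"])


# Constructed sample documents.
_CERT_DER = b"constructed placeholder certificate bytes, not real DER"
_CERT_B64 = base64.b64encode(_CERT_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://kb.example.com/@app/auth/default/metadata.xml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://kb.example.com/@app/auth/default/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://kb.example.com/@app/auth/default/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + _CERT_B64 + "\n-----END CERTIFICATE-----\n"
OTHER_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"a different blob").decode()
             + "\n-----END CERTIFICATE-----\n")
```

Comparing fingerprints rather than the base64 text avoids false mismatches from line wrapping, and a mismatch between the two endpoints is the first thing to check when the identity provider starts rejecting signed requests after a certificate rotation.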

 
