SAML 2.0 single sign-on (SSO) scenarios
MindTouch supports SAML 2.0 SSO using the HTTP Redirect binding for requests and the HTTP POST binding for responses:
- Authentication requests (AuthnRequest) from the service provider (SP) to the identity provider (IdP) are sent with the HTTP Redirect binding, that is, deflated and base64-encoded in the SAMLRequest query parameter of a browser redirect.
- Responses (and any requests) from the IdP to the SP are expected to arrive with the HTTP POST binding, that is, base64-encoded in the SAMLResponse field of an auto-submitted HTML form posted to the SP's assertion consumer service (ACS) URL.
SP-initiated SSO is the scenario in which the sign-on process starts in the application (here, MindTouch), either actively or passively, and the user is then authenticated by the IdP:
- Active SSO: the user signs in to MindTouch by clicking the Sign In link.
- Passive SSO: the user visits a private page or file attachment that cannot be accessed without authentication.
- IdP authentication: in both cases MindTouch redirects the user to the IdP with an AuthnRequest; after successful authentication the IdP posts its response back to MindTouch, which signs the user in and returns them to the page they requested.
IdP-initiated SSO is the scenario in which the user is already authenticated with the IdP, typically from an internal application such as Salesforce, and clicks a link to the MindTouch site to begin an SSO session. The IdP posts an unsolicited SAML response to MindTouch (there is no preceding AuthnRequest). If needed, a new user is created in MindTouch (or the existing user is found), and the user is signed in.
SAML 2.0 single logout (SLO) scenarios
In addition to SSO, MindTouch supports SAML 2.0 single logout (SLO) using the HTTP Redirect binding in both directions (LogoutRequest and LogoutResponse). SLO allows a MindTouch user who clicks the Sign Out button on a MindTouch site to be signed out of both MindTouch and the IdP.
Although SLO is optional, it is strongly recommended for private MindTouch sites. Without SLO, signing out of MindTouch ends only the MindTouch session: the user is redirected to the SAML SSO authentication provider, which still holds the SSO session and signs them straight back in. In effect the user cannot sign out of MindTouch without first signing out of the SAML SSO authentication provider, which is a confusing experience.
User-initiated logout (MindTouch): the user clicks the sign-out link in MindTouch. MindTouch ends its own session and sends a LogoutRequest to the IdP, so the user is signed out of both MindTouch and the IdP.
User-initiated logout (other application): if the IdP and all SPs in the federated SSO session are configured correctly and the user signs out of any other application in that session, the IdP sends a LogoutRequest to MindTouch, and MindTouch signs the user out.
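The two bindings described above (HTTP Redirect for the SP's AuthnRequest and LogoutRequest, HTTP POST for the IdP's Response) can be seen end to end in the following added example. It is not MindTouch's code and does not use MindTouch's endpoints; the entity IDs, URLs, user name and the IdP Response are all constructed for the example. It encodes an AuthnRequest for the Redirect binding, applies the SP-side checks a practitioner wants on the POST-bound Response (Destination, InResponseTo replay protection, status, validity window, audience), and then builds the LogoutRequest for SLO. XML signature verification is left as a marked gap because it needs the IdP's certificate and an XML-DSig library; no Response should be trusted until it is done.

```python
"""Added example, not MindTouch's code: SAML 2.0 Redirect/POST bindings and the
SP-side checks on a Response. Standard library only. All endpoints, entity IDs,
the sample user and the IdP Response below are constructed for this example."""
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical deployment values (assumptions, not real MindTouch or IdP URLs).
SP_ENTITY_ID = "https://docs.example.com/saml/metadata"
ACS_URL = "https://docs.example.com/saml/acs"        # HTTP-POST Responses land here
IDP_SSO_URL = "https://idp.example.org/sso/redirect"  # receives AuthnRequest
IDP_SLO_URL = "https://idp.example.org/slo/redirect"  # receives LogoutRequest

def saml_id():
    return "_" + secrets.token_hex(16)  # xs:ID must not start with a digit

def to_redirect_url(endpoint, param, xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    data = c.compress(xml_text.encode()) + c.flush()
    query = {param: base64.b64encode(data).decode()}
    if relay_state:
        query["RelayState"] = relay_state  # page to return to; validate it as a local path on receipt
    return endpoint + "?" + urllib.parse.urlencode(query)

def from_redirect_url(url, param):
    """Receiving side of the Redirect binding: recover the XML from the query string."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs[param][0]), -15).decode()

def build_authn_request(request_id, issue_instant):
    """SP-initiated SSO: the AuthnRequest the SP redirects the browser to the IdP with."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def build_logout_request(request_id, name_id, session_index, issue_instant):
    """SLO: the LogoutRequest the SP sends to the IdP, also over the Redirect binding."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SLO_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
            f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')

def _instant(s):
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_post_response(saml_response_b64, outstanding_ids, now):
    """SP-side checks on a Response delivered by HTTP-POST (the SAMLResponse form field).
    Returns (name_id, session_index) or raises ValueError. An IdP-initiated Response has no
    InResponseTo, so that one check is skipped for it; every other check still applies.
    NOTE: the XML signature on the Response or Assertion must be verified against the IdP's
    certificate before any of this is trusted; that step is out of scope for this example."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")  # blocks Responses meant for another SP
    irt = root.get("InResponseTo")
    if irt is not None:
        if irt not in outstanding_ids:
            raise ValueError("InResponseTo matches no outstanding AuthnRequest")
        outstanding_ids.discard(irt)  # one-shot: a second delivery of the same Response is a replay
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no plaintext Assertion")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_instant(cond.get("NotBefore")) <= now < _instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    name_id = a.find("saml:Subject/saml:NameID", NS).text
    session_index = a.find("saml:AuthnStatement", NS).get("SessionIndex")
    return name_id, session_index

def sample_response(in_response_to, destination=ACS_URL):
    """Constructed, unsigned IdP Response for the example (a real one carries an XML signature)."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{saml_id()}" Version="2.0" '
           f'IssueInstant="2024-01-01T12:00:00Z" Destination="{destination}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="{saml_id()}" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
           f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
           f'<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions><saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="sess-42"/>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def sp_initiated_sso_demo():
    """Walks SP-initiated SSO and then SLO end to end with the constructed IdP reply."""
    now = dt.datetime(2024, 1, 1, 12, 0, tzinfo=dt.timezone.utc)
    rid = saml_id()
    outstanding = {rid}  # the SP remembers the IDs of AuthnRequests it issued
    sso_url = to_redirect_url(IDP_SSO_URL, "SAMLRequest", build_authn_request(rid, "2024-01-01T11:59:00Z"),
                              relay_state="/Private/Runbook")  # passive SSO: page the user asked for
    posted = sample_response(rid)  # the IdP returns this via the browser as a POST to ACS_URL
    name_id, session_index = validate_post_response(posted, outstanding, now)
    slo_url = to_redirect_url(IDP_SLO_URL, "SAMLRequest",
                              build_logout_request(saml_id(), name_id, session_index, "2024-01-01T12:03:00Z"))
    return {"sso_url": sso_url, "name_id": name_id, "session_index": session_index, "slo_url": slo_url}
```

The SessionIndex taken from the AuthnStatement is what makes SLO work: the LogoutRequest names the IdP session to end, so the IdP can terminate it and notify the other SPs in the federated session. The `outstanding_ids` set is consumed on first use, so a captured Response replayed to the ACS URL is rejected even though it is otherwise well-formed.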