
Authenticating users to maximize site security

This page applies to: MindTouch Responsive

This best practice article provides guidance on authenticating MindTouch users to maximize site security and simplify user management via SAML single sign-on (SSO).

SAML SSO scenarios are not trivial integrations to set up, test and deploy. Your organization will likely require an IT administrator with knowledge of SAML SSO to successfully deploy a SAML SSO solution. MindTouch-supported SAML SSO vendors such as OneLogin and Salesforce simplify the configuration required by your organization to deploy SAML SSO.

 

Terminology


SAML: Security Assertion Markup Language (SAML) is a preferred single sign-on (SSO) authentication protocol that allows users to access multiple applications through a single point of authentication.
SSO: Single sign-on (SSO) is an authentication process that allows users to use one set of login credentials to log into multiple applications.
IdP: An identity provider (IdP) is a service for creating, managing and storing a user's authentication credentials (e.g. username, password, group assignments, roles, etc.).
SP: The service provider (SP) is the owner or provider of the application the user wants to access (e.g. MindTouch).
Authentication request: A request from the SP to the IdP, made on behalf of the user after they initiate a sign-on session. MindTouch initiates the sign-on when a user clicks the Sign in link or attempts to visit a protected resource such as a private page or file attachment.
Assertion: An XML document, sent either as part of the IdP's response to an authentication request or as an unsolicited IdP request to sign a user into an SP, that contains the data required to sign the user on to, or create the user on, the SP.
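As an added illustration of the roles defined above (this is example code, not MindTouch's implementation), the following simulates an SP-initiated SAML 2.0 exchange: the SP builds an authentication request, a constructed IdP answers with a Response carrying an Assertion, and the SP accepts the assertion only after checking that it answers an outstanding request, comes from the trusted IdP, names this SP as its audience, and is within its validity window. The entity IDs and ACS URL are assumed values, and XML signature verification is assumed to be performed by the SAML library before these checks (it is not shown here).

```python
# Added example (not MindTouch's code): a simulated SP-initiated SAML 2.0 exchange.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://help.example.com/sp"        # assumed SP entity ID
IDP_ENTITY_ID = "https://idp.example.com"            # assumed trusted IdP entity ID
ACS_URL = "https://help.example.com/@app/saml/acs"   # assumed Assertion Consumer Service URL
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_authn_request(pending):
    """SP side: build an AuthnRequest and remember its ID so the response can be tied to it."""
    req_id = "_" + uuid.uuid4().hex
    pending.add(req_id)
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{req_id}" Version="2.0" AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def idp_response(request_xml, name_id, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, ttl=300):
    """Constructed IdP side: answer the request with a Response carrying one (unsigned) Assertion."""
    req_id = ET.fromstring(request_xml).get("ID")
    now = datetime.now(timezone.utc)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" InResponseTo="{req_id}">'
            f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{now.strftime(TS_FMT)}" '
            f'NotOnOrAfter="{(now + timedelta(seconds=ttl)).strftime(TS_FMT)}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def validate_response(response_xml, pending, now=None):
    """SP side: return the NameID if the assertion answers our request, comes from the trusted IdP,
    is addressed to this SP and is inside its validity window; otherwise raise ValueError.
    Assumption: the XML signature was already verified by the SAML library (not shown here)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    req_id = root.get("InResponseTo")
    if req_id not in pending:
        raise ValueError("unsolicited or replayed response")
    pending.discard(req_id)  # each request ID is accepted once, so a replayed response is rejected
    a = root.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    parse = lambda s: datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)
    if not (parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this SP")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The example models only the SP-initiated flow; an IdP-initiated (unsolicited) assertion has no InResponseTo and would need a separate policy decision rather than the pending-request check shown.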

 

Authentication options


Although MindTouch offers several authentication options, the following are the most common:

  • SAML SSO authentication (recommended)
  • MindTouch local authentication (default)

Why is SAML SSO recommended for authentication?


  • Security. Since SAML provides a single point of authentication at a secure identity provider (IdP), user credentials never leave the firewall boundary and the many applications used throughout your company do not have to store and synchronize identities, minimizing potential breach points.
  • Improved online user experience. SAML allows users to securely access multiple applications with a single login, simplifying the everyday workflow.
  • Platform neutrality. The SAML protocol interoperates with any system independent of implementation, reducing interoperability issues associated with vendor-specific approaches.
  • Reduced administrative costs for service providers. The burden of authenticating users across multiple applications is transferred to the IdP with a single act of authentication, reducing account management costs.
  • Risk transference. SAML can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider.

Sources:
  • https://www.oasis-open.org/committees/download.php/11785/sstc-saml-exec-overview-2.0-draft-06.pdf
  • http://www.forumsys.com/saml/three-benefits-of-using-saml/
 

Prerequisites


How do I set up SAML SSO for MindTouch?


If you are working with any of the following IdPs, follow the guided paths below to set up SAML SSO for MindTouch:

Salesforce

Follow the steps below to set up SAML SSO authentication for MindTouch with Salesforce:

SAML SSO with Salesforce
This path guides users on how to set up SAML single sign-on (SSO) authentication for MindTouch using Salesforce as the identity provider.
Pages: 5

ADFS

Follow the steps below to set up SAML SSO authentication for MindTouch with ADFS:

SAML SSO with ADFS
This path guides users on how to set up SAML single sign-on (SSO) authentication for MindTouch using ADFS as the identity provider.
Pages: 3

PingOne

Follow the steps below to set up SAML SSO authentication for MindTouch with PingOne:

SAML SSO with PingOne
This path guides users on how to set up SAML single sign-on (SSO) authentication for MindTouch using PingOne as the identity provider.
Pages: 3

OneLogin

Follow the steps below to set up SAML SSO authentication for MindTouch with OneLogin:

SAML SSO with OneLogin
This path guides users on how to set up SAML single sign-on (SSO) authentication for MindTouch using OneLogin as the identity provider.
Pages: 3

 

Need further help?


If you are interested in setting up SSO with your SAML 2.0 authentication provider and need additional help, don't hesitate to contact the MindTouch Support team.