
Configure MindTouch for SAML SSO

This page applies to: MindTouch Responsive

This article provides steps for configuring settings in MindTouch to enable SAML single sign-on (SSO).
 

Terminology


SAML: Security Assertion Markup Language (SAML) is a preferred single sign-on (SSO) authentication protocol that allows users to access multiple applications from a single point of authentication.
SSO: Single sign-on (SSO) is an authentication process that allows users to use one set of login credentials to log in to multiple applications.
IdP: An identity provider (IdP) is a service for creating, managing and storing a user's authentication credentials (i.e. username, password, group assignments, roles, etc.).
SP: The service provider (SP) is the owner or provider of the application the user wants to access (e.g. MindTouch).
Authentication request: A request from the SP to the IdP, made on behalf of the user after they initiate a sign-on session. MindTouch initiates the sign-on when a user clicks the Sign in link or attempts to visit a protected resource such as a private page or file attachment.
Assertion: An XML document, either part of an IdP response to an authentication request or an unsolicited IdP request to sign a user into an SP, that contains the metadata required to sign the user on or create the user on the SP.

 

Prerequisites


SAML SSO sessions can occur behind existing VPN or IP-restrictions if enabled for your MindTouch site. See our technical SAML SSO notes for more information on additional security measures.

 

How to configure MindTouch for SAML SSO


Step 1: Collect information from your IdP

To configure SAML SSO in MindTouch, you need the following information from your identity provider (IdP):

  • Entity ID (required). The unique identifier for your IdP. MindTouch accepts SAML assertions from this ID only.
  • Single sign-on service (required). The SSO endpoint that MindTouch sends authentication requests to.
  • Single logout service (recommended). The SLO endpoint that MindTouch sends logout requests to.
  • Public X.509 certificate (required). MindTouch uses this certificate to establish trust with your IdP and to validate incoming SAML assertions from the IdP.

Step 2: Enable SAML SSO in MindTouch

  1. Log in to MindTouch as an admin.
  2. Navigate to Site tools > Control panel > Authentication > Single Sign-On > SAML.
  3. Select Enable Single Sign-On with SAML to redirect all sign-in requests to your SAML SSO login URL.

The Enable Debug & Error Reporting feature is not meant for production use, because its output may contain sensitive information.

Step 3: Download your SP metadata

Federation Metadata Document. Click this link to download the SP metadata (available only after a valid SAML SSO configuration has been saved).

Screenshot of configuration settings for metadata

Step 4: Upload your IdP metadata

Upload Identity Provider Metadata (see image above). Upload your IdP metadata file to pre-populate some or all of the IdP configuration fields on this page. Changes do not take effect until the configuration is saved.

Step 5: Identify your IdP

Identity Provider Entity ID. Enter the unique identifier for your IdP. MindTouch will accept SAML assertions from this ID only.

Screenshot of configuration settings for IdP entity ID

Step 6: Manage SSO and SLO endpoints

  • Login URL. Enter the SSO endpoint obtained from your IdP. MindTouch sends authentication requests to this SSO endpoint.
  • Logout URL. Enter the SLO endpoint obtained from your IdP. MindTouch sends logout requests to this SLO endpoint.

Screenshot of configuration settings in control panel for endpoints

Step 7: Provide your IdP X.509 certificate

Identity Provider X.509 Signing Certificate. Enter the X.509 certificate obtained from your IdP. MindTouch uses this certificate to establish trust with your IdP and to validate incoming SAML assertions from the IdP.

Screenshot of configuration settings in control panel for IdP certificate

Step 8: Manage your SP X.509 certificate (recommended)

  • Service Provider Private Key. Used to sign requests to the IdP and decrypt responses from the IdP.
  • Service Provider X.509 Certificate. Used to sign requests to the IdP and decrypt responses from the IdP.

So that you control the strength of your encryption, you must generate your own private key and certificate. The key and certificate can be generated on any UNIX system.
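As an added example (not MindTouch's own tooling), the following script drives the openssl command-line tool to produce the private key and self-signed certificate for this step, and then checks that the certificate's public key really belongs to the private key before you paste either into the control panel. The common name, the 2048-bit default and the three-year validity are assumptions chosen for the example; raise the bit length if your policy demands it.

```python
"""Generate an SP private key and a self-signed X.509 certificate with the
openssl CLI, then confirm that the certificate matches the key.

Added example for the MindTouch SAML SP certificate step; it assumes the
openssl command-line tool is on PATH and that a self-signed certificate is
acceptable for the SP side (the certificate only has to pair with the key
that MindTouch uses for signing and decryption)."""
import os
import re
import shutil
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")  # None when the openssl CLI is not installed


def run(args):
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    if OPENSSL is None:
        raise RuntimeError("the openssl command-line tool is required")
    return subprocess.run([OPENSSL, *args], check=True, capture_output=True, text=True).stdout


def generate_sp_keypair(out_dir, common_name="mindtouch-sp.example.com", bits=2048, days=1095):
    """Write out_dir/sp.key (RSA private key, PEM) and out_dir/sp.crt
    (self-signed certificate, SHA-256) and return both paths.
    common_name, bits and days are example defaults, not MindTouch requirements."""
    key_path = os.path.join(out_dir, "sp.key")
    crt_path = os.path.join(out_dir, "sp.crt")
    run(["genpkey", "-algorithm", "RSA", "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", key_path])
    os.chmod(key_path, 0o600)  # the private key must stay readable by its owner only
    run(["req", "-new", "-x509", "-sha256", "-key", key_path, "-days", str(days),
         "-subj", f"/CN={common_name}", "-out", crt_path])
    return key_path, crt_path


def public_key_of_private(key_path):
    """SubjectPublicKeyInfo PEM derived from the private key."""
    return run(["pkey", "-in", key_path, "-pubout"])


def public_key_of_cert(crt_path):
    """SubjectPublicKeyInfo PEM embedded in the certificate."""
    return run(["x509", "-in", crt_path, "-noout", "-pubkey"])


def keypair_matches(key_path, crt_path):
    """True when the certificate was issued for exactly this private key."""
    return public_key_of_private(key_path) == public_key_of_cert(crt_path)


def key_bits(key_path):
    """Modulus length reported by openssl, e.g. 2048, or None if not parsable."""
    text = run(["pkey", "-in", key_path, "-noout", "-text"])
    match = re.search(r"\((\d+) bit", text)
    return int(match.group(1)) if match else None


def generate_and_check(bits=2048):
    """Generate a key pair in a temporary directory and report (bits, matches)."""
    with tempfile.TemporaryDirectory() as work_dir:
        key_path, crt_path = generate_sp_keypair(work_dir, bits=bits)
        return key_bits(key_path), keypair_matches(key_path, crt_path)


if __name__ == "__main__":
    # For real use, generate into a protected directory and keep sp.key off the wiki;
    # only the contents of the two files go into the control panel fields.
    print(generate_and_check())
```

Paste the contents of sp.key into the Service Provider Private Key field and sp.crt into the Service Provider X.509 Certificate field; keep sp.key out of source control and shared drives.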

Screenshot of configuration settings in control panel for SP X.509 certificate

Step 9: Manage unique user identification

Choose a NameID Format (optional):

  • The preferred format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, so that the identifier shared between MindTouch and the IdP never changes.

Screenshot of configuration settings in control panel for unique user identification

PingOne requires the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress to authenticate with a username/password combination.

Step 10: Configure display names and groups

Enter the following information to configure your SAML SSO users and groups:

  • Custom Display Name Pattern (optional). A find-and-replace pattern to build a display name from any attributes in the IdP.
  • Group List Attribute (optional). The name of the SAML assertion attribute to look up for a list of groups to synchronize with the user's current group membership list.
  • Group List Attribute Delimiter (optional). The delimiter used to split the attribute value into multiple values.
  • (ADFS) Group Name Component. The component of the Active Directory group object distinguished name that should be used as the MindTouch group name.
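The settings from Step 5, Step 9 and Step 10 all act on the incoming assertion. The following added example (not MindTouch code) shows that processing on a constructed assertion: it rejects an assertion whose Issuer is not the configured Identity Provider Entity ID, reads the NameID and checks whether its Format is the persistent one, builds a display name from attributes, splits the group-list attribute on the configured delimiter, and for ADFS distinguished names keeps only the chosen component (CN here). The `{attributeName}` placeholder syntax for the display-name pattern, the attribute names and all configuration values are assumptions for the example; the XML signature, which a real SP verifies against the Step 7 certificate before trusting any of this, is left out.

```python
"""Apply SP-side SAML settings to an assertion: issuer check, NameID handling,
display-name pattern, and group-list attribute mapping (with ADFS DN trimming).

Added example; the assertion, attribute names and settings are constructed."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (not captured from a real IdP). The Signature
# element is omitted; signature validation happens before any of this code.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=Docs Editors,OU=Groups,DC=example,DC=com;CN=Staff,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical control-panel values for Steps 5, 9 and 10.
CONFIG = {
    "idp_entity_id": "https://idp.example.com/metadata",
    "display_name_pattern": "{givenName} {sn}",   # assumed placeholder syntax
    "group_list_attribute": "memberOf",
    "group_list_delimiter": ";",
    "adfs_group_name_component": "CN",
}


def _q(tag):
    """Namespace-qualified tag name for ElementTree lookups."""
    return f"{{{SAML_NS}}}{tag}"


def parse_assertion(xml_text):
    """Extract issuer, NameID (value and Format) and all attribute values."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f"{_q('Subject')}/{_q('NameID')}")
    attrs = {}
    for attr in root.iter(_q("Attribute")):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall(_q("AttributeValue"))]
    return {
        "issuer": root.findtext(_q("Issuer")),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def dn_component(dn, component):
    """Value of the first RDN of the given type (e.g. CN) in an LDAP DN;
    a value that is not a DN of that shape is returned unchanged."""
    for rdn in re.split(r"(?<!\\),", dn):          # split on unescaped commas
        rdn_type, _, value = rdn.strip().partition("=")
        if rdn_type.strip().upper() == component.upper():
            return value.strip()
    return dn


def groups_from_attributes(attrs, attribute, delimiter=None, dn_component_name=None):
    """Group names from the group-list attribute: handles both several
    AttributeValue elements and one delimited value, then trims DNs for ADFS."""
    values = []
    for raw in attrs.get(attribute, []):
        values.extend(raw.split(delimiter) if delimiter else [raw])
    groups = [v.strip() for v in values if v.strip()]
    if dn_component_name:
        groups = [dn_component(g, dn_component_name) for g in groups]
    return groups


def render_display_name(pattern, attrs):
    """Replace {attributeName} with the attribute's first value (empty if absent)."""
    return re.sub(r"\{(\w+)\}", lambda m: (attrs.get(m.group(1)) or [""])[0], pattern).strip()


def process_assertion(xml_text, config):
    """Map one assertion to the user record MindTouch-style settings describe."""
    parsed = parse_assertion(xml_text)
    if parsed["issuer"] != config["idp_entity_id"]:
        raise ValueError(f"assertion from unexpected issuer {parsed['issuer']!r}")
    if not parsed["name_id"]:
        raise ValueError("assertion carries no NameID")
    return {
        "user_id": parsed["name_id"],
        # only the persistent format guarantees the identifier never changes
        "stable_id": parsed["name_id_format"] == NAMEID_PERSISTENT,
        "display_name": render_display_name(config["display_name_pattern"], parsed["attributes"]),
        "groups": groups_from_attributes(parsed["attributes"], config["group_list_attribute"],
                                         config["group_list_delimiter"],
                                         config.get("adfs_group_name_component")),
    }


if __name__ == "__main__":
    print(process_assertion(SAMPLE_ASSERTION, CONFIG))
```

With the sample above the result is user a1b2c3 with a stable identifier, display name "Ada Lovelace" and groups "Docs Editors" and "Staff"; change the Entity ID in CONFIG and the same assertion is refused, which is the behaviour Step 5 describes.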

Screenshot of configuration settings in control panel for display name and group attributes

Step 11: Save your changes

Need more help?


If you need any additional information about configuring SAML SSO, don't hesitate to reach out to our Support team.