
Set up SAML SSO with Salesforce (TCS)

This page applies to: MindTouch 4 and MindTouch TCS

This article reviews how MindTouch supports SAML SSO with, the platform, and Salesforce Service Cloud. Salesforce Communities is not supported at this time. The following information is based on 14 and is intended to supplement a Administrator's expertise. It is assumed that future updates may change the accuracy of this documentation.


SAML SSO between MindTouch and requires and MindTouch site administrators with working knowledge of SAML SSO scenarios. These roles will act as system integrators, with the assistance of MindTouch Support if necessary, to set up MindTouch as a SAML SSO Service Provider and as a SAML SSO Identity Provider. SAML SSO integrators must read our standard SAML SSO documentation to familiarize themselves with the features and limitations of MindTouch SAML SSO.

NOTE: To ensure you are meeting Salesforce requirements, contact Salesforce to confirm your domain setup.

Supported SAML SSO Features

MindTouch integrates with as a Service Provider (SP), trusting as its Identity Provider (IdP). This section describes the standard SSO scenarios and endpoints expected in a SAML SSO SP. For information regarding MindTouch specific features such as MindTouch Security Group synchronization or handling of user display names and email addresses, see the standard SAML SSO documentation.



| Feature | Support |
|---|---|
| SP-Initiated SAML 2.0 Single Sign On (SSO) | Yes, SP redirect request, IdP POST response |
| IdP-Initiated SAML 2.0 Single Sign On (SSO) | Yes, IdP POST request |
| SP-Initiated SAML 2.0 Single Log Out (SLO) | No |
| IdP-Broadcasted SAML 2.0 Single Log Out (SLO) | No |
| SP Metadata Download | Yes |
| SP Public X.509 Certificate Download | Yes, if available |
| SP-IdP Public X.509 Certificate Synchronization | No, the IdP public X.509 certificate must be manually updated in the MindTouch SP (either by IdP metadata or certificate file) |
| SP-IdP Message Signing and Verification | Yes, MindTouch signs outgoing messages with SHA1 |
| IdP-SP Message & Assertion Signing and Verification | Yes, SHA1 and SHA256 signatures are allowed |
| IdP-SP Assertion Encryption and Decryption | Yes, AES-128, AES-256, and Triple DES encryption algorithms are allowed |
| IdP-SP Group Syncing | No, Salesforce does not send public group membership information over SAML |
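The signing and encryption rows above define what the MindTouch SP will accept from the IdP. As an added example (not code from MindTouch or Salesforce), the Python below audits a SAML Response for the SignatureMethod and EncryptionMethod algorithms it carries, reports anything outside that accepted set, and separately flags the accepted-but-weak choices (SHA1 signatures, Triple DES). The response is a constructed sample with placeholder signature and cipher values; the algorithm URIs are the standard XML Signature / XML Encryption identifiers, and the "allowed" sets are my reading of the table, not a MindTouch API.

```python
import xml.etree.ElementTree as ET

# Namespaces found in a SAML 2.0 Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Algorithm URIs matching the support table: SHA1/SHA256 signatures,
# AES-128/AES-256/Triple DES assertion encryption (my mapping of the table rows).
ALLOWED_SIGNATURE = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}
ALLOWED_ENCRYPTION = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}
# Accepted by the SP, but worth flagging in a configuration review.
WEAK = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
}

# Constructed sample response: signed with RSA-SHA1, assertion encrypted with AES-256-CBC.
# Digest, signature and cipher values are placeholders, not real cryptographic material.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_resp1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"
    Destination="https://help.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def audit_response(response_xml: str) -> dict:
    """List the algorithms a SAML Response uses and compare them to the support table.

    Only what is visible without decrypting is inspected: the response-level
    signature and the data-encryption algorithm of the EncryptedAssertion.
    (Responses from a third party should go through a hardened XML parser such
    as defusedxml in production; stdlib ElementTree is used here for brevity.)
    """
    root = ET.fromstring(response_xml)

    # Every SignatureMethod anywhere in the document (response and any plaintext assertion).
    sig_algs = [e.get("Algorithm") for e in root.iter(f"{{{NS['ds']}}}SignatureMethod")]

    # Only the EncryptedData's own EncryptionMethod, not the key-transport one inside EncryptedKey.
    enc_algs = [
        e.get("Algorithm")
        for e in root.findall("saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)
    ]

    return {
        "signature_algorithms": sig_algs,
        "encryption_algorithms": enc_algs,
        "unsupported": [a for a in sig_algs if a not in ALLOWED_SIGNATURE]
        + [a for a in enc_algs if a not in ALLOWED_ENCRYPTION],
        "weak": [a for a in sig_algs + enc_algs if a in WEAK],
    }


if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run it against a response captured from your own IdP test login (for instance from the browser's network tools) to confirm the IdP is sending SHA256 signatures and AES encryption before you rely on the integration.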



At this time, Salesforce does not send Public Group membership information over SAML. Since Salesforce does not send this data, there is no way to perform syncing from Salesforce Public Groups into MindTouch Groups.


While Salesforce can act as an Identity Provider (IdP), it sees Salesforce Sales Cloud / Service Cloud as a separate entity from Salesforce Communities. When configuring SAML for both Sales Cloud / Service Cloud and Communities, two SAML endpoints are created. IdPs traditionally provide only a single endpoint for Service Providers (SP) to connect to.

If you utilize Salesforce Communities, keep in mind that MindTouch acts as an SP and can only configure a single SAML connection. Until a time when Salesforce can support a single endpoint for both Sales Cloud / Service Cloud and Communities, we recommend configuring SAML in MindTouch with Salesforce Communities, and logging Sales Cloud / Service Cloud users into MindTouch locally. 

Configuring as a SAML SSO IdP

You can find the Identity Provider configuration page by going to setup mode and navigating to Administration Setup > Security Controls > Identity Provider.



From here, you can configure your domain as a SAML SSO Identity Provider and create a new public X.509 certificate for establishing trust with the MindTouch SAML SSO SP. At this point, download the IdP metadata file, as you will need it later to integrate with MindTouch. now requires all Service Providers to be created as Connected Apps, so click the link labeled "Service Providers are now created via Connected Apps. Click here."


Configuring as a MindTouch SAML SSO Identity Provider

Provide the IdP metadata file to your MindTouch site (see How Do I Configure SAML SSO?). After your MindTouch site is SAML SSO enabled, you can find the information (SP metadata) required to add MindTouch as a Connected App at: (replace with the hostname of your MindTouch site).


Provide a public certificate and signing private key pair in order for the IdP to verify requests from the MindTouch SP, and for the MindTouch SP to decrypt responses from the IdP. You can generate your own with a UNIX-like system and OpenSSL.

Adding MindTouch SAML SSO as a Connected App


  • Start URL: The homepage of your MindTouch site.
  • Entity Id: The unique identifier for your MindTouch SAML SSO SP. It is located in the SP metadata in the EntityDescriptor/@entityID attribute value.
  • ACS URL: The endpoint that SAML assertions are sent to as HTTP POST. It is located in the SP metadata in the EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location attribute value.
  • Subject Type: Set this value to Persistent ID. This creates an ID that is unique to the user and identifies them on both the IdP and the SP.
  • Name ID Format: Set this value to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
  • Issuer: should already have this value set. If it is not, it must be equal to the Entity ID value in the IdP metadata (the EntityDescriptor/@entityID attribute value).
  • Verify Request Signatures: Check this box and upload your SP X.509 public certificate (the same one you provided to MindTouch; see How Do I Configure SAML SSO?).
  • Encrypt SAML Response: Check this box and upload your SP X.509 public certificate (the same one you provided to MindTouch; see How Do I Configure SAML SSO?).
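The Entity ID, ACS URL and Issuer values above are all read out of the two metadata files, and the Subject Type / Name ID Format choice only works if the SP actually advertises the persistent format. The following added Python example (not MindTouch's or Salesforce's code) extracts those values from constructed SP and IdP metadata and refuses metadata that cannot support the HTTP-POST, persistent Name ID configuration described in this list. The hostnames, paths and certificate body in the samples are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample SP metadata (placeholder hostname and paths, not MindTouch's real endpoints).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://help.example.com/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://help.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample IdP metadata; the certificate body is a placeholder, not a real key.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def connected_app_settings(sp_xml: str, idp_xml: str) -> dict:
    """Return the values the Connected App form asks for, taken from the two metadata files.

    Raises ValueError when the metadata cannot support the persistent Name ID,
    HTTP-POST configuration. Metadata fetched from a third party should be parsed
    with a hardened parser (e.g. defusedxml) in production; stdlib ET is used here.
    """
    sp = ET.fromstring(sp_xml)
    idp = ET.fromstring(idp_xml)

    entity_id = sp.get("entityID")  # EntityDescriptor/@entityID -> "Entity Id"
    sso = sp.find("md:SPSSODescriptor", NS)
    if entity_id is None or sso is None:
        raise ValueError("not SP metadata: missing entityID or SPSSODescriptor")

    # "ACS URL": the AssertionConsumerService that accepts HTTP-POST responses.
    acs = sso.find(f"md:AssertionConsumerService[@Binding='{HTTP_POST}']", NS)
    if acs is None:
        raise ValueError("SP metadata advertises no HTTP-POST AssertionConsumerService")

    # The SP must accept the persistent Name ID format selected in the Connected App.
    formats = [f.text.strip() for f in sso.findall("md:NameIDFormat", NS) if f.text]
    if formats and PERSISTENT not in formats:
        raise ValueError(f"SP metadata does not list {PERSISTENT}")

    # "Issuer" must equal the IdP's own entityID, and the IdP must publish a signing certificate.
    issuer = idp.get("entityID")
    cert = idp.find(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        NS,
    )
    if issuer is None or cert is None or not cert.text:
        raise ValueError("IdP metadata lacks entityID or a signing certificate")

    return {
        "entity_id": entity_id,
        "acs_url": acs.get("Location"),
        "name_id_format": PERSISTENT,
        "issuer": issuer,
        "idp_signing_cert": "".join(cert.text.split()),  # base64 body, whitespace removed
    }


if __name__ == "__main__":
    for key, value in connected_app_settings(SP_METADATA, IDP_METADATA).items():
        print(f"{key}: {value}")
```

Feed it the real SP metadata downloaded from your MindTouch site and the IdP metadata exported from Salesforce; the returned dictionary is exactly the set of values to paste into the Connected App form, and a ValueError points at the metadata side that needs fixing first.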


After saving your changes, the last step is to grant the users who should access MindTouch through SAML SSO permission to sign into MindTouch. This is best handled through permission set administration: Administration Setup > Manage Users > Permission Sets.




Detailed articles describing how to assign user permissions to connected apps can be found by searching for " documents" in their help center.

Managing the MindTouch SAML SSO Connected App

In order to make changes such as certificate updates, or to copy endpoint URLs, you can manage the connected app by navigating to's Connected Apps administration view: Administration > Manage Apps > Connected Apps.



After selecting and confirming which connected app you wish to manage, you will be presented with an overview of the connected app's configured settings:



Some particularly useful actions you can take or information you can copy from this screen are:

  1. Download Metadata: This is the IdP metadata that MindTouch requires to configure as a trusted IdP. If your IdP changes (endpoint URLs, public X.509 certificate, etc.) you will need to export this metadata and provide it to your MindTouch site.
  2. Verify Request Signatures: This is the SP's public X.509 signing certificate, the same one you provided to MindTouch (see How Do I Configure SAML SSO?).
  3. IdP-Initiated Login URL: This is the URL that users can visit to initiate an IdP-Initiated SAML SSO scenario, as described in this article.
  4. Permission Sets: Update which users can access this connected app via SAML SSO.
  5. Custom Attributes: Describe and assign the attributes that will be sent with assertions to MindTouch's SP. More information about custom attributes can be found in this article.

Configuring Custom Attributes

If you would like to utilize the custom Display Name Pattern within MindTouch's SAML configuration, you'll need to configure custom attributes within Salesforce. To do so, follow the steps below:

  1. Navigate to Setup > Administration Setup > Managed Apps > Connected Apps.
  2. Click on the Custom Attributes > New button.
  3. Configure attributes that you would like to map over to MindTouch:
    1. Name the Attribute; this is the attribute name you'll add into MindTouch's SAML configuration.
    2. Click Insert Field to choose the Salesforce field you'd like to map to this attribute; in this case, I chose $User.LastName:

    3. Click Save.
  4. Repeat this process for as many attributes as you'd like to pass over to MindTouch.

  5. To configure these attributes as a Display Name Pattern in your MindTouch SAML configuration, you could use the value [CompanyName] - [FirstName] [LastName]:

As an example, if I have a user with a FirstName value of James, a LastName value of Valent, and a CompanyName value of MindTouch, my user's Display Name in MindTouch will now be MindTouch - James Valent.
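To make the attribute flow concrete, here is an added Python example (my own illustration, not MindTouch's display-name implementation) that reads the custom attributes out of an assertion's AttributeStatement and renders the [CompanyName] - [FirstName] [LastName] pattern from the steps above. The assertion is a constructed sample with a placeholder NameID; the rule that a pattern referencing a missing or empty attribute falls back to the NameID is my choice for the example, not documented MindTouch behaviour.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion carrying the three custom attributes configured in the Connected App.
# The NameID is a placeholder persistent identifier, not a real Salesforce user id.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-12345</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>James</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Valent</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="CompanyName"><saml:AttributeValue>MindTouch</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# A pattern token is an attribute name in square brackets, e.g. [LastName].
TOKEN = re.compile(r"\[([^\[\]]+)\]")


def assertion_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def assertion_name_id(assertion_xml: str) -> str:
    """Return the Subject NameID text (empty string if absent)."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    return (node.text or "").strip() if node is not None else ""


def render_display_name(pattern: str, attrs: dict, fallback: str) -> str:
    """Substitute [AttributeName] tokens with the first value of that attribute.

    If any referenced attribute is missing or empty, the whole pattern is abandoned
    and `fallback` is returned, so a user never ends up with a name like " -  Valent".
    """
    missing = []

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        values = attrs.get(name, [])
        if not values or not values[0]:
            missing.append(name)
            return ""
        return values[0]

    rendered = TOKEN.sub(substitute, pattern)
    if missing:
        return fallback
    return " ".join(rendered.split())  # collapse any doubled spaces


if __name__ == "__main__":
    attrs = assertion_attributes(ASSERTION)
    print(render_display_name("[CompanyName] - [FirstName] [LastName]", attrs, assertion_name_id(ASSERTION)))
```

The attribute names in the pattern must match the Name you gave each custom attribute in Salesforce exactly; a mismatch shows up here as a fallback to the NameID, which is also a quick way to spot a mistyped attribute during testing.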

Additional Information

If you are interested in setting up SAML SSO with, fill out our contact form and an account representative will reach out to you.
