
Set up SAML SSO with Active Directory Federation Services (ADFS) (SAP KC)

This article reviews how MindTouch supports SSO with Active Directory Federation Services (ADFS) version 2.0+. The following information is based on Microsoft Azure and is intended to supplement an ADFS administrator's expertise. Future Microsoft Azure and Windows Server updates may affect the accuracy of this documentation.


SAML SSO between MindTouch and ADFS requires MindTouch site and ADFS administrators with working knowledge of SAML SSO scenarios. These roles will act as system integrators, with the assistance of MindTouch Support if necessary, to set up MindTouch as a SAML SSO Service Provider and ADFS as a SAML SSO Identity Provider. SAML SSO integrators must read our SAML SSO integration documentation to familiarize themselves with the features and limitations of MindTouch SAML SSO.

Supported SAML SSO Features

MindTouch integrates with ADFS as a Service Provider (SP), trusting ADFS as its Identity Provider (IdP). This section describes the standard SSO scenarios and endpoints expected in a SAML SSO SP. For information regarding MindTouch specific features such as MindTouch Security Group synchronization or handling of user display names and email addresses, see the SAML SSO integration documentation.

Feature: Support
SP-Initiated SAML 2.0 Single Sign On (SSO): Yes, SP redirect request, IdP POST response
IdP-Initiated SAML 2.0 Single Sign On (SSO): Yes, IdP POST request
SP-Initiated SAML 2.0 Single Log Out (SLO): Yes, SP redirect request, IdP redirect response
IdP-Broadcasted SAML 2.0 Single Log Out (SLO): Yes, SP redirect request, IdP redirect response
SP Metadata Download: Yes
SP Public X.509 Certificate Download: Yes, if available
SP-IdP Public X.509 Certificate Synchronization: No, the IdP public X.509 certificate must be manually updated in the MindTouch SP (either by IdP metadata or certificate file)
SP-IdP Message Signing and Verification: Yes, MindTouch signs outgoing messages with SHA1
IdP-SP Message & Assertion Signing and Verification: Yes, SHA1 and SHA256 signatures are allowed
IdP-SP Assertion Encryption and Decryption: Yes, AES-128, AES-256, and Triple DES encryption algorithms are allowed

Adding MindTouch as an ADFS Directory Application (Service Provider)

Open the set up page for new Applications to connect to ADFS. In Microsoft Azure, this is handled through the Active Directory panel.




Regardless of your version of Windows Server, you will need to provide the following information to add MindTouch as a SAML SSO SP.



  1. App ID URI: This is the unique entity id for your MindTouch SP. It is your site's domain appended with the / character and prefixed with the HTTP protocol (not HTTPS!).
    • Example:
    • Incorrect Example:
    • Incorrect Example:
  2. Reply URL: This is the URL to your MindTouch SP's Assertion Consumer Service. It is your hostname appended with the path /@app/saml/acs and prefixed with the HTTPS protocol (not HTTP!).
  3. Federation Metadata URL: This is required in order to allow SAML Single Logout. It is your hostname appended with the path /@app/saml/metadata and prefixed with the HTTPS protocol (not HTTP!).
  4. Save the configuration and MindTouch will be added as a SP.


Optionally, you can provide users with the following URL, which directs them to MindTouch and then redirects them to your ADFS implementation to log in. This method is known as an SP-initiated request.

http(s)://<your MindTouch domain>/@app/saml/login

Configuring ADFS as a MindTouch SAML SSO Identity Provider

You must provide your MindTouch site (see How Do I Configure SAML SSO?) with the IdP metadata document (referred to as a Federation Metadata Document by Microsoft). In Windows Azure, click the View Endpoints button to open a list of SSO endpoints.


The endpoint we are interested in is the Federation Metadata Document.


Download the file and provide it to your MindTouch site (see How Do I Configure SAML SSO?) to configure your SP. After your SP is configured, check the SP metadata endpoint (the /@app/saml/metadata URL described above) to determine that the following match:

  1. The SP metadata EntityDescriptor/@entityID attribute value should match ADFS's App ID URI.
  2. The SP metadata EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location attribute value should match ADFS's Reply URL.
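As an added example (not MindTouch's or Microsoft's own code), the following Python check performs the two comparisons above against a downloaded SP metadata document and also enforces the scheme and path rules given earlier for the App ID URI and Reply URL. The hostname kb.example.com and the metadata snippet are constructed placeholders.

```python
"""Compare a MindTouch SP metadata document with the values entered in ADFS."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (placeholder hostname, not a real site).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://kb.example.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://kb.example.com/@app/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(metadata_xml, app_id_uri, reply_url):
    """Return a list of problems; an empty list means the ADFS values match.

    Checks: EntityDescriptor/@entityID == App ID URI,
            SPSSODescriptor/AssertionConsumerService/@Location == Reply URL,
            plus the format rules from the article (http:// + trailing '/'
            for the App ID URI, https:// + /@app/saml/acs for the Reply URL).
    """
    root = ET.fromstring(metadata_xml)
    problems = []
    entity_id = root.get("entityID")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    acs_location = acs.get("Location") if acs is not None else None

    if entity_id != app_id_uri:
        problems.append(f"entityID {entity_id!r} != App ID URI {app_id_uri!r}")
    if acs_location != reply_url:
        problems.append(f"ACS Location {acs_location!r} != Reply URL {reply_url!r}")
    if not (app_id_uri.startswith("http://") and app_id_uri.endswith("/")):
        problems.append("App ID URI must use http:// and end with '/'")
    if not (reply_url.startswith("https://") and reply_url.endswith("/@app/saml/acs")):
        problems.append("Reply URL must use https:// and end with /@app/saml/acs")
    return problems


if __name__ == "__main__":
    for p in check_sp_metadata(SP_METADATA, "https://kb.example.com/",
                               "https://kb.example.com/@app/saml/acs"):
        print("MISMATCH:", p)
```

Run it against the metadata fetched from your own site with the exact strings you typed into ADFS; any line printed is a value that will cause the trust to fail.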


This document does not include the recommended practice of signing SP to IdP requests. For more information regarding the configuration of this security measure, please read the SAML SSO documentation.

Additional Information

If you are interested in setting up SSO with ADFS, fill out our contact form and an account representative will reach out to you.