Skip to main content
MindTouch Success Center

Set up SAML SSO with PingOne (MT4)

This page applies to:MindTouch 4 and MindTouch TCS

Set up SAML SSO with PingOne (MT4)
This article reviews how MindTouch supports SAML SSO with Ping Identity's PingOne SSO service. PingIdentity's PingFederate is not supported at this time. The following information  is intended to supplement a PingOne Administrator's expertise. It is assumed that future PingOne updates may change the accuracy of this documentation.


SAML SSO between MindTouch and PingOne requires PingOne and MindTouch site administrators with working knowledge of SAML SSO scenarios. These roles will act as system integrators, with the assistance of MindTouch Support if necessary, to setup MindTouch as a SAML SSO Service Provider and PingOne as a SAML SSO Identity Provider. SAML SSO integrators must read our standard SAML SSO documentation to familiarize themselves with the features and limitations of MindTouch SAML SSO.

Supported SAML SSO Features

MindTouch integrates with PingOne as a Service Provider (SP), trusting PingOne as its Identity Provider (IdP). This section describes the standard SSO scenarios and endpoints expected in a SAML SSO SP. For information regarding MindTouch specific features such as MindTouch Security Group synchronization or handling of user display names and email addresses, see the standard SAML SSO documentation.

Feature Support
SP-Initiated SAML 2.0 Single Sign On (SSO) Yes, SP redirect request, IdP POST response
IdP-Initiated SAML 2.0 Single Sign On (SSO) Yes, IdP POST request
SP-Initiated SAML 2.0 Single Log Out (SLO) Yes, SP redirect request, IdP redirect response
IdP-Broadcasted SAML 2.0 Single Log Out (SLO) Yes, SP redirect request, IdP redirect response
SP Metadata Download Yes,
SP Public X.509 Certificate Download Yes, if available,
SP-IdP Public X.509 Certificate Synchronization No, IdP public X.509 certificate must be manually updated in the MindTouch SP (either by IdP metadata or certificate file)
SP-IdP Message Signing and Verification

Yes (Required), MindTouch signs outgoing messages with SHA1

IdP-SP Message & Assertion Signing and Verification Yes (Required), SHA1 and SHA256 signatures are allowed
IdP-SP Assertion Encryption and Decryption No

Adding MindTouch SAML SSO as an Application in PingOne

MindTouch SAML SSO is already availble in PingOne's application catalog. To add it to your  application dock, after logging into PingOne, navigate to Applications > My Applications > Search Application Catalog. Search for mindtouch and add the MindTouch application. If two applications are shown (Basic SSO, SAML), be sure to choose the SAML application.


After adding the application, you will be presented with the Application Configuration page.  There are two approaches you may take to configure the application, mostly automated by uploading the MindTouch Federation Metadata Document or manually.


For both approaches, the PingOne IdP Metadata XML Document (SAML Metadata Download link) needs to be downloaded and provided to the MindTouch site.

Configure PingOne With MindTouch Federation Metadata XML Document

  1. After enabling SAML SSO on your MindTouch site, uploading the PingOne IdP Metadata XML Document, the Service Provider Private Key and Certificate need to configured (See SAML SSO Service Provider Configuration). In addition, PingOne requires that the MindTouch site's Service Provider NameID format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  2. If your MindTouch site is not behind a VPN or IP-Restriction rules, you can provide PingOne with a URL to your MindTouch site's Federation Metadata XML Document: Otherwise, you may navigate to this URL yourself, download the content and upload it to PingOne.



Now, review the auto-configured settings in the Configure PingOne Manually section below.

Configure PingOne Manually

  1. After enabling SAML SSO on your MindTouch site, uploading the PingOne IdP Metadata XML Document, the Service Provider Private Key and Certificate need to configured (See SAML SSO Service Provider Configuration). In addition, PingOne requires that the MindTouch site's Service Provider NameID format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  2. Fill out the PingOne application configuration as described below:


  • Replace ${hostname} and with the hostname of your MindTouch site.
  • Upload your Service Provider Certificate as Verification Certificate.
  • Continue to the next step of configuration: Mapping Attributes

Mapping Attributes


These attributes allow you to map your PingOne Identity Bridge records to SAML SSO Assertion Attributes. For more information about how MindTouch uses these attributes, see the User Information and Groups sections of our SAML SSO implementation documentation. Note that the name of the Group Synchronization attribute is always Group, if using this PingOne MindTouch SAML SSO application.

Additional information

If you are interested in setting up SSO with PingOne, fill out our contact form and an account representative will reach out to you.

  • Was this article helpful?