MindTouch has worked directly with OneLogin to provide a very streamlined MindTouch SAML SSO setup experience, which requires only the most basic knowledge of SAML SSO scenarios. Regardless of the simplified configuration experience, it is required that SAML SSO integrators read our standard SAML SSO documentation to familiarize themselves with the features and limitations of MindTouch SAML SSO.
Supported SAML SSO Features
MindTouch integrates with OneLogin as a Service Provider (SP), trusting OneLogin as its Identity Provider (IdP). This section describes the standard SSO scenarios and endpoints expected in a SAML SSO SP. For information regarding MindTouch specific features such as MindTouch Security Group synchronization or handling of user display names and email addresses, see the standard SAML SSO documentation.
| SAML SSO feature | Supported |
|---|---|
| SP-Initiated SAML 2.0 Single Sign On (SSO) | Yes, SP redirect request, IdP POST response |
| IdP-Initiated SAML 2.0 Single Sign On (SSO) | Yes, IdP POST request |
| SP-Initiated SAML 2.0 Single Log Out (SLO) | Yes, SP redirect request, IdP redirect response |
| IdP-Broadcasted SAML 2.0 Single Log Out (SLO) | Yes, SP redirect request, IdP redirect response |
| SP Metadata Download | Yes, http://example.com/@app/saml/metadata |
| SP Public X.509 Certificate Download | Yes, if available, http://example.com/@app/saml/certificate |
| SP-IdP Public X.509 Certificate Synchronization | No, the IdP public X.509 certificate must be manually updated in the MindTouch SP (either by IdP metadata or certificate file) |
| SP-IdP Message Signing and Verification | No |
| IdP-SP Message & Assertion Signing and Verification | No |
| IdP-SP Assertion Encryption and Decryption | No |
Adding MindTouch SAML SSO as a Company App
MindTouch SAML SSO is already available in OneLogin's app catalog. To add it to your company's list of available sign-in apps, as your company's OneLogin administrator, navigate to Apps > Add Apps. Search for "MindTouch" and select the MindTouch SAML 2.0 app.
After confirming the addition of the app, you can now configure the connection.
Add your MindTouch hostname in the Configuration > Hostname input. It should be formatted as a hostname only, not a URL. Example: example.mindtouch.us.
Under the Parameters tab you can configure custom SAML assertion attributes. OneLogin can be configured to send dynamic values from Active Directory or other LDAP records, in addition to OneLogin group and role values.
- Email Address (required): The email address to be set for the authenticating user in MindTouch.
- Group (optional): The list of MindTouch groups to synchronize. The attribute name that should be provided to MindTouch is "group" (all lowercase). See this article for more details on Group Synchronization.
  - The default value of this parameter is MemberOf, which maps to Active Directory groups through OneLogin's Active Directory connector.
  - To provide a list of groups that are not located in Active Directory, OneLogin Custom User Fields can be leveraged. Once a custom user field is set up for all users, a comma-separated list of groups can be provided for each user through the edit user pages in OneLogin (see this OneLogin article regarding Custom User Field setup). The custom user field value can then be mapped to the MindTouch Group field.
- User Display Name (optional): The display name to be set for the authenticating user in MindTouch. See this article for more details on generating User Display Names from SAML assertions.
- Username: The persistent SAML assertion NameID used to link authenticating MindTouch users to a OneLogin user record.
You can download the OneLogin IdP metadata, which you need in order to add OneLogin as the trusted SAML SSO IdP, by clicking the More Actions > SAML Metadata button. The IdP metadata does not include OneLogin's Single Logout endpoint. The SLO endpoint must be manually copied from SSO > SLO Endpoint (HTTP) and provided to your MindTouch site along with the IdP metadata. See How Do I Configure SAML SSO? for further information.
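Before entering a downloaded IdP metadata file into the SP, it is worth checking what it actually contains. The following added example (not MindTouch or OneLogin code) parses a constructed sample modelled on the OneLogin metadata layout, extracts the entityID, the SSO and SLO endpoints per binding and the signing-certificate fingerprint, and warns when the SLO endpoint is absent, as described above; the entityID, URLs and certificate bytes are placeholders.

```python
"""Sanity-check a SAML 2.0 IdP metadata file before entering it in an SP.
Reports entityID, SSO/SLO endpoints per binding and signing-cert fingerprints,
and warns when SingleLogoutService is absent (OneLogin's download omits it).
Added example; sample metadata is constructed and the cert is placeholder bytes.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE-APP-ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.onelogin.com/trust/saml2/http-post/sso/EXAMPLE-APP-ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def inspect_idp_metadata(xml_text):
    """Return the settings an SP administrator needs, plus warnings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    def endpoints(tag):  # short binding name (HTTP-POST, ...) -> Location URL
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall(tag, NS)}
    certs = []  # SHA-256 fingerprints of DER-encoded signing certificates
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys play no part in verifying responses
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append(hashlib.sha256(der).hexdigest())
    info = {"entity_id": root.get("entityID"), "sso": endpoints("md:SingleSignOnService"),
            "slo": endpoints("md:SingleLogoutService"), "signing_cert_sha256": certs,
            "warnings": []}
    if not info["slo"]:
        info["warnings"].append("no SingleLogoutService: copy the SLO URL from OneLogin manually")
    if not certs:
        info["warnings"].append("no signing certificate: IdP responses cannot be verified")
    return info
```

This only inspects the file; it does not validate the certificate chain or any signature on the metadata itself.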
Allowing Access to MindTouch SAML SSO
Add the MindTouch SAML SSO app to a new or existing role by adding the role to the app under Users > Roles > Application. Click the MindTouch application to add it to the role.
After the role is associated with the app, the role can be added to a user or group, allowing a user or group of users to access MindTouch SAML SSO.
If you are interested in setting up SSO with OneLogin, fill out our contact form and an account representative will reach out to you.