SAML SSO between MindTouch and ADFS requires MindTouch site and ADFS administrators with working knowledge of SAML SSO scenarios. These roles will act as system integrators, with the assistance of MindTouch Support if necessary, to set up MindTouch as a SAML SSO Service Provider and ADFS as a SAML SSO Identity Provider. SAML SSO integrators must read our SAML SSO integration documentation to familiarize themselves with the features and limitations of MindTouch SAML SSO.
Supported SAML SSO Features
MindTouch integrates with ADFS as a Service Provider (SP), trusting ADFS as its Identity Provider (IdP). This section describes the standard SSO scenarios and endpoints expected of a SAML SSO SP. For information regarding MindTouch-specific features such as MindTouch Security Group synchronization or handling of user display names and email addresses, see the SAML SSO integration documentation.
| Feature | Supported |
|---|---|
| SP-Initiated SAML 2.0 Single Sign On (SSO) | Yes, SP redirect request, IdP POST response |
| IdP-Initiated SAML 2.0 Single Sign On (SSO) | Yes, IdP POST request |
| SP-Initiated SAML 2.0 Single Log Out (SLO) | Yes, SP redirect request, IdP redirect response |
| IdP-Broadcasted SAML 2.0 Single Log Out (SLO) | Yes, SP redirect request, IdP redirect response |
| SP Metadata Download | Yes, http://example.com/@app/saml/metadata |
| SP Public X.509 Certificate Download | Yes, if available, http://example.com/@app/saml/certificate |
| SP-IdP Public X.509 Certificate Synchronization | No, the IdP public X.509 certificate must be manually updated in the MindTouch SP (either by IdP metadata or certificate file) |
| SP-IdP Message Signing and Verification | Yes, MindTouch signs outgoing messages with SHA1 |
| IdP-SP Message & Assertion Signing and Verification | Yes, SHA1 and SHA256 signatures are allowed |
| IdP-SP Assertion Encryption and Decryption | Yes, AES-128, AES-256, and Triple DES encryption algorithms are allowed |
Adding MindTouch as an ADFS Directory Application (Service Provider)
Open the setup page for new Applications to connect to ADFS. In Microsoft Azure, this is handled through the Active Directory panel.
Regardless of your version of Windows Server, you will need to provide the following information to add MindTouch as a SAML SSO SP.
- App ID URI: This is the unique entity ID for your MindTouch SP. It is your site's domain appended with the / character and prefixed with the HTTP protocol (not HTTPS!).
  - Example: http://example.com/
  - Incorrect Example: http://example.com
  - Incorrect Example: https://example.com/
- Reply URL: This is the URL of your MindTouch SP's Assertion Consumer Service. It is your hostname appended with the path /@app/saml/acs and prefixed with the HTTPS protocol (not HTTP!).
- Federation Metadata URL: This is required in order to allow SAML Single Logout. It is your hostname appended with the path /@app/saml/metadata and prefixed with the HTTPS protocol (not HTTP!).
- Save the configuration and MindTouch will be added as an SP.
Optionally, you can provide the following URL to users, which will direct them to MindTouch and then redirect them to your ADFS implementation to log in. This method is known as an SP-initiated request:
http(s)://<your MindTouch domain>/@app/saml/login
Configuring ADFS as a MindTouch SAML SSO Identity Provider
You must provide your MindTouch site (see How Do I Configure SAML SSO?) with the IdP metadata document (referred to as a Federation Metadata Document by Microsoft). In Windows Azure, click the View Endpoints button to open a list of SSO endpoints.
The endpoint we are interested in is the Federation Metadata Document.
Download the file and provide it to your MindTouch site (see How Do I Configure SAML SSO?) to configure your SP. After your SP is configured, open the SP metadata endpoint (https://example.com/@app/saml/metadata) and confirm that the following values match:
- The SP metadata EntityDescriptor/@entityID attribute value should match ADFS's App ID URI.
- The SP metadata EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location attribute value should match ADFS's Reply URL.
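The two checks above can be scripted. The following is an added example, not MindTouch or Microsoft code: it parses an SP metadata document (a constructed sample shaped like the one served at the metadata endpoint), derives the App ID URI and Reply URL this page says to enter into ADFS for a given hostname, and reports any mismatch, including the HTTP-with-trailing-slash rule for the App ID URI.

```python
# Added example (not MindTouch or Microsoft code): verify that a MindTouch SP
# metadata document agrees with the values entered into ADFS.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata, trimmed to the elements this page compares.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://example.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/@app/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def expected_adfs_values(hostname):
    """Return the App ID URI and Reply URL this page says to enter for a host."""
    return {
        "app_id_uri": f"http://{hostname}/",               # HTTP, trailing slash
        "reply_url": f"https://{hostname}/@app/saml/acs",  # HTTPS, ACS path
    }

def check_app_id_uri(uri):
    """Apply the page's format rules: http scheme, a host, path exactly '/'."""
    p = urlparse(uri)
    return p.scheme == "http" and bool(p.netloc) and p.path == "/" and not p.query

def check_sp_metadata(metadata_xml, app_id_uri, reply_url):
    """Compare SP metadata against the ADFS values.
    Returns a list of problem descriptions; an empty list means all checks passed."""
    root = ET.fromstring(metadata_xml)
    problems = []
    entity_id = root.get("entityID")
    if entity_id != app_id_uri:
        problems.append(f"entityID {entity_id!r} != App ID URI {app_id_uri!r}")
    if not check_app_id_uri(app_id_uri):
        problems.append(f"App ID URI {app_id_uri!r} is not of the form http://<host>/")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    location = acs.get("Location") if acs is not None else None
    if location != reply_url:
        problems.append(f"ACS Location {location!r} != Reply URL {reply_url!r}")
    if not reply_url.startswith("https://"):
        problems.append("Reply URL must use HTTPS")
    return problems

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_METADATA, **expected_adfs_values("example.com")))
```

Replace SAMPLE_SP_METADATA with the document fetched from your own site's /@app/saml/metadata endpoint and pass your hostname to expected_adfs_values.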
This document does not include the recommended practice of signing SP to IdP requests. For more information regarding the configuration of this security measure, please read the SAML SSO documentation.
If you are interested in setting up SSO with ADFS, fill out our contact form and an account representative will reach out to you.