What you need to know
Before enabling SAML SSO, read through the sections below to understand how enabling SAML SSO authentication in MindTouch may affect your implementation or workflows.
► SAML SSO requires HTTPS authentication when using a custom MindTouch domain.
If you are not currently using a secure socket layer (SSL) protocol for your MindTouch site domain, please contact the MindTouch Support team for further details.
If you would like to implement an SSL protocol for your custom domain after your SAML SSO integration has been configured, please plan for 4–6 hours to coordinate an update to your MindTouch SAML SSO integration.
► SAML SSO sessions can occur behind existing VPN or IP restrictions if these are enabled for your MindTouch site.
► Once SAML is enabled, groups can no longer be managed locally in MindTouch.
For security purposes, group profiles have to be managed in your SAML identity provider (IdP). If users are added to a group in MindTouch but are not added to the same group in the SAML IdP, the IdP will remove those users from the group in MindTouch.
► Once SAML is enabled, users can no longer be renamed locally in MindTouch.
If a username is changed locally in MindTouch, the SAML IdP will create a new user with the old name the next time that user logs in. Note that while the username cannot be changed locally in MindTouch, the display name can.
► If non-human-readable usernames are ported over, accessing user contribution or user history data in MindTouch is nearly impossible.
If you previously authenticated MindTouch users locally and now decide to enable SAML SSO, carefully choose your SAML IdP usernames. SAML 2.0 typically uses a persistent username format. If the persistent username is ported over as a non-human-readable string, we recommend replacing it with a human-readable username or the user’s email address in your IdP.
When configuring your SAML IdP, talk with your IT team to align the username format with your existing MindTouch usernames to avoid user duplication.
Display name customization
► You can design your own MindTouch display name from your SAML IdP values.
Your SAML IdP stores a lot of information about your users (company name, first name, last name, phone number, etc.). MindTouch only uses three user values: a username, an email address and a display name. While the username and email address are pulled into MindTouch as is, you can choose to populate the display name from a combination of IdP values defined by you.
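The following added example (not MindTouch code) parses a constructed SAML 2.0 assertion, takes the username and email as is, composes the display name from IdP attributes of your choosing, and flags a persistent NameID that would land in MindTouch as a non-human-readable username. The attribute names (mail, givenName, sn, company) and the readability heuristic are assumptions; your IdP's attribute names may differ.

```python
# Added example, not MindTouch's own code: map a SAML assertion to the three
# values MindTouch consumes and warn when the NameID is not human-readable.
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (signature and conditions omitted for brevity);
# the attribute names below are assumptions, not a MindTouch requirement.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_7a1f3c9e2b4d8f6e0c5a9b3d7e1f2a4c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="company"><saml:AttributeValue>Example Corp</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attributes(root):
    """Return {Name: [values]} from the assertion's AttributeStatement."""
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out

def looks_opaque(username):
    """Heuristic (assumption): readable usernames are an email address or a short dotted name."""
    return not re.fullmatch(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+|[a-z][a-z0-9._-]{1,30}", username)

def map_user(assertion_xml, display_name_fields=("givenName", "sn")):
    """Map an assertion to username (NameID, as is), email (as is) and a
    display name composed from the chosen IdP attributes, in order."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = attributes(root)
    username = (name_id.text or "").strip()
    email = attrs.get("mail", [""])[0]
    display = " ".join(attrs[f][0] for f in display_name_fields if attrs.get(f))
    user = {"username": username, "email": email, "display_name": display}
    if name_id.get("Format") == PERSISTENT and looks_opaque(username):
        # Such a value makes contribution and history views hard to read; the
        # fix is to map a readable username or the email address in the IdP.
        user["warning"] = "persistent NameID is not human-readable; consider " + email
    return user

if __name__ == "__main__":
    print(map_user(ASSERTION))
```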