This article provides instructions for synchronizing SAML SSO groups between MindTouch and the identity provider (IdP).
Before you begin, you need:
- Admin access to your IdP
- Admin access to MindTouch
Why should I synchronize groups?
With group synchronization enabled, MindTouch determines at each login which MindTouch groups the authenticated user should be added to or removed from, based on the list of groups the IdP sends in the SAML assertion. To get this behavior you need to set up SAML SSO group synchronization in MindTouch. The feature is optional, but it gives IdP administrators and MindTouch site administrators tight control over what content can be viewed on the MindTouch site, because group membership is then driven from a single place: the IdP.
Group synchronization does not create groups in MindTouch and does not set up permissions: the groups must already exist, under the same names, in both your IdP and MindTouch before synchronization can place users in them. Synchronization runs every time the user is authenticated (logged in), and the IdP's group list is authoritative: a user who is no longer part of a group in your IdP is removed from that group in MindTouch at the next login. This also applies to groups created inside MindTouch that are not associated with your IdP, so a membership granted by hand in MindTouch is stripped at the user's next login unless the IdP asserts that group as well.
How to set up SAML SSO group synchronization
To set up group synchronization in MindTouch, perform the following steps:
Step 1: Access the SAML configuration
- Log in to your MindTouch site as admin.
- Navigate to Site tools > Control panel > Authentication > Single Sign-On > SAML.
Step 2: Configure the group list attributes
Configure the following fields in the SAML configuration section:
- Group List Attribute. The custom attribute configured in the identity provider (we recommend "group") that contains the list of MindTouch group memberships to synchronize for the authenticating user (e.g. http://schemas.xmlsoap.org/claims/group).
- Group List Attribute Value Delimiters. The character that separates group names in an incoming group list. For example, if the attribute value is group1,group2,group3, the delimiter should be , (the comma), which splits that text into three parts, each part being a group membership to synchronize.
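The following Python model illustrates what the two settings above do at login and the removal behavior described under "Why should I synchronize groups?". It is an added example, not MindTouch code: it parses a constructed SAML assertion, pulls the group list out of the attribute named in Group List Attribute, splits it on the configured delimiter, and computes the add/remove changes against a user's current MindTouch memberships. The attribute name and comma delimiter are the article's example values; the group names, the sample user and the assumption that group names are matched exactly are constructed for the example.

```python
"""Model of MindTouch SAML group synchronization (added illustration, not
MindTouch's own code). Extracts the group list attribute from a constructed
SAML assertion, splits it on the configured delimiter, and computes which
MindTouch group memberships would be added or removed at login."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values as configured in Site tools > Control panel > Authentication >
# Single Sign-On > SAML (Step 2). Attribute name is the article's example.
GROUP_LIST_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/group"
GROUP_LIST_DELIMITER = ","

# Constructed sample assertion: only the AttributeStatement matters here.
# A real assertion is signed and also carries Subject, Conditions, etc.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_LIST_ATTRIBUTE}">
      <saml:AttributeValue>engineering,support,Contractors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_idp_groups(assertion_xml, attribute_name, delimiter):
    """Return the set of group names the IdP asserted, or an empty set if the
    configured attribute is absent. Whitespace around each name is stripped
    and empty parts (e.g. from a trailing delimiter) are dropped."""
    root = ET.fromstring(assertion_xml)
    groups = set()
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            for part in (value.text or "").split(delimiter):
                name = part.strip()
                if name:
                    groups.add(name)
    return groups


def plan_sync(idp_groups, existing_mindtouch_groups, current_memberships):
    """Compute the membership changes applied at login.

    - Asserted groups that do not exist in MindTouch are ignored:
      synchronization never creates groups.
    - Every group the user is currently in but the IdP did not assert is
      removed, including groups managed only inside MindTouch.
    Group names are compared exactly (an assumption of this model).
    """
    target = idp_groups & existing_mindtouch_groups
    return {
        "add": sorted(target - current_memberships),
        "remove": sorted(current_memberships - target),
        "ignored": sorted(idp_groups - existing_mindtouch_groups),
    }


def sync_example():
    """Run the model on the constructed assertion and sample site state."""
    idp_groups = extract_idp_groups(
        SAMPLE_ASSERTION, GROUP_LIST_ATTRIBUTE, GROUP_LIST_DELIMITER)
    existing = {"engineering", "support", "editors"}   # groups on the site
    current = {"support", "editors"}   # 'editors' was granted by hand in MindTouch
    return plan_sync(idp_groups, existing, current)


if __name__ == "__main__":
    print(sync_example())
```

Running it shows the user being added to "engineering", removed from "editors" (a MindTouch-only group the IdP never asserts), and "Contractors" being ignored because no such group exists on the site. Setting the delimiter to ";" instead of "," makes the whole value a single, non-matching group name, which is the usual symptom of a delimiter mismatch between the IdP and MindTouch.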