
MindTouch Success Center

Supported SAML SSO and SLO scenarios

This article describes the SAML single sign-on (SSO) and single logout (SLO) scenarios supported by MindTouch.

 

SAML 2.0 single sign-on (SSO) scenarios


MindTouch supports SAML 2.0 SSO with the HTTP-Redirect / HTTP-POST binding pair:

  • Authentication requests (AuthnRequest) from the service provider (SP) to the identity provider (IdP) are sent with the HTTP-Redirect binding: the request is deflated, base64-encoded and passed in the SAMLRequest query parameter of a redirect to the IdP.
  • Responses from the IdP to the SP are expected to arrive with the HTTP-POST binding: the response is base64-encoded in the SAMLResponse form field and posted by the browser to the SP's assertion consumer service URL.

SP-initiated SSO

SP-initiated SSO is the scenario in which the sign-on starts at the application (here, MindTouch), either actively (the user clicks Sign In) or passively (the user requests a resource that requires authentication). MindTouch redirects the user to the IdP, which authenticates them and posts a SAML response back to MindTouch.


Active SSO

The user signs into MindTouch by clicking the Sign In link:

Active SSO login diagram
 

Passive SSO

The user visits a private page or file attachment they cannot access without authentication:

Passive SSO login diagram
 

IdP authentication

Both active and passive SSO send users to the IdP for authentication:

SSO login IdP authentication diagram

IdP-initiated SSO

IdP-initiated SSO is the scenario in which the user has already authenticated with the IdP, typically from another application in the same federation such as Salesforce, and clicks a link to the MindTouch site from there. The IdP posts an unsolicited SAML response to MindTouch to begin the SSO session. If needed, a new user is created in MindTouch (otherwise the existing user is found), and the user is signed in:

IdP-initiated SSO diagram
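The three flows above, SP-initiated (active and passive) and IdP-initiated, differ on the SP side mainly in how the response is tied back to a request. The following is an added example written for this article, not MindTouch's own code: it builds the outbound AuthnRequest for the HTTP-Redirect binding and then validates an inbound HTTP-POST response the way a service provider should. All URLs and entity IDs are invented placeholders, and the sample IdP response is constructed and unsigned. The code assumes the XML signature on the Response or Assertion has already been verified by a proper SAML library before these checks run; it deliberately shows only the checks that a valid signature does not give you (Destination, Issuer, InResponseTo, audience, validity window, subject confirmation). The XML is assembled with f-strings from trusted constants for brevity.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Hypothetical endpoints and entity IDs: the article names none of MindTouch's real ones.
SP_ENTITY_ID = "https://example.mindtouch.us/@app/saml/metadata"
SP_ACS_URL = "https://example.mindtouch.us/@app/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso/redirect"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for SP/IdP clock drift
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time for the demo

def ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request_redirect(request_id: str, now: datetime, relay_state: str) -> str:
    """SP -> IdP leg (HTTP-Redirect binding): the AuthnRequest is raw-DEFLATEd, base64-encoded
    and URL-encoded into the SAMLRequest query parameter. RelayState carries the page the user
    was trying to reach, so passive SSO can send them back there afterwards."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    encoded = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": encoded, "RelayState": relay_state})

def validate_post_response(saml_response_b64: str, pending_ids: set, now: datetime,
                           allow_idp_initiated: bool = True) -> str:
    """IdP -> SP leg (HTTP-POST binding): decode the SAMLResponse form field and apply the checks
    an XML signature does not give you. Assumes the caller has ALREADY verified the signature on
    the Response/Assertion; never run this on an unverified message. Returns the NameID."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    # SP-initiated (active or passive): InResponseTo must name an AuthnRequest this SP issued
    # and has not consumed yet. IdP-initiated responses carry no InResponseTo at all.
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:
        if in_response_to not in pending_ids:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        pending_ids.discard(in_response_to)  # one-shot: a replayed Response fails right here
    elif not allow_idp_initiated:
        raise ValueError("unsolicited Response but IdP-initiated SSO is disabled")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if noa is None or now - CLOCK_SKEW >= parse_ts(noa) or (nb and now + CLOCK_SKEW < parse_ts(nb)):
        raise ValueError("Assertion is outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion is not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise ValueError("SubjectConfirmationData Recipient/InResponseTo mismatch")
    scd_exp = scd.get("NotOnOrAfter")
    if scd_exp is None or now - CLOCK_SKEW >= parse_ts(scd_exp):
        raise ValueError("SubjectConfirmationData has expired")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sample_response(now: datetime, in_response_to=None, audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned IdP Response used only to exercise the checks above."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    exp = ts(now + timedelta(minutes=5))
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{ts(now)}" Destination="{SP_ACS_URL}"{irt}>'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status>'
        f'<samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>"
        "<saml:NameID>alice@example.com</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="{exp}"{irt}/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{exp}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()
```

The pending-ID set is the piece that separates the two SSO styles: for active and passive SP-initiated sign-on the SP records the AuthnRequest ID when it redirects and accepts only a response that names it, consuming the ID so the same response cannot be posted twice; for IdP-initiated sign-on there is no request ID, so the only replay defence left is the short NotOnOrAfter window, which is why a site that does not need IdP-initiated SSO should turn it off.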

 

SAML 2.0 single logout (SLO) scenarios


In addition to SSO, MindTouch supports SAML 2.0 single logout (SLO) with the HTTP-Redirect binding in both directions: logout requests and logout responses between MindTouch and the IdP are both sent as HTTP redirects. SLO allows a MindTouch user to click the Sign Out button on a MindTouch site and be signed out of both MindTouch and the IdP.

While SLO is optional, it is highly recommended for private MindTouch sites. Without SLO, signing out of a MindTouch site ends only the MindTouch session: the sign-out redirects the user back to the IdP, whose own session is still active, so the user is immediately signed in to MindTouch again. In effect, the user cannot sign out of MindTouch without first signing out of the IdP, which is a confusing experience and leaves a private site open on a shared browser until the IdP session itself expires.

User-initiated logout (MindTouch)

The user clicks the sign-out link in MindTouch. MindTouch ends its own session and sends a logout request to the IdP, which ends the IdP session, so the user is signed out of both:

SSO sign out diagram
 

User-initiated logout (other application)

If the IdP and all SPs in the federated SSO session are configured correctly and the user signs out of any other application in that session, the IdP sends MindTouch an unsolicited logout request and MindTouch signs the user out:

SSO unsolicited sign out request diagram
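Both SLO scenarios above, MindTouch-initiated and IdP-initiated, travel over the HTTP-Redirect binding, so one encoder and one decoder serve both directions. The following is an added example written for this article, not MindTouch's own code: an SP-side session store, the LogoutRequest MindTouch would send when the user clicks Sign Out, and the handler for an unsolicited LogoutRequest arriving from the IdP, which ends only the sessions the request names and answers with a LogoutResponse. URLs, entity IDs, cookies and SessionIndex values are invented; the inbound request is constructed and unsigned. As in the SSO example, the code assumes the signature on the inbound redirect (the Signature query parameter of the HTTP-Redirect binding) was verified by a SAML library before the handler runs.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and entity IDs: the article names none of MindTouch's real ones.
SP_ENTITY_ID = "https://example.mindtouch.us/@app/saml/metadata"
SP_SLO_URL = "https://example.mindtouch.us/@app/saml/slo"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SLO_URL = "https://idp.example.com/slo/redirect"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time for the demo

# Constructed local session store: session cookie -> (NameID, SessionIndex) copied from the
# assertion that established the SSO session. A LogoutRequest needs both values.
SESSIONS = {
    "cookie-42": ("alice@example.com", "idx-7"),
    "cookie-43": ("alice@example.com", "idx-9"),  # same user, a second IdP session
    "cookie-44": ("bob@example.com", "idx-8"),
}

def ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def redirect_encode(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64; urlencode() does the URL-encoding."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def redirect_decode(url: str, param: str) -> ET.Element:
    """Pull SAMLRequest or SAMLResponse out of a redirect URL and reverse the encoding."""
    value = parse_qs(urlparse(url).query)[param][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(value), -15))

def build_logout_request_redirect(session_cookie: str, now: datetime) -> str:
    """User clicks Sign Out in MindTouch: drop the local session FIRST, then send the IdP a
    LogoutRequest naming that session's NameID and SessionIndex. Without this request the
    IdP session survives and the next private page silently signs the user back in."""
    name_id, session_index = SESSIONS.pop(session_cookie)
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_lr1" Version="2.0" '
        f'IssueInstant="{ts(now)}" Destination="{IDP_SLO_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>"
        f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>"
    )
    return IDP_SLO_URL + "?" + urlencode({"SAMLRequest": redirect_encode(xml)})

def handle_idp_logout_request(url: str, now: datetime):
    """Unsolicited LogoutRequest from the IdP (the user signed out of another SP): check that it
    is addressed to this SP and issued by the expected IdP, end only the sessions it names, then
    answer with a LogoutResponse over the same binding. Assumes the request's signature was
    verified before this runs. Returns (ended session cookies, LogoutResponse redirect URL)."""
    req = redirect_decode(url, "SAMLRequest")
    if req.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    if req.get("Destination") != SP_SLO_URL:
        raise ValueError("Destination is not this SP's SLO URL")
    if req.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    name_id = req.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in req.findall("samlp:SessionIndex", NS)}
    # No SessionIndex means the IdP wants every session of this principal ended.
    ended = [c for c, (n, i) in SESSIONS.items() if n == name_id and (not indexes or i in indexes)]
    for cookie in ended:
        del SESSIONS[cookie]
    req_id = req.get("ID")
    xml = (
        f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_lo1" Version="2.0" '
        f'IssueInstant="{ts(now)}" Destination="{IDP_SLO_URL}" InResponseTo="{req_id}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status></samlp:LogoutResponse>'
    )
    return ended, IDP_SLO_URL + "?" + urlencode({"SAMLResponse": redirect_encode(xml)})

def sample_idp_logout_request(name_id: str, session_index, now: datetime,
                              destination: str = SP_SLO_URL) -> str:
    """Constructed, unsigned LogoutRequest as the IdP would send it over the redirect binding."""
    idx = f"<samlp:SessionIndex>{session_index}</samlp:SessionIndex>" if session_index else ""
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_idp1" Version="2.0" '
        f'IssueInstant="{ts(now)}" Destination="{destination}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>{idx}"
        "</samlp:LogoutRequest>"
    )
    return SP_SLO_URL + "?" + urlencode({"SAMLRequest": redirect_encode(xml)})
```

Two design points matter here. The local session is destroyed before the redirect to the IdP is issued, so MindTouch is signed out even if the IdP never completes SLO; the LogoutRequest is what stops the IdP from silently re-establishing the session on the next private page. And the inbound handler ends sessions by NameID and SessionIndex rather than by whatever browser cookie happens to accompany the request, because the IdP-initiated request may arrive in a browser that holds a different MindTouch session, or none at all.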
