This article contains a running list of frequently asked questions regarding SAML SSO implementation. Please make sure to read our technical notes on implementing SAML SSO in addition to this list before submitting a request to Support or your Customer Success Manager.
Frequently asked questions
Below are answers to our most frequently asked questions about SAML SSO implementation:
- ► Can MindTouch help me set up my custom IdP?
- No. MindTouch will only support IdPs that we have certified to work with MindTouch.
- ► Where can I access a MindTouch site's SP metadata?
- MindTouch sites that are SAML SSO enabled publish their metadata at https://example.com/@app/saml/metadata. Depending on your IdP configuration needs, you can either download it as an XML document or poll this endpoint regularly to ensure your IdP has the latest information about the MindTouch SP.
- ► My IdP complains that the MindTouch SP metadata is invalid. How can I fix this?
- Many IdPs require that SPs sign outgoing authentication requests, and MindTouch highly recommends this practice as well. By default, MindTouch SP metadata does not include a public X.509 certificate. See our documentation on how to generate a signing public X.509 certificate.
- ► Where can I access a MindTouch site's SP X.509 public certificate?
- MindTouch sites that are SAML SSO enabled with a configured public X.509 certificate provide the certificate for download at https://example.com/@app/saml/certificate.
- ► Can I use SAML SSO with MindTouch custom SSO APIs?
- No. SAML SSO is the only supported method for single sign-on between MindTouch and your authentication provider. Legacy MindTouch custom SSO APIs are not guaranteed or designed to work alongside SAML SSO scenarios.
- ► Can I use SAML with local accounts?
- Yes. Enabling SAML SSO still allows local accounts to sign in by visiting the local sign-in page directly (https://example.com/Special:UserLogin). This allows accounts that should be local-only to access the site. The Sign in button on the MindTouch site will always initiate a SAML SSO session; therefore users requiring a local sign-in should bookmark a direct link to the sign-in page. Administrative users can always sign in and access the control panel by visiting https://example.com/deki/cp.
- ► Can I automatically create groups from a SAML assertion?
- No. SAML SSO can sync existing groups but does not create new local groups. Read more about this topic in our article on group synchronization.
- ► Can I automatically seat users as pro members?
- Users cannot be seated by a SAML assertion. A user must be explicitly seated by an administrator using the control panel. If automatic seating is required, this can be accomplished via our API.
- ► My IdP's public X.509 certificate is going to expire one day. How can I prepare for that?
- If your IdP's public X.509 certificate is nearing expiration (within 30 days), your MindTouch site administrators are notified by a large banner at the top of the MindTouch site (viewable only by site administrators). In addition, expect MindTouch Support to contact you before the certificate expires to assist.
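Several of the answers above concern the same two artifacts: the SP metadata published at https://example.com/@app/saml/metadata, which an IdP may reject when it carries no signing certificate, and X.509 certificates that expire and need watching before the 30-day banner appears. The following Python script is an added example (it is not MindTouch code and not part of this article) that pulls those checks into one metadata inspection: it parses an SP metadata document, lists the entityID and AssertionConsumerService locations, extracts every signing certificate from the `KeyDescriptor` elements, reads the `notAfter` date directly from the certificate's DER structure, and reports whether a certificate is missing or is within 30 days of expiry. The metadata sample, the ACS path `/@app/saml/assert`, and the certificate skeleton are all constructed here for the example; only the metadata URL and the 30-day threshold come from the FAQ.

```python
"""Inspect SAML SP metadata for a missing signing certificate and for
certificates close to expiry. Example code; the XML sample and the
certificate skeleton below are constructed, not MindTouch artifacts."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXPIRY_WARNING_DAYS = 30  # threshold at which the FAQ says the admin banner appears


def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, cert, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)          # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                 # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)    # Validity SEQUENCE { notBefore, notAfter }
    _, _, p = _tlv(validity, 0)
    tag, value, _ = _tlv(validity, p)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def inspect_sp_metadata(xml_text, now=None):
    """Return entityID, ACS locations, signing-cert expiry data and findings."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    report = {
        "entity_id": root.get("entityID"),
        "acs": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)],
        "signing_certs": [],
        "findings": [],
    }
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            not_after = cert_not_after(base64.b64decode("".join(c.text.split())))
            days = (not_after - now).days
            report["signing_certs"].append({"not_after": not_after, "days_left": days})
            if days <= EXPIRY_WARNING_DAYS:
                report["findings"].append(f"signing certificate expires in {days} days")
    if not report["signing_certs"]:
        report["findings"].append(
            "no signing certificate: IdPs that require signed AuthnRequests will reject this metadata")
    return report


# ---- constructed sample data (not real MindTouch output) -------------------
def _der(tag, payload):
    """Minimal DER encoder used only to build the sample certificate."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def make_sample_cert(not_before, not_after):
    """Structurally valid but unsigned X.509 skeleton with the given validity."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"")          # signature alg, issuer (empty)
               + _der(0x30, utc(not_before) + utc(not_after))
               + _der(0x30, b"") + _der(0x30, b""))         # subject, SPKI (empty)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def make_sample_metadata(cert_der=None):
    """SP metadata in the shape served at /@app/saml/metadata (ACS path assumed)."""
    key_desc = ""
    if cert_der is not None:
        key_desc = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                    + base64.b64encode(cert_der).decode()
                    + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com">'
            f'<md:SPSSODescriptor AuthnRequestsSigned="{"true" if cert_der else "false"}" '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">' + key_desc +
            '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            'Location="https://example.com/@app/saml/assert" index="0"/>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')


if __name__ == "__main__":
    today = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
    cert = make_sample_cert(dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc),
                            dt.datetime(2024, 6, 20, tzinfo=dt.timezone.utc))
    print(inspect_sp_metadata(make_sample_metadata(cert), now=today))
    print(inspect_sp_metadata(make_sample_metadata(None), now=today))
```

To run it against a live site, replace the constructed sample with the body fetched from the metadata URL; the same walk over `KeyDescriptor` elements applies to IdP metadata, so the expiry check can be pointed at the IdP's certificate as well. The DER walker deliberately reads only the validity fields and performs no signature verification; it is a monitoring aid, not a trust decision.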