This article reviews how MindTouch supports SSO with Active Directory Federation Services (ADFS) version 2.0+.
The following information is based on Microsoft Azure and is intended to supplement an ADFS administrator's own expertise. Future Microsoft Azure and Windows Server updates may change the accuracy of this documentation.
- Admin access to MindTouch
- Admin access to ADFS
- Understand how enabling SAML SSO may affect your implementation or workflows
- Working knowledge of SAML SSO and SLO scenarios
- Understand SAML SSO features supported for ADFS
How to set up MindTouch SAML SSO with ADFS
Follow the steps below to configure MindTouch to be accessed via SAML SSO:
Step 1: Add MindTouch as an ADFS directory application
- Open the setup page for new applications to connect to ADFS. In Microsoft Azure, this is handled through the Active Directory panel.
- Click Add.
- Regardless of your version of Windows server, you will need to provide the following information to add MindTouch as a SAML SSO service provider (SP):
- App ID URI. The unique entity ID for your MindTouch SP. It is your site's domain prefixed with http:// and followed by a trailing forward slash /. The value is compared literally, so both the scheme and the trailing slash must match exactly:
- Correct: http://example.com/
- Incorrect: http://example.com (missing trailing slash)
- Incorrect: https://example.com/ (wrong scheme)
- Reply URL. The URL of your MindTouch SP assertion consumer service (ACS). It is your site's hostname with the path /@app/saml/acs appended, prefixed with the scheme your site is served over (http:// or https://), for example https://example.com/@app/saml/acs.
- Federation Metadata URL. Required to allow SAML single logout (SLO). It is your site's hostname with the path /@app/saml/metadata appended, prefixed with the scheme your site is served over (http:// or https://), for example https://example.com/@app/saml/metadata.
- Save the configuration.
- (Optional) For SP-initiated login, where users start at MindTouch and are redirected to your ADFS implementation to authenticate, give your users the following URL: http(s)://<example.your.site.com>/@app/saml/login
Step 2: Configure ADFS as an IdP
- Click View Endpoints to open the list of SSO endpoints.
- Download the document served at the Federation Metadata Document endpoint.
- Provide the IdP SAML metadata to MindTouch to configure your SP.
- Check that the following values in the SP metadata, served at https://example.com/@app/saml/metadata, match your ADFS configuration:
- The SP metadata EntityDescriptor/@entityID attribute value should match the App ID URI in ADFS.
- The SP metadata EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location attribute value should match the Reply URL in ADFS.
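The two checks above, plus the App ID URI format rule from Step 1, can be automated. The following Python script is an added example and is not MindTouch's or Microsoft's code. It parses an SP metadata document and compares the entityID and AssertionConsumerService Location literally against the values you entered in ADFS, so a missing trailing slash or an http/https mismatch is reported rather than silently accepted. The embedded metadata document is a constructed sample shaped like the SP metadata endpoint's output; for a real check, download https://example.com/@app/saml/metadata and pass its bytes to check_sp_metadata().

```python
"""Verify that MindTouch SP metadata agrees with the App ID URI and Reply URL
configured in ADFS.  Added example; the sample metadata below is constructed
and only contains the elements this check needs."""
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace used by EntityDescriptor and its children.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: what /@app/saml/metadata returns for the site example.com
# (assumption: minimal shape; a real document carries more elements).
SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://example.com/">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/@app/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def app_id_uri_for(domain: str) -> str:
    """Build the App ID URI in the form the article requires: http:// + domain + '/'."""
    return f"http://{domain}/"


def validate_app_id_uri(uri: str) -> list:
    """Return the list of format problems with an App ID URI (empty means it is well formed)."""
    problems = []
    if not uri.startswith("http://"):
        problems.append("scheme must be http://")
    if not uri.endswith("/"):
        problems.append("must end with a trailing slash")
    return problems


def check_sp_metadata(xml_bytes: bytes, app_id_uri: str, reply_url: str) -> dict:
    """Compare EntityDescriptor/@entityID and every AssertionConsumerService/@Location
    in the SP metadata with the ADFS-side values.  Comparison is an exact string match,
    matching the article's correct/incorrect examples (no scheme or slash normalisation)."""
    root = ET.fromstring(xml_bytes)
    entity_id = root.get("entityID")
    acs_locations = [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": entity_id,
        "acs_locations": acs_locations,
        "entity_id_matches": entity_id == app_id_uri,
        "reply_url_matches": reply_url in acs_locations,
    }


def report(xml_bytes: bytes, app_id_uri: str, reply_url: str) -> list:
    """Human-readable findings; an empty list means ADFS and the SP metadata agree."""
    findings = list(validate_app_id_uri(app_id_uri))
    result = check_sp_metadata(xml_bytes, app_id_uri, reply_url)
    if not result["entity_id_matches"]:
        findings.append(
            f"entityID {result['entity_id']!r} does not match App ID URI {app_id_uri!r}"
        )
    if not result["reply_url_matches"]:
        findings.append(
            f"Reply URL {reply_url!r} not among ACS locations {result['acs_locations']!r}"
        )
    return findings


if __name__ == "__main__":
    # Well-formed configuration: no findings.
    print(report(SAMPLE_SP_METADATA, app_id_uri_for("example.com"),
                 "https://example.com/@app/saml/acs"))
    # Typical mistake: App ID URI entered without the trailing slash.
    print(report(SAMPLE_SP_METADATA, "http://example.com",
                 "https://example.com/@app/saml/acs"))
```

Run it against the downloaded metadata before enabling SSO for all users: a non-empty findings list means the relying party trust in ADFS and the MindTouch SP disagree, which surfaces later as a rejected assertion rather than a useful error.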
Need more help?
If you are interested in setting up SAML SSO with ADFS and have further questions, don't hesitate to reach out to our Support team.
For information on signing SP to IdP requests refer to our technical notes on SAML SSO.