Frequently Asked SAML SSO Questions
- Applies to: All MindTouch Versions
- Role required: N/A
Read the documentation on how to set up SAML SSO in addition to this list before submitting a request to Support or your Customer Success Manager.
Where can I access a MindTouch site's SP metadata?
MindTouch sites that are SAML SSO enabled publish their metadata at https://example.com/@app/auth/{id}/metadata. The {id} parameter can be located on the MindTouch site Single Sign-On Configuration dashboard. Depending on your IdP configuration needs, you can either download it as an XML document or poll this endpoint regularly to ensure your IdP has the latest information about the MindTouch SP.
My IdP complains that the MindTouch SP metadata is invalid. How can I fix this?
Many IdPs require that SPs sign outgoing authentication requests, and MindTouch highly recommends this practice as well. By default, MindTouch SP metadata does not include a public x.509 certificate. See our documentation on how to generate a public x.509 signing certificate.
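As an added example (not MindTouch's own code), a pre-flight check you can run on downloaded SP metadata before handing it to your IdP: it parses the EntityDescriptor and reports the missing signing certificate described above, along with the AssertionConsumerService endpoints the IdP will need. The metadata sample is constructed; element names and namespaces are those of the SAML 2.0 metadata specification, and the ACS path is an assumption, not a documented MindTouch URL.

```python
import xml.etree.ElementTree as ET

# Namespace URIs fixed by the SAML 2.0 metadata and XML Signature specs
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_sp_metadata(xml_text: str) -> dict:
    """Summarise the parts of an SP EntityDescriptor an IdP admin reviews."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element")
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
             for kd in sp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "has_signing_cert": any(certs),
        "acs_endpoints": [(a.get("Binding"), a.get("Location"))
                          for a in sp.findall("md:AssertionConsumerService", NS)],
    }

def metadata_problems(info: dict) -> list:
    """Findings that commonly make an IdP reject SP metadata."""
    problems = []
    if not info["has_signing_cert"]:
        problems.append("no signing X509Certificate published; generate one and "
                        "download the metadata again")
    if not info["acs_endpoints"]:
        problems.append("no AssertionConsumerService endpoint")
    elif not all(loc and loc.startswith("https://") for _, loc in info["acs_endpoints"]):
        problems.append("AssertionConsumerService Location is not https")
    return problems

# Constructed sample: the default state this FAQ describes (no certificate yet).
# entityID follows the metadata URL pattern above; the ACS path is made up.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.com/@app/auth/1/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/@app/auth/1/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
```

Run `metadata_problems(inspect_sp_metadata(open("metadata.xml").read()))` against the file downloaded from the metadata endpoint; an empty list means the IdP-facing essentials are present.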
Where can I access a MindTouch site's SP x.509 public certificate?
MindTouch sites that are SAML SSO enabled with a configured public x.509 certificate provide the certificate for download at https://example.com/@app/auth/{id}/x509.crt. The {id} parameter can be located on the MindTouch site Single Sign-On Configuration dashboard.
Can I use SAML SSO with MindTouch custom SSO APIs?
No. SAML SSO is the only supported method for single sign-on between MindTouch and your identity provider. Legacy MindTouch custom SSO APIs are not guaranteed or designed to work alongside SAML SSO scenarios.
Can I use SAML with local accounts?
Yes. Enabling SAML SSO still allows local accounts (those not associated with the SAML SSO identity provider) to sign in by visiting the local sign-in page directly (https://example.com/Special:UserLogin). This allows accounts that should be local-only to access the site.
Can I automatically create groups from a SAML assertion?
No. SAML SSO can sync existing groups but does not create new local groups.
Can I automatically seat users as pro members?
Users cannot be seated by a SAML assertion. A user must be explicitly seated by an administrator using the control panel. If automatic seating is required, this can be accomplished via our API.
My IdP's public x.509 certificate will expire one day. How can I prepare for that?
If your IdP's public x.509 certificate is nearing expiration (within 30 days), expect MindTouch Support to contact you before the certificate expires.