How Using SAML SSO Impacts Your MindTouch Site
- Applies to: All MindTouch Versions
- Role required: N/A
TLS/SSL requirement
SAML SSO requires HTTPS
If you are currently not using the transport layer security (TLS) protocol for your MindTouch site domain, please contact the MindTouch Support team for further details.
If you would like to implement TLS for your MindTouch site domain after your SAML SSO integration has been configured, please plan for 4–6 hours to coordinate an update to your MindTouch SAML SSO integration.
VPN/IP restrictions
SAML SSO sessions can take place behind existing VPN or IP restrictions if those are enabled for your MindTouch site.
Group Management
Once SAML is enabled, group membership for SAML users can no longer be managed locally in MindTouch.
For security reasons, group membership has to be managed in your SAML identity provider (IdP). If users are added to a group in MindTouch but are not added to that group in the SAML IdP, the IdP will strip those users from the group in MindTouch.
Username Management
Once SAML is enabled, users can no longer be renamed locally in MindTouch.
If a username is changed locally in MindTouch, the SAML IdP will create a new user with the old name the next time the user tries to log in. Note that while the username cannot be changed locally in MindTouch, the display name can.
If machine-generated usernames are synchronized, accessing user contribution or user history data is challenging if user display names are not synchronized.
If you previously authenticated MindTouch users locally and now decide to enable SAML SSO, carefully choose your SAML IdP usernames. SAML 2.0 typically uses a persistent username format. If the persistent username is ported over as a non-human-readable string, we recommend synchronizing a user display name or the user’s email address.
When configuring your SAML IdP, speak with your IT team to align the username format with your existing MindTouch usernames to avoid user duplication.
Display Name Customization
You can design your own MindTouch display name from your SAML IdP values.
Your SAML IdP stores a lot of information about your users (company name, first name, last name, phone number, etc.). MindTouch only uses three user values: a username, an email address, and a display name. While the username and email address are pulled into MindTouch as is, you can choose to populate the display name from a combination of IdP values defined by you.
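As an added example (not MindTouch's own code or configuration), the following Python maps a SAML assertion onto the three values MindTouch uses: the username and email are taken as is, the display name is composed from IdP attributes, and an opaque persistent username is flagged so you know a display name or email must be synchronized. The attribute names (mail, givenName, sn), the display-name template syntax and the sample assertion are assumptions.

```python
"""Map SAML assertion values onto the three MindTouch user fields."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not captured from a real IdP. The NameID is an
# opaque persistent identifier, the kind of machine-generated username to watch for.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_a3f9c1e07b2d4e5f</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: first_value}) from an assertion.
    Only reads the XML; the assertion's signature must be verified before
    any of these values are trusted (use a hardened XML parser in production)."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    return name_id, attrs


def is_human_readable(username):
    """Heuristic (assumption): a username made only of hex digits is machine-generated."""
    stripped = username.lstrip("_")
    return not (stripped and all(c in "0123456789abcdef" for c in stripped.lower()))


def build_mindtouch_user(xml_text, display_template="{givenName} {sn}"):
    """Username and email are passed through as is; the display name is composed
    from IdP attributes named in the template, falling back to the email address
    when those attributes are missing so the user stays identifiable in history."""
    name_id, attrs = parse_assertion(xml_text)
    try:
        display_name = display_template.format(**attrs).strip()
    except KeyError:  # template references an attribute the IdP did not send
        display_name = ""
    if not display_name:
        display_name = attrs.get("mail", "") or name_id
    return {"username": name_id, "email": attrs.get("mail", ""),
            "display_name": display_name, "opaque_username": not is_human_readable(name_id)}
```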