Expert Success Center

How Using SAML SSO Impacts Your MindTouch Site

Applies to: All MindTouch Versions
Role required: N/A
Before enabling SAML SSO, understand how SAML SSO authentication in MindTouch may affect your implementation or workflows.

TLS/SSL requirement

SAML SSO requires HTTPS
If you are currently not using the transport layer security (TLS) protocol for your MindTouch site domain, please contact the MindTouch Support team for further details.

If you would like to implement TLS for your MindTouch site domain after your SAML SSO integration has been configured, please plan for 4–6 hours to coordinate an update to your MindTouch SAML SSO integration.

VPN/IP restrictions

SAML SSO sessions can occur behind existing VPN or IP-restrictions if enabled for your MindTouch site.

Group Management

Once SAML is enabled, group membership for SAML users can no longer be managed locally in MindTouch.
For security reasons, group membership has to be managed in your SAML identity provider (IdP). If users are added to a group in MindTouch but are not added to that group in the SAML IdP, the IdP will strip the users from the group in MindTouch.

Username Management

Once SAML is enabled, users can no longer be renamed locally in MindTouch.
If a username is changed locally in MindTouch, the SAML IdP will create a new user with the old name the next time the user tries to log in. Note that while the username cannot be changed locally in MindTouch, the display name can.

If machine-generated usernames are synchronized, accessing user contribution or user history data is challenging unless user display names are also synchronized.
If you previously authenticated MindTouch users locally and now decide to enable SAML SSO, carefully choose your SAML IdP usernames. SAML 2.0 typically uses a persistent username format. If the persistent username is ported over as a non-human-readable string, we recommend synchronizing a user display name or the user's email address.

When configuring your SAML IdP, speak with your IT team to align the username format with your existing MindTouch usernames to avoid user duplication.

Display Name Customization

You can design your own MindTouch display name from your SAML IdP values. 
Your SAML IdP stores a lot of information about your users (company name, first name, last name, phone number, etc.). MindTouch only uses three user values: a username, an email address, and a display name. While the username and email address are pulled into MindTouch as-is, you can choose to populate the display name from a combination of IdP values defined by you.
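The username and display name concerns above (an opaque persistent NameID, a display name composed from IdP attributes, and duplicate accounts when the IdP username does not match an existing local one) can be checked before go-live. The following is an added example, not MindTouch code: it parses a constructed SAML 2.0 assertion with the standard library and derives the three values MindTouch uses, flagging each pitfall; the attribute names (`email`, `firstName`, `lastName`) and the `build_profile`/`parse_assertion` helpers are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Constructed sample assertion (not a real IdP response; signature omitted, a
# real SP must verify it first): an opaque persistent NameID plus attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3f9a1c2e7b444e1a9d0b2c5f8e6a1b77</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (NameID value, NameID format, {attribute name: value})."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return name_id.text.strip(), name_id.get("Format", ""), attrs

def is_human_readable(username):
    """Heuristic: long hex/UUID-style strings are opaque machine identifiers."""
    return re.fullmatch(r"[0-9a-fA-F-]{20,}", username) is None

def build_profile(xml_text, display_template="{firstName} {lastName}", local_users=()):
    """Derive the three values MindTouch uses and flag the article's pitfalls.
    local_users: (username, email) pairs for accounts created before SAML."""
    username, fmt, attrs = parse_assertion(xml_text)
    email = attrs.get("email", "")
    warnings = []
    try:  # display name is composed from admin-chosen IdP attributes
        display = display_template.format(**attrs).strip()
    except KeyError:
        display = ""
    if not display:  # never surface an opaque ID: fall back to the synced email
        display = email or username
        warnings.append("display name template could not be filled; using email")
    if fmt == PERSISTENT and not is_human_readable(username):
        warnings.append("persistent NameID is opaque; keep display name or email synced")
    for local_name, local_email in local_users:  # avoid duplicate accounts
        if local_email == email and local_name != username:
            warnings.append(f"local user {local_name!r} would be duplicated by {username!r}")
    return {"username": username, "email": email, "display_name": display, "warnings": warnings}
```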
