SAML SSO Service Provider Endpoints
- Applies to:
- All MindTouch Versions
Consult the following tables, with {id} standing in for an identity provider service id. In all cases, if no identity provider service matches {id}, the endpoint returns an HTTP 404 response; if the matching identity provider service is disabled, it returns an HTTP 403 response. The string default can be used in place of {id} to select the configured default identity provider service.
Sign-In Endpoints
Endpoint | Description |
---|---|
/@app/auth/{id}/login?returnto={url} | Responds with an HTTP redirect to the identity provider's single sign-on endpoint, carrying a valid SAMLRequest in the query string, DEFLATE-compressed and base64-encoded as the SAML HTTP-Redirect binding requires. The optional, URL-encoded {url} value is passed along as the RelayState query parameter, which the identity provider echoes back to the assertion consumer service. If the request cannot be generated due to an error, the user is redirected to the homepage with an error message (public site behavior) or receives an HTTP 403 response (private site behavior). |
/@app/auth/{id}/acs | The assertion consumer service. Receives an encoded SAMLResponse via either an HTTP redirect or a POST request. If the SAMLResponse cannot be validated or does not carry a successful sign-in status, the user is redirected to the homepage with an error message (public site behavior) or receives an HTTP 403 response (private site behavior). |
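The redirect that the login endpoint emits and the acceptance checks the assertion consumer service applies, shown as an added Python example written for this page; it is not MindTouch's implementation. The hostnames, entity ID, request IDs and the verify_signature callback are assumptions, and the sample Response is constructed with a Status only (no assertion, no signature), so the XML-DSig step is delegated to the callback rather than implemented.

```python
# Added example (not MindTouch code): the SAML HTTP-Redirect binding behind
# /@app/auth/{id}/login and the acceptance checks behind /@app/auth/{id}/acs.
# All hostnames, paths and IDs below are assumptions for illustration.
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """AuthnRequest the SP sends; ID and IssueInstant are overridable so runs are reproducible."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{issue_instant}" Destination="{idp_sso_url}" '
            f'AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="{HTTP_POST}">'
            f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>")


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def redirect_decode(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def post_encode(xml_text):
    """HTTP-POST binding (what normally arrives at /acs): base64 only, no DEFLATE."""
    return base64.b64encode(xml_text.encode()).decode()


def build_login_redirect(idp_sso_url, authn_request_xml, returnto=None):
    """The Location header /login answers with. returnto becomes RelayState, which the
    IdP echoes back unchanged on the ACS POST."""
    params = {"SAMLRequest": redirect_encode(authn_request_xml)}
    if returnto:
        params["RelayState"] = returnto
    sep = "&" if urlparse(idp_sso_url).query else "?"
    return idp_sso_url + sep + urlencode(params)


def inspect_login_redirect(location):
    """Decode a captured Location header back into request XML and RelayState (pentest view)."""
    qs = parse_qs(urlparse(location).query)
    return {"SAMLRequest": redirect_decode(qs["SAMLRequest"][0]),
            "RelayState": qs.get("RelayState", [None])[0]}


def is_local_return(relay_state):
    """RelayState started life as the caller-supplied returnto, so only honour same-site paths
    when redirecting after sign-in (rejects absolute, protocol-relative and backslash forms)."""
    if not relay_state or not relay_state.startswith("/") or relay_state.startswith("//"):
        return False
    if "\\" in relay_state:
        return False
    parsed = urlparse(relay_state)
    return parsed.scheme == "" and parsed.netloc == ""


def sample_response(status, destination):
    """Constructed IdP Response carrying only a Status (no assertion, no signature)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}" InResponseTo="_abc">'
            f"<saml:Issuer>https://idp.example.com/</saml:Issuer>"
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:Response>')


def acs_outcome(saml_response_b64, expected_destination, private_site, verify_signature):
    """Mirror the documented /acs outcomes. verify_signature(xml_text) -> bool stands in for
    XML-DSig verification against the IdP certificate; without it the other checks prove nothing."""
    failure = "403" if private_site else "redirect_home_with_error"
    try:
        xml_text = base64.b64decode(saml_response_b64, validate=True).decode()
        root = ET.fromstring(xml_text)  # production code should parse with defusedxml
    except (ValueError, ET.ParseError):
        return failure
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != expected_destination:
        return failure
    if not verify_signature(xml_text):
        return failure
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return failure
    return "signed_in"
```

RelayState is whatever returnto contained and comes back from the identity provider untouched, so the post-sign-in redirect should be confined to same-site paths, which is_local_return does. Nothing in acs_outcome is meaningful unless verify_signature really checks the XML signature against the identity provider's certificate; the status and Destination checks only decide which of the two documented failure responses to send.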
Sign-Out Endpoints
Endpoint | Description |
---|---|
/Special:UserLogout | Signs the user out of the Expert site, and optionally redirects them to the identity provider they signed in with, if SAML SLO (single logout) has been configured. If the request cannot be generated due to an error, the user is redirected to the homepage with an error message. |
/@app/auth/{id}/slo | The single logout service. Receives an encoded SAMLResponse or SAMLRequest via an HTTP redirect. A SAMLResponse arrives after the user has been sent from the Special:UserLogout endpoint on the Expert site to the identity provider and back. A SAMLRequest arrives when the identity provider initiates sign-out on its own. If the SAMLResponse cannot be validated or does not carry a successful sign-out status, the user is redirected to the homepage with an error message. If the SAMLRequest cannot be validated, the requester receives an HTTP 403 response. |
Data Endpoints
Endpoint | Description |
---|---|
/@app/auth/{id}/metadata.xml | The Expert site's service provider metadata (SAML metadata XML), available for download by a user or through identity provider automation. If the metadata cannot be generated due to an error, the requester receives an HTTP 403 response. |
/@app/auth/{id}/x509.crt | The Expert site's service provider signing certificate, available for download by a user or through identity provider automation. An empty or missing certificate returns an HTTP 404 response. |