Skip to main content

Enabling SAML single sign-on for your organization

Enable SSO for your Organization

Written by Justin

Mindsmith allows you to sign in through your organization's Identity Provider using SAML SSO.

Note: SSO requires the Enterprise tier of Mindsmith. Please contact us if you'd like to enable it for your organization.

Also note: You can let users launch Mindsmith directly from your identity provider's app portal using an app tile or bookmark - see "Launching Mindsmith from your identity provider" below. However, true IdP-initiated SAML (unsolicited assertions sent straight to Mindsmith's ACS) is not supported. User provisioning is also manual: users may sign in through your SSO provider, but they must be invited to your workspace and assigned a license to become part of the organization.

Setting up your Identity Provider

You will typically begin by setting up a new application inside of your Identity Provider. Once your application is created, download the Metadata XML provided by your system.

You can find the required Mindsmith service provider information here.

Configuring SSO in Mindsmith

To configure SSO, you must be an admin of an Enterprise-tier organization.

  1. Navigate to your organization settings and click on the Security tab.

Screenshot

  1. Click the Add SAML Provider button.

  2. Paste the SAML Metadata XML from your Identity Provider into the text area.

  3. Click Save Configuration.

Screenshot

Adding Authorized Domains

Once your provider is saved, you need to add the email domains you would like to associate with it. Only users with email addresses matching these provided domains will be able to sign in using Single Sign-On.

  1. Under the Authorized Domains section, click Add Domain.

  2. Type in your organization's domain (for example, example.com).

  3. Click Add Domain to save.

Screenshot

Tip: If you ever need to update your SAML Metadata XML, click Edit next to your provider details. You can also permanently delete a provider or an authorized domain by clicking the red trash can icon next to them.

Making sure Mindsmith receives the right email address

Mindsmith identifies each user by their email address, and that address must match a user you've already invited and licensed in your workspace. When someone signs in, Mindsmith reads their email from the SAML assertion, preferring the mail attribute and falling back to other standard email claims (and, as a last resort, the NameID).

Some identity providers send a sign-in identifier that is not the user's email address (for example, [email protected] when the person's real email is [email protected]). If that identifier ends up in the claim Mindsmith reads, sign-in is attributed to the wrong address or fails to match the user you invited.

If your provider's sign-in identifier or NameID is not the user's email address, configure your SAML app to send the real email address in the mail attribute. Mindsmith prefers the mail claim above all others, so this guarantees the correct address is used. If no valid email address is present, sign-in fails rather than guessing.

Launching Mindsmith from your identity provider (bookmark / app tile)

Once SSO is configured and your domain is authorized, you can let users open Mindsmith straight from their identity provider's app portal. Clicking the tile signs them in automatically through an invisible SP-initiated SAML round trip, reusing the identity-provider session they already have.

Launch URL

https://app.mindsmith.ai/auth/sso/launch?domain=<your-verified-domain>
  • Replace <your-verified-domain> with a domain you've already added under Authorized Domains (the same domain mapping used by the normal email sign-in flow).

  • EU-hosted tenants: use https://eu.mindsmith.ai/auth/sso/launch?domain=<your-verified-domain>. The app.mindsmith.ai URL also auto-redirects EU-routed domains, so either works.

  • Optional deep link: append &callbackUrl=<relative-path> to send users to a specific page after sign-in (for example ...&callbackUrl=/dashboard). Only relative paths starting with / are honored; off-site URLs are ignored.

Setting it up

Point a bookmark/link tile - or the application's SP "sign-on" / "login initiation" URL - at the launch URL above. Because the user already has an active session with your identity provider, clicking it triggers the invisible SP-initiated sign-in. Consult your identity provider's documentation for how to add a bookmark/link tile or set a sign-on URL.

Note: This is IdP-launched, SP-initiated sign-in - not true IdP-initiated SAML. Unsolicited IdP-initiated assertions remain unsupported, and user provisioning is still manual (invite + license each user).

Finalizing your setup

The remainder of the process takes place inside of your Identity Provider. Make sure to establish the proper access controls for your organization's users so they can successfully authenticate.

Mindsmith uses BoxyHQ to securely manage SAML SSO connections. For attribute mapping information and vendor-specific setup guides, you can visit this documentation.

Did this answer your question?