Who can use this feature?
- All roles with access level "high"
- Available on all plans
Using an identity provider (IdP), such as Okta or Azure, you can set up an SP-initiated SSO connection between Catalyst and your IdP using SAML 2.0.
Set up SP-initiated SSO
Although the following instructions are for Okta, other IdP systems will have similar configuration steps.
Your Catalyst CSM will provide a callback URL and an audience URL via email, which you will use to create a SAML connection in your IdP. You then provide Catalyst with the IdP sign-in URL and the X.509 signing certificate so we can update the configuration on our side.
Catalyst does not support IdP-initiated logins (from external tile) or SCIM. We recommend adding a bookmark in your IdP that takes your users to our secure login page: https://app.catalyst.io/session/new
Please utilize a custom SAML app instead of relying on any IdP default configurations for Catalyst.
- Request a callback URL and audience URL for your IdP from your Catalyst CSM. The typical formats are as follows:
  - Callback (ACS Consumer) URL: https://auth.catalyst.io/login/callback?connection=[CSM-PROVIDED-COMPANY-NAME]
  - Audience URI (SP Entity ID): urn:auth0:catalyst-software:[CSM-PROVIDED-COMPANY-NAME]
- Create a new application to connect to Catalyst by clicking Create App Integration.
- Choose SAML 2.0 , and click Next.
- Provide an app name (we recommend “Catalyst”). You can also provide a logo:
- Click Next, and add the following required data.
Do not include any < > symbols in the URL or URI fields around your customer name.
- Provided by Catalyst: Single sign on URL
- Provided by Catalyst: Audience URI (SP Entity ID)
- Name ID format: EmailAddress
- Application username: Email
- Attribute statements (these are also REQUIRED):

  Name         Name Format   Value
  email        Basic         user.email
  first_name   Basic         user.firstName
  last_name    Basic         user.lastName

- Click Next.
- Finish creating the app and collect information to pass back to Catalyst. In the newly created SAML app, you will find the following information:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
- Send this information to your Catalyst CSM, and we'll complete the setup on our side. We will notify you when you are able to sign in with this connection.
- Once setup is completed, go to https://app.catalyst.io/session/new to sign in!
FAQ
Q: I have set up SAML but receive an error that no email address was returned to identify your user. How do I fix this?
A: It's likely that the IdP has not been configured to send the attribute statements with the SAML assertion. Some IdPs, such as OneLogin, require you to check a box for each field to include it. Please confirm that this step is completed, that the name/key of each field matches our documentation exactly (email, first_name, last_name), and that email is sent as a separate attribute from the NameID value.
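The following script is an added example, not Catalyst's or Okta's own code. It checks a captured SAML response against the requirements listed in the setup steps above (ACS URL as Destination, Audience URI matching the SP Entity ID, NameID in EmailAddress format, and email/first_name/last_name sent as separate attributes) and reports exactly what is wrong, which is the quickest way to diagnose the "no email address was returned" error from the FAQ. It deliberately does not verify the XML signature; the service provider does that with the X.509 certificate you handed over, and a valid signature on an assertion with missing attributes still produces the error. The company name "acme", the Okta issuer value and the assertion IDs are assumed placeholders, and the sample responses are constructed for the demonstration.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_ATTRS = ("email", "first_name", "last_name")

# Values your CSM provides; "acme" is an assumed placeholder company name.
ACS_URL = "https://auth.catalyst.io/login/callback?connection=acme"
AUDIENCE = "urn:auth0:catalyst-software:acme"


def decode_saml_response(b64_response):
    """Decode the base64 SAMLResponse form field the browser POSTs to the ACS URL."""
    return base64.b64decode(b64_response).decode("utf-8")


def check_assertion(xml_text, expected_audience=AUDIENCE, expected_acs=ACS_URL):
    """Return a list of problems; an empty list means the assertion carries
    everything the setup steps require. Signature validity is NOT checked here."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Response" % NS["samlp"]:
        if root.get("Destination") != expected_acs:
            problems.append("Destination %r is not the ACS URL" % root.get("Destination"))
        assertion = root.find("saml:Assertion", NS)
    else:
        assertion = root  # a bare <saml:Assertion> is accepted too
    if assertion is None or assertion.tag != "{%s}Assertion" % NS["saml"]:
        return problems + ["no <saml:Assertion> found"]

    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != expected_audience:
        problems.append("Audience does not match the SP Entity ID %r" % expected_audience)

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID")
    elif name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID Format is %r, expected EmailAddress" % name_id.get("Format"))

    # The email is read from the 'email' attribute, not from the NameID, so the
    # attribute statement is checked independently of the NameID above.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED_ATTRS:
        if attrs.get(name):
            continue
        near = [n for n in attrs if n and n.lower() == name.lower() and n != name]
        if near:
            problems.append("attribute %r is sent as %r; names are case-sensitive" % (name, near[0]))
        elif name in attrs:
            problems.append("attribute %r is present but has no value" % name)
        else:
            problems.append("attribute %r is missing from the AttributeStatement" % name)
    return problems


def sample_response(attributes):
    """Build a constructed, unsigned Okta-style response for the demonstration;
    the Issuer and IDs are made-up placeholders."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s" NameFormat="%s"><saml:AttributeValue>%s'
        '</saml:AttributeValue></saml:Attribute>' % (k, BASIC_FORMAT, v)
        for k, v in attributes.items())
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0" Destination="%s">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>'
        '<saml:Subject><saml:NameID Format="%s">jane@acme.example</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AttributeStatement>%s</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
        % (NS["samlp"], NS["saml"], ACS_URL, EMAIL_NAMEID, AUDIENCE, attr_xml))


def run_samples():
    """Constructed inputs: a correct assertion, and one that reproduces the FAQ
    failure (attributes sent under the wrong names, so no 'email' arrives)."""
    good = sample_response({"email": "jane@acme.example",
                            "first_name": "Jane", "last_name": "Doe"})
    bad = sample_response({"Email": "jane@acme.example", "firstName": "Jane"})
    return check_assertion(good), check_assertion(bad)


if __name__ == "__main__":
    for label, problems in zip(("good", "bad"), run_samples()):
        print(label + ":", "OK" if not problems else "; ".join(problems))
```

To use it on a real login, copy the SAMLResponse value from a browser SAML tracer, pass it through decode_saml_response, and call check_assertion with the callback URL and audience URI your CSM gave you. The case-sensitivity check matters because "Email" and "email" are different attribute names to the service provider.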