Configure SP-initiated SSO (SAML) authentication

Who can use this feature?

  • All roles with access level "high"
  • Available on all plans

Using an identity provider (IdP), such as Okta or Azure, you can set up an SP-initiated SSO connection between Catalyst and your IdP using SAML 2.0.

Set up SP-initiated SSO

Although the following instructions are for Okta, other IdP systems will have similar configuration steps.

Your Catalyst CSM will provide a callback URL and audience URL via email, which you will use to create a SAML connection in your IdP. You then provide Catalyst with the sign-in URL and the X.509 signing certificate so we can update the configuration on our side.

Catalyst does not support IdP-initiated logins (from external tile) or SCIM. We recommend adding a bookmark in your IdP that takes your users to our secure login page: https://app.catalyst.io/session/new

Please utilize a custom SAML app instead of relying on any IdP default configurations for Catalyst.

  1. Request a callback URL and audience URL for your IdP from your Catalyst CSM. The typical formats are as follows:
    • Callback (ACS Consumer) URL: https://auth.catalyst.io/login/callback?connection=[CSM-PROVIDED-COMPANY-NAME]
    • Audience URI (SP Entity ID): urn:auth0:catalyst-software:[CSM-PROVIDED-COMPANY-NAME]
  2. Create a new application to connect to Catalyst by clicking Create App Integration.
  3. Choose SAML 2.0, and click Next.
  4. Provide an app name (we recommend “Catalyst”). You can also provide a logo.
  5. Click Next, and add the following required data.

    Do not include any < > symbols around your company name in the URL or URI fields.

    • Provided by Catalyst: Single sign on URL
    • Provided by Catalyst: Audience URI (SP Entity ID)
    • Name ID format: EmailAddress
    • Application username: Email
    • Attribute statements (these are also REQUIRED):

      Name        Name Format   Value
      email       Basic         user.email
      first_name  Basic         user.firstName
      last_name   Basic         user.lastName
  6. Click Next.
  7. Finish creating the app and collect information to pass back to Catalyst. In the newly created SAML app, you will find the following information:
    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    • X.509 Certificate
  8. Send this information to your Catalyst CSM, and we’ll complete the setup on our side. We will notify you when you are able to sign in with this connection.
  9. Once setup is completed, go to https://app.catalyst.io/session/new to sign in!

FAQ

Q: I have set up SAML but receive an error that no email address was returned to identify your user. How do I fix this?

A: The IdP has most likely not been configured to send the attribute statements with the SAML assertion. Some IdPs, such as OneLogin, require you to check a box for each field to include it. Please confirm that this step is completed, that the name/key of each field matches our documentation (email, first_name, last_name), and that email is sent as a separate attribute from the NameID value.
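As an added example (not part of this article or the Catalyst product), here is a small Python checker that parses a SAML response and reports whether it carries what the steps above and this FAQ require: an EmailAddress-format NameID, the expected Audience URI, and email, first_name and last_name as separate attribute statements. The company name, user values and the response builder are constructed placeholders for offline testing, and the checker looks at attribute shape only; it does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "first_name", "last_name")  # attribute statements Catalyst requires


def check_assertion(xml_text, expected_audience):
    """Return the problems found in a SAML response (empty list = looks right).
    Checks attribute shape only; signature verification is the SP's job."""
    problems = []
    assertion = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in the response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_NAMEID:
        problems.append(f"NameID format is {name_id.get('Format')}, expected EmailAddress")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience}")
    # email must be sent as its own attribute, not only as the NameID (see FAQ)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name) or not attrs[name][0]:
            problems.append(f"required attribute '{name}' missing or empty")
    return problems


def build_response(audience, name_id, attrs):
    """Build a minimal, unsigned SAML response from constructed values so the
    checker can be run offline against good and bad IdP attribute mappings."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                       f'</saml:AttributeValue></saml:Attribute>' for n, v in attrs.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<saml:Assertion><saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">{name_id}'
            f'</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            f'</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    AUD = "urn:auth0:catalyst-software:example-co"  # placeholder company name
    # IdP mapped the email only into NameID: the FAQ's "no email address" failure
    bad = build_response(AUD, "jane@example.com", {"first_name": "Jane", "last_name": "Doe"})
    print(check_assertion(bad, AUD))  # ["required attribute 'email' missing or empty"]
```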