How to Set Up Single Sign On With ADFS


This guide is designed to help you set up SSO with your ADFS service. It walks you through configuring both ADFS and Catalyst.

  1. The Catalyst metadata can be retrieved from Catalyst by going to https://XXXX.bccatalyst.com/saml/metadata.xml, where XXXX is the name of your site.
  2. On the ADFS server, right click on Relying Party Trusts and click Add Relying Party Trust…. From there, choose Import data about the relying party from a file. Click Browse and locate the metadata.xml file you downloaded in step 1.
  3. Add a claim rule: right click on the relying party trust you just created and click Edit Claim Rules…
  4. Give the claim rule a name and select Active Directory as the Attribute Store. Set LDAP Attribute to E-Mail-Addresses and Outgoing Claim Type to E-mail Address.
  5. Add a second claim rule to transform the claim, using the following settings:
    1. Incoming claim type = E-Mail Address
    2. Outgoing claim type = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    3. Outgoing name ID format = Email

Setup SSO on Catalyst:

  1. Go to the Administration Menu, then choose “Manage My Account”, then “SSO Settings”
  2. From here, check “Enable SSO”
  3. If your SSO requires an Issuer, check SSO Include Issuer (the Issuer is the Entity Id of your identity provider: a URL that uniquely identifies your SAML identity provider)
  4. If your SSO requires an Embed Signature, check SSO Embed Signature (use this if your IDP requires an AuthNRequest with an embedded signature)
  5. Enter the SSO Login URL provided by your directory, or the Mobile SSO Login URL to set up SSO on the Catalyst mobile app
  6. Enter the SHA1 SSO certificate fingerprint from your directory’s security certificate, or the SSO Mobile certificate fingerprint to set up SSO on the Catalyst mobile app
  7. If you are using encrypted assertions, scroll to the bottom of the form and populate the SSO Encrypted Assertions Certificate and SSO Encrypted Assertions Private Key
  8. Once complete, choose Save Changes. (Don’t worry, nothing will happen to your current users when you do this – they will continue working!)
  9. Next, go to an existing user (Administration Menu…Users…select a User, then choose Edit). From here, you can make them a single sign-on user by changing their Sign-in type. This lets you choose SSO only, Username and Password, or Any. For testing purposes, choose Any so you can still log in with a username and password if needed.
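The Issuer, SSO Login URL and SHA1 certificate fingerprint that steps 3, 5 and 6 ask for can all be read out of the ADFS federation metadata instead of retyped by hand. The Python below is an added example, not code from Catalyst or from this article; the metadata document, host names and certificate bytes are constructed, and the colon-separated fingerprint layout is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-ins for the DER bytes of the ADFS token-signing and
# token-encryption certificates. They are not real X.509 certificates; they
# only give the fingerprint code something to hash.
FAKE_SIGNING_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERT"
FAKE_ENCRYPTION_CERT_DER = b"ENCRYPTION-CERT-NOT-SIGNING"

# Constructed, cut-down FederationMetadata.xml with a hypothetical ADFS host.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIG_B64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENC_B64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("SIG_B64", base64.b64encode(FAKE_SIGNING_CERT_DER).decode()) \
                         .replace("ENC_B64", base64.b64encode(FAKE_ENCRYPTION_CERT_DER).decode())


def sha1_fingerprint(der: bytes) -> str:
    """Upper-case SHA1 fingerprint as AB:CD:...; drop the colons if the Catalyst form rejects them."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def catalyst_sso_values(metadata_xml: str, binding: str = HTTP_POST) -> dict:
    """Pull the Issuer, SSO Login URL and signing-certificate fingerprints out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    logins = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
              if s.get("Binding") == binding]
    if not logins:
        raise ValueError(f"no SingleSignOnService for binding {binding}")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # the encryption cert does not sign assertions; it is not what Catalyst verifies
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(sha1_fingerprint(base64.b64decode("".join(cert.text.split()))))
    # ADFS lists every signing cert, so two fingerprints here means a certificate rollover is pending
    return {"issuer": root.get("entityID"), "login_url": logins[0], "fingerprints": fingerprints}
```

If the list holds more than one fingerprint, the second is the upcoming token-signing certificate; plan to update the Catalyst fingerprint before ADFS switches to it.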

Once complete – that’s it, you’re ready to sign into Catalyst with SSO!
