This guide is designed to help you set up SSO with your ADFS service. It walks you through configuring both ADFS and Catalyst.
- The Catalyst metadata can be retrieved from Catalyst by going to https://XXXX.bccatalyst.com/saml/metadata.xml, where XXXX is the name of your site.
- On the ADFS server, right-click Relying Party Trust and click Add Relying Party Trust…. From there, select Import data about the relying party from a file. Click Browse and locate the Metadata.xml file.
- Add a claim rule: right-click the relying party trust you just created and click Edit Claim Rules…
- Give the claim rule a name, then select Active Directory as the Attribute Store. Set LDAP Attribute to E-Mail-Addresses and Outgoing Claim Type to E-mail Address.
- Add a second claim rule to transform the claim, using the following settings:
  - Incoming claim type = E-Mail Address
  - Outgoing claim type = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Outgoing name ID format = Email
Set up SSO on Catalyst:
- Go to the Administration Menu, then choose “Manage My Account”, then “SSO Settings”.
- From here, check “Enable SSO”.
- If your SSO requires an Issuer, check SSO Include Issuer. (The Issuer is the Entity ID of your identity provider: a URL that uniquely identifies your SAML identity provider.)
- If your SSO requires an embedded signature, check SSO Embed Signature. (Use this if your IdP requires an AuthnRequest with an embedded signature.)
- Enter the SSO Login URL provided by your directory, or the Mobile SSO Login URL to set up SSO for the Catalyst mobile app.
- Enter the SHA1 SSO certificate fingerprint taken from your directory’s security certificate, or the SSO Mobile certificate fingerprint to set up SSO for the Catalyst mobile app.
- If you are using encrypted assertions, scroll to the bottom of the form and populate the SSO Encrypted Assertions Certificate and SSO Encrypted Assertions Private Key.
- Once complete, choose Save Changes. (Don’t worry, nothing will happen to your current users when you do this; they will continue working!)
- Next, go to an existing user (Administration Menu > Users > select a user, then choose Edit). From here, you can make them a single sign-on user by changing their Sign-in type, which lets you choose SSO only, Username and Password, or Any. For testing purposes, choose Any so you can still log in with a username and password if needed.
Once complete, that’s it: you’re ready to sign in to Catalyst with SSO!
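Two of the values above are easy to get wrong: the certificate fingerprint, which must come from the identity provider's signing certificate rather than its encryption certificate, and the NameID format that the second (transform) claim rule exists to produce. The Python script below is an added illustration, not code from Catalyst or ADFS: it computes the SHA1 fingerprint of each signing certificate found in IdP federation metadata and checks that a SAML assertion's Subject carries an emailAddress NameID. The metadata, assertions, entity ID adfs.example.test and the colon-separated upper-case fingerprint format are all assumptions constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def signing_cert_fingerprints(metadata_xml: str) -> list[str]:
    """SHA-1 fingerprints (AA:BB:...) of the signing certificates in IdP metadata.
    ADFS metadata also lists an encryption certificate, which is skipped here."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both
            continue
        b64 = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))  # tolerate PEM line wrapping
        digest = hashlib.sha1(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return fingerprints


def check_nameid(assertion_xml: str) -> tuple[bool, str]:
    """Confirm Subject/NameID uses the emailAddress format the transform claim rule
    produces; without that rule ADFS sends the address only as an attribute claim."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        return False, "no NameID in Subject (transform claim rule missing?)"
    fmt = nameid.get("Format", "")
    if fmt != EMAIL_NAMEID:
        return False, f"NameID format {fmt or 'unspecified'} is not {EMAIL_NAMEID}"
    return True, (nameid.text or "").strip()


# Constructed samples: the 'certificates' are the bytes b"xyz" and b"abc" rather
# than real DER, so the signing fingerprint is simply SHA-1("abc").
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>eHl6</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
  jane@example.test</saml:NameID></saml:Subject></saml:Assertion>"""
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"><saml:Subject/></saml:Assertion>"""
```

Run it against the real ADFS federation metadata and a captured assertion before switching any user to SSO only; if ADFS rolls its token-signing certificate, the fingerprint entered in Catalyst must be updated to match.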