Before setting up SSO, contact your internal IT department and find out who manages your identity provider, because you will need their assistance in setting up SSO for Catalyst.
What you need to set up SSO:
- Set up your source directory per the source directory vendor’s instructions, with the following considerations:
- Use a SHA1 hash of the certificate that protects your SAML assertion (Catalyst requires the SHA1 thumbprint)
- Include Email Address as the primary attribute sent to Catalyst – Catalyst uses this to identify users
- The name identifier (NameID) format needs to be: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- The email needs to match the one that the user is set up with in Catalyst
- The email needs to be in the response’s NameID (the response is the message that Catalyst receives from the SAML Identity Provider [the customer’s SSO server])
- After setting up your directory provider, it should provide you with a SAML 2.0 endpoint – note this for the Catalyst setup steps below.
We use SHA-1 only as a fingerprint of the certificate. The fingerprint identifies the certificate; it is not used for any signing or encryption. It is our way of checking that the certificate being presented is the one you expected to see, so this use is safe from a SHA-1 collision or spoofing.
Note: While setting up your SSO directory, you may be asked for the SAML consumer URL. For Catalyst, this is: https://XXXX.bccatalyst.com/saml/consume, where XXXX is the name of your site.
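As an added illustration (not part of the Catalyst documentation), the following Python script computes the SHA-1 thumbprint that the fingerprint field expects from an IdP’s PEM certificate, and checks a SAML response’s NameID against the requirements above (emailAddress format, a real email, and a match with the user’s Catalyst email). The sample response, IdP entity ID, user and placeholder certificate are constructed; the check is a pre-flight aid, not a substitute for the signature verification Catalyst performs.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # format Catalyst needs
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sha1_fingerprint(pem: str) -> str:
    """SHA-1 thumbprint of a PEM certificate, colon-separated upper-case hex.
    The digest is over the DER bytes; it only identifies the certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)
    der = base64.b64decode(body, validate=True)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_nameid(response_xml: str, catalyst_email: str) -> list:
    """Return the problems found; an empty list means the NameID meets the requirements.
    Pre-flight check only: signature verification and hardened XML parsing are the SP's job."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return ["no NameID in the assertion's Subject"]
    problems = []
    fmt = nameid.get("Format")
    if fmt != EMAIL_NAMEID:
        problems.append("NameID Format is %r, expected %s" % (fmt, EMAIL_NAMEID))
    value = (nameid.text or "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        problems.append("NameID value %r is not an email address" % value)
    elif value.lower() != catalyst_email.lower():  # must be the user's Catalyst email
        problems.append("NameID %r does not match Catalyst user %r" % (value, catalyst_email))
    return problems

# Constructed sample response (hypothetical IdP entity ID and user), not a real capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""

# Placeholder PEM whose body decodes to b"abc" (a real certificate body is much longer).
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(sha1_fingerprint(PLACEHOLDER_PEM))
    print(check_nameid(SAMPLE_RESPONSE, "jane.doe@example.com"))  # [] when it matches
```

Run it against your IdP’s exported signing certificate and a test response captured from a browser SAML tracer to confirm the values before pasting them into the Catalyst form.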
- Go to the Administration Menu, then choose “Manage My Account”, then “SSO Settings”
- From here, check “Enable SSO”
- If your SSO requires an Issuer, check SSO Include Issuer (Issuer refers to the Entity ID of your identity provider: a URL that uniquely identifies your SAML identity provider.)
- If your SSO requires an Embed Signature, check SSO Embed Signature (Use this if your IDP requires an AuthNRequest with an embedded)
- Enter the SSO Login URL provided by your directory, or the Mobile SSO Login URL to set up SSO on the Catalyst mobile app
- Enter the SHA1 SSO certificate fingerprint from your directory’s security certificate, or the SSO Mobile certificate fingerprint to set up SSO on the Catalyst mobile app
- If you are using encrypted assertions, scroll to the bottom of the form and populate the SSO Encrypted Assertions Certificate and SSO Encrypted Assertions Private Key
- Once complete, choose Save Changes. (Don’t worry, nothing will happen to your current users when you do this – they will continue working!)
- Next, go to an existing user (Administration Menu > Users > select a user, then choose Edit). From here, you can make them a single sign-on user by changing their Sign-in type, which lets you choose SSO only, Username and Password, or Any. For testing purposes, choose Any so you can still log in with a username and password if needed.
Once complete – that’s it, you’re ready to sign into Catalyst with SSO!