Implement Single Sign-On (SSO)

SSO gives your team members access to Catalytic through their Identity Provider (IdP) account. SSO is configured from the Admin Team Center. SSO Settings can only be accessed by Admin users and are enabled per team.


Before getting started with SSO

Catalytic uses SAML 2.0 for SSO and a self-signed certificate for SAML assertion encryption. We also support CA-signed certificates if your SSO implementation requires it. Contact Catalytic Support to get this set up for your organization.

During setup, configure your Identity Provider to use the user's email address as the NameID. Catalytic does not support custom attributes, and any custom attributes passed to Catalytic will be ignored.

Catalytic does not have built-in support for Two-Factor Authentication (2FA). To require 2FA for users logging into your team, use an Identity Provider (IdP) that has 2FA enabled.

We use a self-signed certificate for SAML, which is provided in the metadata downloadable from the SSO page.

Required Setup

Set up a connection with your identity provider using the configuration settings below, then configure SSO in Catalytic.

To make sure implementation is seamless, Catalytic can test your SSO configuration in a testing environment before implementing it in production. Contact Catalytic Support if you're interested in testing SSO.

Step 1. Configure with your identity provider

To configure SSO, you first create a connection within your IdP using information from Catalytic. Setup requires a unique ACS URL and Entity ID, which Catalytic provides from the SSO Settings page.

Note that with some IdPs, the ACS URL is called the "Reply URL" and the Entity ID is called the "Identifier".

Follow the steps supplied by your IdP to configure a connector for Catalytic. Your IdP may support uploading a metadata file to expedite SSO setup. If so, you can Download the Metadata and upload it to your IdP to prepopulate the required fields.

Step 2. Create the SSO integration in Catalytic

After creating the connection, finish the setup in Catalytic. An Entity ID, Login URL, and Signing Certificate are required. Your IdP should provide these after completing step 1.

  1. From the SSO Settings page, select Enable Single Sign-On

  2. Fill out all required fields.

    💡 Tip: Your IdP may provide a downloadable metadata file to expedite SSO setup. Look for this file during configuration and upload it into the Metadata file field to prepopulate the required fields.

  3. Once SSO is configured, select . Then flip the in the top right. Return to this page to edit your configuration at any time.

Important information after SSO is enabled

When SSO is enabled for a team, SSO is the only authentication method allowed and users can no longer log in using their Catalytic password. Any changes to the SSO settings will affect your team immediately.

Catalytic does not support user provisioning with SAML 2.0. After configuring SSO, you'll continue to create, update and deactivate Catalytic users within Catalytic, either manually from the Team Page or by building a user provisioning process using actions like Workflow: Create a User, Workflow: Update a User, and Workflow: Deactivate a User.

Single Logout (SLO)

SLO lets your IdP control the log out parameters for users. Catalytic does not support Single Logout (SLO). Users who authenticated using SSO will stay logged in until their Catalytic session expires.

If a user attempts to log out of Catalytic, they will go through the SSO login flow. If their user is authorized to use Catalytic by the IdP, they will be re-authenticated. If their access to Catalytic has been revoked in the IdP, they will be logged out.

Get help with a problem or question

If something's not working as expected, or you're looking for suggestions, check through the options below.

What happens to users on my team after I enable SSO?

Users in Catalytic who are provisioned in your IdP will stay logged in, or may be asked to log in through their SSO account.

Users in Catalytic who are not provisioned in your IdP are logged out. Depending on your IdP, unprovisioned users are redirected to a splash page that explains they do not have access. In some cases this may not happen until they refresh their browser or log out.