Single Sign-On (SSO)

Each organization can connect its own identity provider (IdP) so members sign in through your company’s SSO instead of (or in addition to) a password. Catalyst Networks supports two provider types:

  • SAML 2.0 — for Okta, Entra ID / Azure AD, OneLogin, and other SAML IdPs.
  • OIDC / Google — either Google Workspace or a generic OpenID Connect provider.

SSO is configured per organization and is independent from every other org’s settings.

Reaching the SSO Settings

SSO configuration is limited to organization owners and admins. With your organization selected, open SSO in the sidebar, or go directly to:

/sso/<org-slug>/configure/

Fill in the provider details (below), save, then use the enable toggle. The app refuses to enable SSO until the required fields for your provider type are present, so configure first and enable second.

SAML Setup

On the configure page, select the SAML provider type and paste the values from your IdP:

Field                     Where it comes from
IdP Entity ID             Your IdP's issuer / entity ID
IdP SSO URL               The IdP's Single Sign-On (HTTP-Redirect) endpoint
IdP X.509 certificate     The IdP's signing certificate, in PEM form without the -----BEGIN/END CERTIFICATE----- header and footer (the base64 body only)
IdP SLO URL               Optional single-logout URL

Service Provider (SP) details for your IdP

The configure page shows the SP values you register on the IdP side. Catalyst Networks acts as the SP, and the endpoints are derived from your org slug:

SP value                             URL
SP metadata                          /sso/<slug>/metadata/
Assertion Consumer Service (ACS)     /sso/<slug>/acs/
SP Entity ID                         The SP metadata URL above

You can hand your IdP either the metadata URL directly or the individual ACS/entityID values. Catalyst Networks requires that assertions and messages are signed by the IdP (with the certificate you pasted above), so leave response and assertion signing switched on at the IdP.

Attribute (email) mapping

The SP reads the user’s identity from the SAML assertion. The email attribute is required — by default it maps to the standard claim:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

First name and last name have the matching standard defaults (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and .../claims/surname). Override any of these to match the attribute names your IdP actually emits; the value is looked up by exact attribute name. If no email attribute is received, the login is rejected.

How users log in

Members start SAML login at either:

  • /sso/<slug>/login/ — direct, if they know the org slug, or
  • /sso/login/ — an org lookup form that redirects to the right slug.

The IdP posts its response back to the ACS endpoint; the user is signed in and returned to the dashboard.

OIDC / Google Setup

Select the OIDC / Google provider type, then choose a mode:

Google Workspace requires:

  • Client ID and Client Secret (from your Google Cloud OAuth credentials)
  • Allowed email domain (restricts sign-in to your Workspace domain)

Generic OIDC requires:

  • Issuer URL
  • Client ID and Client Secret

Optional claim mappings default to email, given_name, family_name, and sub, with scopes openid email profile. The configure page displays the exact redirect/callback URL to register with your provider:

  • Google: /accounts/google/login/callback/
  • Generic OIDC: /accounts/oidc/<provider-id>/login/callback/

OIDC login is delegated to the underlying auth layer; members initiate it from the same org login entry points as SAML.

Just-in-Time (JIT) Provisioning

Two settings control what happens when someone who is not yet a member signs in via SSO:

  • Auto-create users (on by default) — creates a Catalyst Networks account automatically on first successful SSO login. With it off, the user must already have an account, or the login is rejected with “No account found for this email.”
  • Default role — the role assigned to auto-provisioned users. Only member or admin may be chosen (default: member).

There is also an enforce SSO option: when enabled, members of the organization must log in through SSO and password login is disabled for them. Disabling SSO also clears enforcement.
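As an added example that is not Catalyst Networks' own code, the following Python models how the settings above interact: the enable toggle refuses until the provider's required fields are present, auto-create and default role decide what a first SSO login does, enforce SSO blocks password login only for members of an org whose SSO is enabled, disabling SSO clears enforcement, and the Google mode's allowed domain rejects other domains. The field names, the in-memory `members` map, the lower-casing of emails and the "SSO is not enabled" rejection are assumptions of this example.

```python
# Added example (not Catalyst Networks' own code): a model of the per-org SSO
# settings described on the page. Field names, the in-memory `members` map and
# email lower-casing are assumptions of this example.
from __future__ import annotations
from dataclasses import dataclass, field

SAML_REQUIRED = ("idp_entity_id", "idp_sso_url", "idp_x509_cert")
GOOGLE_REQUIRED = ("client_id", "client_secret", "allowed_domain")
OIDC_REQUIRED = ("issuer_url", "client_id", "client_secret")
ALLOWED_DEFAULT_ROLES = ("member", "admin")  # owner can never be auto-assigned


@dataclass
class OrgSso:
    provider_type: str                 # "saml" or "oidc"
    oidc_mode: str = "google"          # "google" or "generic"; ignored for SAML
    fields: dict = field(default_factory=dict)
    enabled: bool = False
    enforce_sso: bool = False
    auto_create: bool = True
    default_role: str = "member"


def missing_required_fields(org: OrgSso) -> list[str]:
    """Fields that must be present before the enable toggle is accepted."""
    if org.provider_type == "saml":
        required = SAML_REQUIRED
    elif org.oidc_mode == "google":
        required = GOOGLE_REQUIRED
    else:
        required = OIDC_REQUIRED
    return [name for name in required if not org.fields.get(name)]


def set_sso_enabled(org: OrgSso, enabled: bool) -> list[str]:
    """Flip the enable toggle. Returns the missing fields that blocked enabling
    (empty list on success). Disabling also clears enforcement so that nobody
    is left with password login disabled and no SSO to use instead."""
    if enabled:
        missing = missing_required_fields(org)
        if missing:
            return missing
        org.enabled = True
    else:
        org.enabled = False
        org.enforce_sso = False
    return []


def sso_login(org: OrgSso, email: str, members: dict[str, str]) -> tuple[str, str]:
    """Outcome of a successful IdP round-trip that yielded `email`.
    `members` maps email -> role and is mutated on JIT creation.
    Returns ("signed_in", role) | ("created", role) | ("rejected", reason)."""
    email = email.strip().lower()
    if not org.enabled:
        return ("rejected", "SSO is not enabled for this organization.")
    if org.provider_type == "oidc" and org.oidc_mode == "google":
        allowed = org.fields.get("allowed_domain", "").lower()
        if email.rsplit("@", 1)[-1] != allowed:
            return ("rejected", "Email domain is not the allowed Workspace domain.")
    if email in members:
        return ("signed_in", members[email])
    if not org.auto_create:
        return ("rejected", "No account found for this email.")
    if org.default_role not in ALLOWED_DEFAULT_ROLES:
        raise ValueError(f"default_role must be one of {ALLOWED_DEFAULT_ROLES}")
    members[email] = org.default_role
    return ("created", org.default_role)


def password_login_allowed(org: OrgSso, email: str, members: dict[str, str]) -> bool:
    """Enforcement only bites members of an org whose SSO is actually enabled."""
    email = email.strip().lower()
    return not (org.enabled and org.enforce_sso and email in members)


if __name__ == "__main__":
    org = OrgSso("saml", fields={"idp_entity_id": "https://idp.example.com/metadata",
                                 "idp_sso_url": "https://idp.example.com/sso"})
    print("blocked by:", set_sso_enabled(org, True))      # ['idp_x509_cert']
    org.fields["idp_x509_cert"] = "MIIC...base64 body..."  # constructed placeholder
    print("blocked by:", set_sso_enabled(org, True))      # []
    members = {"alice@example.com": "owner"}
    print(sso_login(org, "bob@example.com", members))     # ('created', 'member')
```

Note that `password_login_allowed` keys on membership, not on whether the org has SSO enabled alone: a user who is not a member of the enforcing org is unaffected, which is what per-organization enforcement means in practice.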

Troubleshooting

Behind a TLS-terminating proxy, set the public base URL. The SP metadata, ACS URL, and SP entity ID are built from the application’s configured base URL. If the app sits behind a reverse proxy that terminates TLS, that base URL must be set to the public HTTPS host (for example https://app.catalystnetworks.io) — otherwise the metadata/ACS/entityID render with an internal host or http, and the IdP’s assertion will not match the SP the app expects. This mismatch is the most common cause of SAML failures behind a proxy.
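As an added example that is not Catalyst Networks' own code, the following Python shows the two checks that the attribute mapping section and the base URL paragraph above describe: a Response must be addressed to the ACS derived from the base URL and org slug, its Assertion must name the derived SP entity ID as Audience, and the email attribute must be present under the configured mapping (rejected with the "No email address received" message otherwise). It assumes the XML signature has already been verified by the SAML library before this runs; the sample Response is constructed and unsigned, and the internal base URL http://web:8000, the slug acme, the IdP host idp.example.com and all helper names are assumptions.

```python
# Added example (not Catalyst Networks' own code): validate a SAML Response against
# the SP endpoints derived from base URL + org slug, then read the mapped attributes.
# Assumes the XML signature has ALREADY been verified by the SAML library; only the
# destination/audience and attribute-mapping checks from the page are shown here.
from __future__ import annotations
import xml.etree.ElementTree as ET  # use defusedxml or the SAML library's parser in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Page defaults; override per org to match what the IdP actually emits.
DEFAULT_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}


class SamlLoginError(Exception):
    pass


def sp_endpoints(base_url: str, slug: str) -> dict:
    """SP values as the configure page derives them from the configured base URL."""
    base = base_url.rstrip("/")
    metadata = f"{base}/sso/{slug}/metadata/"
    return {"entity_id": metadata, "metadata": metadata, "acs": f"{base}/sso/{slug}/acs/"}


def parse_response(xml_text: str, base_url: str, slug: str, mapping: dict | None = None) -> dict:
    mapping = {**DEFAULT_MAPPING, **(mapping or {})}
    sp = sp_endpoints(base_url, slug)
    root = ET.fromstring(xml_text)

    # The IdP addressed the Response to the ACS it was registered with; it must be ours.
    destination = root.get("Destination")
    if destination != sp["acs"]:
        raise SamlLoginError(f"Destination {destination!r} != ACS {sp['acs']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlLoginError("Response carries no Assertion")

    # The Audience must name our SP entity ID (the metadata URL).
    audiences = {a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if sp["entity_id"] not in audiences:
        raise SamlLoginError(f"Audience {sorted(audiences)} != entityID {sp['entity_id']!r}")

    # Flatten the AttributeStatement into {Name: first non-empty value}.
    attrs: dict[str, str] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            attrs[attr.get("Name")] = values[0].strip()

    email = attrs.get(mapping["email"])
    if not email:
        raise SamlLoginError("No email address received from identity provider.")
    return {
        "email": email.lower(),  # lower-casing is an assumption of this example
        "first_name": attrs.get(mapping["first_name"]),
        "last_name": attrs.get(mapping["last_name"]),
    }


def login_error(xml_text: str, base_url: str, slug: str, mapping: dict | None = None) -> str | None:
    """The message a login would fail with, or None when the Response is accepted."""
    try:
        parse_response(xml_text, base_url, slug, mapping)
    except SamlLoginError as exc:
        return str(exc)
    return None


def build_sample_response(email_attr: str = DEFAULT_MAPPING["email"]) -> str:
    """Constructed, unsigned sample Response for org slug 'acme', issued by an IdP that
    was registered against the public host https://app.catalystnetworks.io."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://app.catalystnetworks.io/sso/acme/acs/">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://app.catalystnetworks.io/sso/acme/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{email_attr}">
        <saml:AttributeValue>Alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{DEFAULT_MAPPING['first_name']}">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(parse_response(build_sample_response(), "https://app.catalystnetworks.io", "acme"))
    # The same Response seen by an app whose base URL was left at the internal hostname:
    print(login_error(build_sample_response(), "http://web:8000", "acme"))
```

The second call reproduces the proxy failure: the IdP did everything right, but because the app derives its ACS from http://web:8000 the Destination check fails before any attribute is read. Fixing the base URL, not the IdP, is the remedy.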

Enable fails with a “required fields” error. SAML needs IdP Entity ID, SSO URL, and X.509 certificate before it can be enabled. Google OIDC additionally needs client ID, client secret, and an allowed domain; generic OIDC needs an issuer URL.

“No email address received from identity provider.” Your IdP isn’t sending the mapped email attribute — check the attribute mapping against what the IdP emits.

Next Steps