Single Sign-On (SSO)
Each organization can connect its own identity provider (IdP) so members sign in through your company’s SSO instead of (or in addition to) a password. Catalyst Networks supports two provider types:
- SAML 2.0 — for Okta, Entra ID / Azure AD, OneLogin, and other SAML IdPs.
- OIDC / Google — either Google Workspace or a generic OpenID Connect provider.
SSO is configured per organization and is independent from every other org’s settings.
Reaching the SSO Settings
SSO configuration is limited to organization owners and admins. With your organization selected, open SSO in the sidebar, or go directly to:
/sso/<org-slug>/configure/
Fill in the provider details (below), save, then use the enable toggle. The app refuses to enable SSO until the required fields for your provider type are present, so configure first and enable second.
SAML Setup
On the configure page, select the SAML provider type and paste the values from your IdP:
| Field | Where it comes from |
|---|---|
| IdP Entity ID | Your IdP’s issuer / entity ID |
| IdP SSO URL | The IdP’s Single Sign-On (HTTP-Redirect) endpoint |
| IdP X.509 certificate | The IdP’s signing certificate, in PEM form without the -----BEGIN/END CERTIFICATE----- header and footer |
| IdP SLO URL | Optional single-logout URL |
Service Provider (SP) details for your IdP
The configure page shows the SP values you register on the IdP side. Catalyst Networks acts as the SP, and the endpoints are derived from your org slug:
| SP value | URL |
|---|---|
| SP metadata | /sso/<slug>/metadata/ |
| Assertion Consumer Service (ACS) | /sso/<slug>/acs/ |
| SP Entity ID | The SP metadata URL above |
You can hand your IdP either the metadata URL directly or the individual ACS/entityID values. Catalyst Networks requires that assertions and messages are signed by the IdP.
Attribute (email) mapping
The SP reads the user’s identity from the SAML assertion. The email attribute is required — by default it maps to the standard claim:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First name and last name have similarly standard defaults (givenname / surname). Override any of these to match the attribute names your IdP actually emits. If no email is received, the login is rejected.
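The mapping step described above, as an added example rather than Catalyst Networks' own code: it collects the `<saml:Attribute>` elements of an assertion, applies the default claim URIs (or an organization's overrides) and rejects the login when no email arrives. The assertion is assumed to have already passed the SAML library's signature check; the two sample assertions are constructed for illustration, and `map_identity`, `assertion_attributes` and `login_rejected` are names chosen here, not the application's.

```python
# Added example, not Catalyst Networks code: pull the user's identity out of a
# SAML assertion using the configurable attribute mapping. The assertion is
# assumed to have already passed the SAML library's signature verification.
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Default attribute names from the docs; an organization may override any of them.
DEFAULT_ATTRIBUTE_MAP = {
    "email": CLAIMS + "emailaddress",
    "first_name": CLAIMS + "givenname",
    "last_name": CLAIMS + "surname",
}


class SSOLoginRejected(Exception):
    """Raised when the assertion cannot be mapped to a usable identity."""


def assertion_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect every <saml:Attribute Name="..."> with its non-empty AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue
        values = [
            v.text.strip()
            for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
            if v.text and v.text.strip()
        ]
        attrs.setdefault(name, []).extend(values)
    return attrs


def map_identity(assertion_xml: str, attribute_map: dict[str, str] | None = None) -> dict[str, str]:
    """Apply the (possibly overridden) mapping; email is mandatory, names are optional."""
    mapping = {**DEFAULT_ATTRIBUTE_MAP, **(attribute_map or {})}
    attrs = assertion_attributes(assertion_xml)
    emails = attrs.get(mapping["email"]) or []
    if not emails:
        # Same outcome the docs describe: no mapped email, login rejected.
        raise SSOLoginRejected("No email address received from identity provider.")
    first = (attrs.get(mapping["first_name"]) or [""])[0]
    last = (attrs.get(mapping["last_name"]) or [""])[0]
    return {"email": emails[0], "first_name": first, "last_name": last}


def login_rejected(assertion_xml: str, attribute_map: dict[str, str] | None = None) -> bool:
    """True when the mapping would reject the login (helper for checks below)."""
    try:
        map_identity(assertion_xml, attribute_map)
    except SSOLoginRejected:
        return True
    return False


# Constructed sample assertion (Signature element omitted); this IdP emits the
# standard claim URIs, so the default mapping applies unchanged.
STANDARD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>ada@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample from an IdP that uses a short attribute name instead of the claim URI;
# with the default mapping this is rejected, with an override it maps cleanly.
SHORT_NAME_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(map_identity(STANDARD_ASSERTION))
    print(map_identity(SHORT_NAME_ASSERTION, {"email": "email"}))
```

The second sample is the situation the last sentence above describes: the IdP is sending an email, just under a different attribute name, so the fix is an override of the mapping rather than a change on the IdP side.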
How users log in
Members start SAML login at either:
- /sso/<slug>/login/ — direct, if they know the org slug, or
- /sso/login/ — an org lookup form that redirects to the right slug.
The IdP posts its response back to the ACS endpoint, the user is signed in, and returned to the dashboard.
OIDC / Google Setup
Select the OIDC / Google provider type, then choose a mode:
Google Workspace requires:
- Client ID and Client Secret (from your Google Cloud OAuth credentials)
- Allowed email domain (restricts sign-in to your Workspace domain)
Generic OIDC requires:
- Issuer URL
- Client ID and Client Secret
Optional claim mappings default to email, given_name, family_name, and sub, with scopes openid email profile. The configure page displays the exact redirect/callback URL to register with your provider:
- Google: /accounts/google/login/callback/
- Generic OIDC: /accounts/oidc/<provider-id>/login/callback/
OIDC login is delegated to the underlying auth layer; members initiate it from the same org login entry points as SAML.
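The claim mapping and allowed-domain rule from the OIDC section, as an added example that is not Catalyst Networks' code: it takes the claims of an ID token the auth layer has already verified (signature, issuer, audience, expiry), applies the default claim names or an override, and in Google mode restricts sign-in to the allowed domain. The `email_verified` check is an addition beyond what the page states, the sample claims are constructed, and `map_oidc_identity` and `login_rejected` are names chosen here.

```python
# Added example, not Catalyst Networks code: apply the OIDC claim mapping and the
# Google Workspace allowed-domain restriction to the claims of an ID token that the
# auth layer has already verified (signature, issuer, audience, expiry).
from __future__ import annotations

# Defaults from the docs; an organization can override each claim name.
DEFAULT_CLAIM_MAP = {
    "email": "email",
    "first_name": "given_name",
    "last_name": "family_name",
    "external_id": "sub",
}
DEFAULT_SCOPES = ("openid", "email", "profile")


class SSOLoginRejected(Exception):
    """Raised when the claims cannot be accepted for this organization."""


def email_domain(email: str) -> str:
    """Domain part of an address; exactly one '@' is required so the check cannot be confused."""
    if email.count("@") != 1:
        raise SSOLoginRejected("Malformed email address in ID token")
    return email.rsplit("@", 1)[1].lower()


def map_oidc_identity(
    claims: dict,
    mode: str,
    allowed_domain: str | None = None,
    claim_map: dict[str, str] | None = None,
) -> dict[str, str]:
    """Map verified claims to the fields the app stores; mode is 'google' or 'generic'."""
    if mode not in ("google", "generic"):
        raise ValueError(f"unknown OIDC mode {mode!r}")
    mapping = {**DEFAULT_CLAIM_MAP, **(claim_map or {})}
    email = claims.get(mapping["email"])
    if not email:
        raise SSOLoginRejected("No email address received from identity provider.")
    if mode == "google":
        if not allowed_domain:
            raise ValueError("Google mode requires an allowed email domain")
        # Added check beyond the docs: Google marks addresses it has verified, and an
        # unverified address must not be allowed to satisfy the domain restriction.
        if claims.get("email_verified") is not True:
            raise SSOLoginRejected("Google did not mark the email address as verified")
        if email_domain(email) != allowed_domain.lower().lstrip("@"):
            raise SSOLoginRejected(f"{email} is outside the allowed domain {allowed_domain}")
    return {
        "email": email,
        "first_name": claims.get(mapping["first_name"], ""),
        "last_name": claims.get(mapping["last_name"], ""),
        "external_id": claims.get(mapping["external_id"], ""),
    }


def login_rejected(claims: dict, mode: str, allowed_domain: str | None = None,
                   claim_map: dict[str, str] | None = None) -> bool:
    """True when the mapping would reject the login (helper for checks below)."""
    try:
        map_oidc_identity(claims, mode, allowed_domain, claim_map)
    except SSOLoginRejected:
        return True
    return False


# Constructed sample claims, shaped like a Google ID token payload.
GOOGLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "1234567890",
    "email": "ada@example.test",
    "email_verified": True,
    "given_name": "Ada",
    "family_name": "Lovelace",
}

# Constructed sample from a generic IdP that carries the address in a custom claim.
GENERIC_CLAIMS = {"sub": "u-42", "mail": "grace@example.test", "given_name": "Grace"}

if __name__ == "__main__":
    print(map_oidc_identity(GOOGLE_CLAIMS, "google", "example.test"))
    print(map_oidc_identity(GENERIC_CLAIMS, "generic", claim_map={"email": "mail"}))
```

Generic mode has no domain restriction, so whatever the issuer asserts as the mapped email claim is what the app sees; the claim override is the knob to turn when an IdP does not use the standard `email` claim.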
Just-in-Time (JIT) Provisioning
Two settings control what happens when someone signs in via SSO who is not yet a member:
- Auto-create users (on by default) — creates a Catalyst Networks account automatically on first successful SSO login. With it off, the user must already have an account, or the login is rejected with “No account found for this email.”
- Default role — the role assigned to auto-provisioned users. Only member or admin may be chosen (default: member).
There is also an enforce SSO option: when enabled, members of the organization must log in through SSO and password login is disabled for them. Disabling SSO also clears enforcement.
Troubleshooting
Behind a TLS-terminating proxy, set the public base URL. The SP metadata, ACS URL, and SP entity ID are built from the application’s configured base URL. If the app sits behind a reverse proxy that terminates TLS, that base URL must be set to the public HTTPS host (for example https://app.catalystnetworks.io) — otherwise the metadata/ACS/entityID render with an internal host or http, and the IdP’s assertion will not match the SP the app expects. This mismatch is the most common cause of SAML failures behind a proxy.
Enable fails with a “required fields” error. SAML needs IdP Entity ID, SSO URL, and X.509 certificate before it can be enabled. Google OIDC additionally needs client ID, client secret, and an allowed domain; generic OIDC needs an issuer URL.
“No email address received from identity provider.” Your IdP isn’t sending the mapped email attribute — check the attribute mapping against what the IdP emits.
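A pre-flight check that ties the SAML setup table, the SP details and the Troubleshooting items together, added here as an example and not part of Catalyst Networks: it verifies the required fields per provider type, normalizes the IdP certificate to the bare base64 body the configure page expects, derives the SP metadata/ACS/entity ID from the base URL and slug, and flags a base URL that is not a public https host. The field names, the `acme` slug and the minimal DER stand-in for a certificate are constructed for the example; the base URL is the one this page uses.

```python
# Added example, not Catalyst Networks code: a pre-flight check for an org's SSO
# configuration covering required fields per provider type, the certificate body
# format, and SP endpoints derived from a public https base URL.
from __future__ import annotations

import base64
import re
from urllib.parse import urlparse

# Required fields per provider type, as listed under Troubleshooting.
# The keys are names chosen for this example, not the application's form fields.
REQUIRED_FIELDS = {
    "saml": ("idp_entity_id", "idp_sso_url", "idp_x509_cert"),
    "google": ("client_id", "client_secret", "allowed_domain"),
    "oidc": ("issuer_url", "client_id", "client_secret"),
}
PEM_ARMOR = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


def normalize_idp_cert(raw: str) -> str:
    """Return the bare base64 body the configure page expects, stripping PEM armor and whitespace."""
    body = re.sub(r"\s+", "", PEM_ARMOR.sub("", raw))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("IdP certificate is not valid base64") from exc
    if not der or der[0] != 0x30:  # a DER Certificate starts with a SEQUENCE tag
        raise ValueError("IdP certificate does not decode to a DER certificate")
    return body


def sp_endpoints(base_url: str, slug: str) -> dict[str, str]:
    """SP values to register on the IdP side; the entity ID is the metadata URL."""
    root = base_url.rstrip("/")
    metadata = f"{root}/sso/{slug}/metadata/"
    return {"metadata": metadata, "acs": f"{root}/sso/{slug}/acs/", "entity_id": metadata}


def preflight(provider: str, fields: dict[str, str], base_url: str, slug: str) -> list[str]:
    """List everything that would make enabling fail or break the IdP handshake; empty means go."""
    if provider not in REQUIRED_FIELDS:
        return [f"unknown provider type {provider!r}"]
    problems: list[str] = []
    missing = [name for name in REQUIRED_FIELDS[provider] if not fields.get(name)]
    if missing:
        problems.append("required fields missing: " + ", ".join(missing))
    if provider == "saml" and fields.get("idp_x509_cert"):
        try:
            normalize_idp_cert(fields["idp_x509_cert"])
        except ValueError as exc:
            problems.append(str(exc))
    # Behind a TLS-terminating proxy the base URL must be the public https host,
    # otherwise the SP values handed to the IdP will not match what the app expects.
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.hostname:
        problems.append(f"base URL {base_url!r} must be the public https host")
    return problems


# Constructed stand-in: a minimal DER SEQUENCE (30 03 02 01 01) wrapped in PEM armor.
# It is NOT a certificate; a real IdP signing certificate body is far longer.
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"

SAML_FIELDS = {
    "idp_entity_id": "https://idp.example.test/metadata",
    "idp_sso_url": "https://idp.example.test/sso/redirect",
    "idp_x509_cert": FAKE_CERT_PEM,
}

if __name__ == "__main__":
    print(sp_endpoints("https://app.catalystnetworks.io", "acme"))
    print(preflight("saml", SAML_FIELDS, "https://app.catalystnetworks.io", "acme"))
    print(preflight("saml", {**SAML_FIELDS, "idp_x509_cert": "not a cert!"}, "http://web:8000", "acme"))
```

Running the check against the internal `http://web:8000` base URL reproduces the proxy mismatch described above before the IdP ever sees the wrong entity ID; the `validate=True` decode catches a pasted certificate that still contains stray characters, which the header/footer-stripping rule in the SAML table is meant to avoid.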
Next Steps
- Organizations & Roles — how roles and JIT default roles interact
- Web Dashboard Overview — the full map of the dashboard